[Openstack] Federated Identity Management (bursting and zones)
vishvananda at gmail.com
Wed Mar 30 20:38:32 UTC 2011
Not sure that AuthZ has to be federated. If AuthN can return a list of meaningful groups (something akin to roles) to AuthZ, we can isolate AuthZ to a given deployment. So we can have a set of standard groups defined, and if Alice's AuthN returns one of those groups, she can launch. It means we will probably have to define some sort of openstack-compatible authn groups.
On Mar 30, 2011, at 12:44 PM, Sandy Walsh wrote:
> From: Jon Slenk [jslenk at internap.com]
>> I think that if the system used capabilities/ZBAC then there would be
>> no such weird prompting.
> I see your point, but I'm assuming AuthZ has to be federated as well. We don't know about Alice, she lives in her private cloud. We have to ask her AuthZ system if she can boot a new instance.
> This flow is saying "The AuthZ resource lives on your side of the fence and I'd like to access it", but to do so Alice needs to grant permission and that interaction seems confusing to me.
> PS> appreciate the feedback!
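The design sketched in Vish's reply, as an added example that is not code from the thread or from OpenStack: the remote AuthN returns a list of groups, and a deployment-local AuthZ policy decides whether one of the standard, openstack-compatible groups permits the requested action. AuthZ never calls back into Alice's cloud. The issuer names, group names, action names and the assertion shape are all constructed assumptions; unknown groups and unknown issuers are ignored so that a remote identity provider cannot grant itself rights the local deployment never defined.

```python
"""Local AuthZ over federated AuthN group claims (added example; all names constructed)."""
from dataclasses import dataclass, field

# Deployment-local policy: which standard (openstack-compatible) groups grant
# which actions. These group and action names are constructed placeholders.
STANDARD_GROUP_PERMISSIONS = {
    "openstack:compute:launch": {"compute:run_instance"},
    "openstack:compute:admin": {"compute:run_instance", "compute:terminate_instance"},
    "openstack:object:reader": {"object:get"},
}

# Remote AuthN systems whose assertions this deployment accepts (constructed).
TRUSTED_ISSUERS = {"idp.alice-private-cloud.example", "idp.partner.example"}


@dataclass(frozen=True)
class AuthNAssertion:
    """What the remote AuthN hands over: who vouched, for whom, with which groups."""
    issuer: str
    subject: str
    groups: frozenset


@dataclass
class Decision:
    allowed: bool
    reason: str
    effective_groups: frozenset = field(default_factory=frozenset)


def effective_groups(assertion: AuthNAssertion) -> frozenset:
    """Keep only the groups this deployment defines.

    Groups the local policy does not know (e.g. Alice's internal "acme:finance")
    are dropped rather than trusted, so the remote IdP can only ever map onto
    rights the local deployment chose to expose.
    """
    return frozenset(g for g in assertion.groups if g in STANDARD_GROUP_PERMISSIONS)


def authorize(assertion: AuthNAssertion, action: str) -> Decision:
    """Deny by default; every grant is traceable to one standard group."""
    if assertion.issuer not in TRUSTED_ISSUERS:
        return Decision(False, f"untrusted issuer {assertion.issuer!r}")
    groups = effective_groups(assertion)
    if not groups:
        return Decision(False, "no openstack-compatible groups asserted", groups)
    for group in sorted(groups):  # deterministic order for the audit reason
        if action in STANDARD_GROUP_PERMISSIONS[group]:
            return Decision(True, f"granted by group {group!r}", groups)
    return Decision(False, f"no asserted group permits {action!r}", groups)


if __name__ == "__main__":
    # Constructed assertion: Alice's home IdP returns one standard group plus
    # a private group that means nothing to this deployment.
    alice = AuthNAssertion(
        issuer="idp.alice-private-cloud.example",
        subject="alice",
        groups=frozenset({"openstack:compute:launch", "acme:finance"}),
    )
    print(authorize(alice, "compute:run_instance"))
    print(authorize(alice, "compute:terminate_instance"))
```

The audit-relevant part is the `reason` field: a deployment can log which standard group produced a grant without ever having seen Alice's full group list or her home cloud's policy.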