[Openstack] Identity API v3 - Why allow multi-tenant users?

Matt Joyce matt.joyce at cloudscaling.com
Wed Jul 18 06:46:23 UTC 2012 

I could see service users and security / operations teams having a need to
span many domains.

-Matt

On Tue, Jul 17, 2012 at 11:24 PM, Tim Bell <Tim.Bell at cern.ch> wrote:

> ** **
>
> I thought that the v3 API supports domains as a group of tenants which
> would make the question rather different.****
>
> ** **
>
> Thus, I guess the question is****
>
> ** **
>
> **A.      **Should there be users in multiple tenants in a single domain ?
> ****
>
> **B.      **Should there be users in multiple domains ?****
>
> ** **
>
> There are clear use cases for A (such as researchers working on multiple
> projects sharing project quotas)****
>
> ** **
>
> For B, it is less clear as if I am a domain administrator, I do not want
> to be told that I cannot allocate user X since another domain has already
> taken it. On the other hand, there is a clear architectural benefit from
> having the concept of identity (and authentication) split off from roles
> and projects.****
>
> ** **
>
> Tim****
>
> ** **
>
> *From:* openstack-bounces+tim.bell=cern.ch at lists.launchpad.net [mailto:
> openstack-bounces+tim.bell=cern.ch at lists.launchpad.net] *On Behalf Of *John
> Postlethwait
> *Sent:* 18 July 2012 07:42
> *To:* Rouault, Jason (Cloud Services)
> *Cc:* openstack at lists.launchpad.net
>
> *Subject:* Re: [Openstack] Identity API v3 - Why allow multi-tenant users?
> ****
>
> ** **
>
> Forcing a user to remember different usernames and/or passwords for each
> project they are a part of, when it is possible they are part of N
> projects, really isn't an acceptable option in my opinion.****
>
> ** **
>
> I believe that regardless of the engineering complexities, the end users
> shouldn't have to feel pain in order to make engineering the solutions and
> features they interact with easier. Software is for end users (in their
> various forms) and as such we need to take that into account when we make
> decisions. While no functionality is lost per se, there is a major end-user
> impact, and that should be reason enough to implement it…****
>
> ** **
>
> ** **
>
> John Postlethwait****
>
> Nebula, Inc.****
>
> 206-999-4492****
>
> ** **
>
> On Tuesday, July 17, 2012 at 4:15 PM, Rouault, Jason (Cloud Services)
> wrote:****
>
> One benefit is the user does not need to have multiple sets of credentials
> to interact with multiple projects.****
>
>  ****
>
> Jason****
>
>  ****
>
> *From:* openstack-bounces+jason.rouault=hp.com at lists.launchpad.net [
> mailto:openstack-bounces <openstack-bounces>+jason.rouault=
> hp.com at lists.launchpad.net] *On Behalf Of *Adam Young
> *Sent:* Tuesday, July 17, 2012 11:55 AM
> *To:* openstack at lists.launchpad.net
> *Subject:* Re: [Openstack] Identity API v3 - Why allow multi-tenant users?
> ****
>
>  ****
>
> On 05/29/2012 01:18 PM, Caitlin Bestler wrote:****
>
> One of the major complication I see in the API is that users can be
> associated with multiple tenants.****
>
>  ****
>
> What is the benefit of this? What functionality would be lost if a human
> user merely had to use a different account with each tenant?****
>
>  ****
>
> There are numerous issues with multi-tenant users. For example, if a user
> is associated with multiple tenants, who resets the user’s password?****
>
>  ****
>
>
>
> ****
>
> _______________________________________________****
>
> Mailing list: https://launchpad.net/~openstack****
>
> Post to     : openstack at lists.launchpad.net****
>
> Unsubscribe : https://launchpad.net/~openstack****
>
> More help   : https://help.launchpad.net/ListHelp****
>
> Did you ever get an answer?  This has been discussed in depth.****
>
> _______________________________________________****
>
> Mailing list: https://launchpad.net/~openstack****
>
> Post to : openstack at lists.launchpad.net****
>
> Unsubscribe : https://launchpad.net/~openstack****
>
> More help : https://help.launchpad.net/ListHelp****
>
> ** **
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20120717/8f12686a/attachment.html>

More information about the Openstack mailing list