On Mon, Mar 28, 2011 at 10:15 AM, Sandy Walsh <sandy.wa...@rackspace.com> wrote:

> Currently, we link Nova deployments (aka Zones) with a single admin account.
> All operations done in the child zone are done with this admin account.
>
> Obviously this needs to change. A simple operation such as "get_all_servers"
> should only return the servers that User X owns. In the current
> implementation, all the servers the admin account can see will be returned.
>
> We need some form of federated identity management. User accounts must be
> shared between homogeneous and heterogeneous deployments, i.e. all private,
> all public or public/private (aka Hybrid) via Bursting.
>
> There are some possibilities here:
>
> 1. Replicate User accounts across zones. A user account would map to N child
> zone accounts ... one for each child zone. These "placeholder" accounts are
> hidden from the user and synchronized when the parent changes.
>
> 2. Rely on an external/shared user management service. Let the Auth/RBAC
> system sort out visibility, control, etc. This system would need to be
> publicly available to both groups in the hybrid scenario.
>
> 3. Continue with the admin account and filter access control/visibility in
> the parent zone.
>
> ... and I'm sure there are others.
4. Use OAuth?

-jay

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
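To make the visibility problem in the thread concrete, here is an added toy model (not code from the thread, and not Nova's own code) of a parent zone aggregating get_all_servers() across child zones. It shows the leak that the single linked admin credential causes, then two of the remedies from Sandy's list side by side: filtering in the parent zone (option 3) and calling each child as a hidden per-zone placeholder account (option 1). Zone names, user names, the `account_map` structure and the server records are all constructed for the example.

```python
# Added example, not code from the OpenStack thread or from Nova itself.
# A toy model of a parent zone calling get_all_servers() on child zones,
# showing the leak caused by one shared admin credential and two of the
# remedies from Sandy's list: filtering in the parent (option 3) and
# per-zone placeholder accounts (option 1). All names and data are constructed.
from dataclasses import dataclass

ADMIN = "admin"  # the single linked admin credential (constructed name)


@dataclass(frozen=True)
class Server:
    server_id: str
    owner: str  # account that owns the instance inside its child zone
    zone: str


class ChildZone:
    """A child zone as seen over its API; it scopes results to the caller."""

    def __init__(self, name, servers):
        self.name = name
        self._servers = list(servers)

    def get_all_servers(self, credential):
        # The admin credential sees every instance in the zone. Any other
        # credential only sees the instances it owns.
        if credential == ADMIN:
            return list(self._servers)
        return [s for s in self._servers if s.owner == credential]


class ParentZone:
    def __init__(self, children, account_map):
        self.children = children
        # (parent user, child zone name) -> hidden placeholder account in
        # that zone; this is the synchronised mapping option 1 describes.
        self.account_map = account_map

    def get_all_servers_current(self, user):
        # Current behaviour: every child call is made as admin, so the user
        # receives every server the admin can see, regardless of owner.
        found = []
        for child in self.children:
            found.extend(child.get_all_servers(ADMIN))
        return found

    def get_all_servers_option3(self, user):
        # Option 3: keep the admin link, but drop anything not owned by the
        # user's account in the zone the server came from, before returning.
        # The parent still has to know the identity mapping to do this.
        return [s for s in self.get_all_servers_current(user)
                if self.account_map.get((user, s.zone)) == s.owner]

    def get_all_servers_option1(self, user):
        # Option 1: call each child as the user's placeholder account, so the
        # child zone enforces visibility itself; zones where the user has no
        # account are skipped instead of being queried as admin.
        found = []
        for child in self.children:
            placeholder = self.account_map.get((user, child.name))
            if placeholder is not None:
                found.extend(child.get_all_servers(placeholder))
        return found


# Constructed sample data: two child zones, two users.
ZONE_A = ChildZone("zone-a", [Server("srv-1", "alice@zone-a", "zone-a"),
                              Server("srv-2", "bob@zone-a", "zone-a")])
ZONE_B = ChildZone("zone-b", [Server("srv-3", "alice@zone-b", "zone-b")])
ACCOUNTS = {("alice", "zone-a"): "alice@zone-a",
            ("alice", "zone-b"): "alice@zone-b",
            ("bob", "zone-a"): "bob@zone-a"}
PARENT = ParentZone([ZONE_A, ZONE_B], ACCOUNTS)


def server_ids(servers):
    """Sorted server ids, for readable comparison of the three behaviours."""
    return sorted(s.server_id for s in servers)


if __name__ == "__main__":
    print("current :", server_ids(PARENT.get_all_servers_current("alice")))
    print("option 3:", server_ids(PARENT.get_all_servers_option3("alice")))
    print("option 1:", server_ids(PARENT.get_all_servers_option1("alice")))
```

Run as a script, the "current" line lists all three servers for alice, including bob's, while both remedies return only srv-1 and srv-3. The difference between the two remedies is where the check lives: with option 3 the child zone has already handed the parent everything, so one missed filter in the parent re-creates the leak; with option 1 the child never returns more than the placeholder account may see, at the cost of keeping the account mapping synchronised.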