I was thinking of having OAuth implementation for authorization/delegation in an external identity management solution, option 2 :). The IdM solution can be extensible to support other Identity Federation protocols as well such as SAML.
Khaled On Mon, Mar 28, 2011 at 11:17 AM, Jay Pipes <jaypi...@gmail.com> wrote: > On Mon, Mar 28, 2011 at 10:15 AM, Sandy Walsh <sandy.wa...@rackspace.com> > wrote: > > Currently, we link Nova deployments (aka Zones) with a single admin > account. > > All operations done in the child zone are done with this admin account. > > Obviously this needs to change. A simple operation such as > "get_all_servers" > > should only return the servers that User X owns. In the current > > implementation, all the servers the admin account can see will be > returned. > > We need some form of federated identity management. User accounts must be > > shared between homogeneous and heterogeneous deployments. ie. all > private, > > all public or public/private (aka Hybrid) via Bursting. > > There are some possibilities here: > > 1. Replicate User accounts across zones. A user account would map to N > child > > zone accounts ... one for each child zone. These "placeholder" accounts > are > > hidden from the user and synchronized when the parent changes. > > 2. Rely on an external/shared user management service. Let the Auth/RBAC > > system sort out visibility, control, etc. This system would need to be > > publicly available to both groups in the hybrid scenario. > > 3. Continue with the admin account and filter access control/visibility > in > > the parent zone. > > ... and I'm sure there are others. > > 4. Use OAuth? > > -jay > > _______________________________________________ > Mailing list: https://launchpad.net/~openstack > Post to : openstack@lists.launchpad.net > Unsubscribe : https://launchpad.net/~openstack > More help : https://help.launchpad.net/ListHelp >
_______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp