Not sure that AuthZ has to be federated. If AuthN can return a list of meaningful groups (something akin to roles) to AuthZ, we can isolate AuthZ to a given deployment. So we can have a set of standard groups defined, and if Alice's AuthN returns one of those groups, she can launch. It means we will probably have to define some sort of OpenStack-compatible AuthN groups.

Vish

On Mar 30, 2011, at 12:44 PM, Sandy Walsh wrote:

> From: Jon Slenk [jsl...@internap.com]
>
>> I think that if the system used capabilities/ZBAC then there would be no such weird prompting.
>
> I see your point, but I'm assuming AuthZ has to be federated as well. We don't know about Alice, she lives in her private cloud. We have to ask her AuthZ system if she can boot a new instance.
>
> This flow is saying "The AuthZ resource lives on your side of the fence and I'd like to access it", but to do so Alice needs to grant permission and that interaction seems confusing to me.
>
> -S
>
> PS> appreciate the feedback!
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
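
Added example, not part of the original thread or of OpenStack's code: a sketch of the split proposed in Vish's reply above, where the remote AuthN returns a group list and the AuthZ decision stays local to the deployment. The group names, policy table, issuer name and the HMAC-signed JSON assertion format are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumed standard group names; the thread proposes such a set but defines none.
STANDARD_GROUPS = {"openstack:admin", "openstack:member", "openstack:viewer"}

# Deployment-local AuthZ policy (hypothetical): standard group -> allowed actions.
LOCAL_POLICY = {
    "openstack:admin": {"launch_instance", "delete_instance", "list_instances"},
    "openstack:member": {"launch_instance", "list_instances"},
    "openstack:viewer": {"list_instances"},
}

# AuthN issuers this deployment trusts, with constructed demo keys.
TRUSTED_ISSUERS = {"alice-private-cloud": b"constructed-demo-key"}


def sign_assertion(issuer, key, user, groups):
    """What the remote AuthN side returns: identity plus its group list."""
    body = json.dumps({"iss": issuer, "user": user, "groups": groups}, sort_keys=True)
    return body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verified_groups(body, tag):
    """Standard groups asserted by a trusted issuer; empty set on any failure."""
    try:
        claims = json.loads(body)
    except ValueError:
        return set()
    iss = claims.get("iss") if isinstance(claims, dict) else None
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        return set()  # unknown deployment: nothing it asserts is believed
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(tag).encode()):
        return set()  # assertion was altered or signed with another key
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return set()
    # Groups private to Alice's cloud carry no meaning here and are dropped.
    return {g for g in groups if isinstance(g, str)} & STANDARD_GROUPS


def is_allowed(body, tag, action):
    """Local AuthZ decision; no call back to the remote AuthZ system."""
    return any(action in LOCAL_POLICY[g] for g in verified_groups(body, tag))


if __name__ == "__main__":
    body, tag = sign_assertion("alice-private-cloud", b"constructed-demo-key",
                               "alice", ["openstack:member", "private:finance"])
    print(is_allowed(body, tag, "launch_instance"))
```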