From: Eric Day [e...@oddments.org]

> Service Provider zones could be configured to access authz.myco.com
> for any authentication requests that come in for the myco.com namespace.

Hmm, yes I think that might be possible (with the obvious performance concerns). My concern was that we would have to make a call back to authz.myco.com to check *every* instance. By having a pared-down set to work with we can avoid having to scan all the instances under MyCo's control. But, you are correct that we could get that pared down list from authz.myco.com just as easily as from sp.authz. Let me stew on that one some more.

> For example, you could have the accounts:
>
> alice
> alice_shares
> bob

Yes, I thought about that more over the weekend. While it's attractive for up-front simplicity it makes account management much harder. Whenever we want to delegate a command from MyCo to SP we need to decide which account we will use to perform the operation. User account management will become just as complicated as Resource Group synchronization.

-S