Re: [Openstack] Physical host identification

2011-07-16 Thread Jorge Williams
Right so we should really be hashing this with the tenant ID as well. -jOrGe W. On Jul 15, 2011, at 6:16 PM, Chris Behrens wrote: > I think it's sensitive because one could figure out how many hosts a SP has > globally... which a SP might not necessarily want to reveal. > > - Chris > > > On

Re: [Openstack] [Keystone] [Swift] Keystone Tenant vs Swift Account

2011-07-16 Thread Ziad Sawalha
Swift account and tenant should be the same. This does not prescribe that Swift not store them locally (Nova still stores projects). The synchronization can be lazy (Nova does this with a shim in Keystone. If a request is authorized by Keystone on a tenant that does not have a corresponding pro

Re: [Openstack] Keystone tenants vs. Nova projects

2011-07-16 Thread Ziad Sawalha
Agreed. Especially as we start to consider federation use cases, we'll need to take into consideration routing different requests to different backends. As an "Identity Metasystem", Keystone will implement a pluggable router model as well to handle custom routing of requests. It's not a trivial

Re: [Openstack] Keystone tenants vs. Nova projects

2011-07-16 Thread Ziad Sawalha
What's (who is) sfdc? From: andi abes [mailto:andi.a...@gmail.com] Sent: Friday, July 15, 2011 02:07 PM To: Yuriy Taraday Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone tenants vs. Nova projects I guess sfdc disagrees with you - they allow e.g. Dell to use a single sign on

Re: [Openstack] Keystone tenants vs. Nova projects

2011-07-16 Thread Troy Toman
I am guessing Salesforce.com On Jul 16, 2011, at 2:40 PM, Ziad Sawalha wrote: What's (who is) sfdc? From: andi abes [mailto:andi.a...@gmail.com] Sent: Friday, July 15, 2011 02:07 PM To: Yuriy Taraday <yorik@gmail.com> Cc: openstack@lists.launchpad.net

Re: [Openstack] OpenStack Identity: Keystone API Proposal

2011-07-16 Thread Ziad Sawalha
Whatever name a container for global objects has - or if one or more even exist – is only relevant to a specific implementation and not canonical. It fits better as a configuration than as a core part of the API or code. Even in the same LDAP system, an operator may have their own unique impleme

Re: [Openstack] OpenStack Identity: Keystone API Proposal

2011-07-16 Thread Thor Wolpert
Any thoughts on pulling in OpenDS or OpenLDAP? A plus for OpenDS is it's already integrated with OpenAM and could supply federated logins if so desired. I have that need. On Sat, Jul 16, 2011 at 3:56 PM, Ziad Sawalha wrote: > Whatever name a container for global objects has - or if one or more