This has been our hidden agenda for many releases (minus the project split). There are other projects that you mention that are much better at handling authentication; many enterprises already have these in place as well. We have been trying to get out of the identity management (and consequently, the authentication) space for a while. That's why we have been focusing on federated identity and removing write operations to LDAP.
Enter the admin, service users, and SQL-backed users. Many existing deployments store users in an SQL-based backend. We pushed back on adding features for this use case for a while, but there are enough folks out there that want to do this, which is why we are approving a spec to enforce password lifecycle in the N release. So the new project/repo would have to handle this case as well.

Architecturally, I can see why you would want to split things up; it is a logical break. But I also see a few arguments against a split:

1) we already support Kerberos and OpenLDAP (and other auth services);
2) I don't think we have trouble with scope / not enough contribution; and
3) inertia: adopting new services takes a long time (see v2 to v3 transition), and this would add to that pile.

Thanks,

Steve Martinelli
OpenStack Keystone Project Team Lead

From: Boris Pavlovic <bpavlo...@mirantis.com>
To: OpenStack Development Mailing List <openstack-dev@lists.openstack.org>
Date: 2016/04/06 03:27 PM
Subject: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

Hi stackers,

I would like to suggest a very simple idea of splitting the authentication part out of Keystone into a separate project.

Such a change has 2 positive outcomes:

1) It will be quite simple to create a scalable service with high performance for authentication based on very mature projects like Kerberos[1] and OpenLDAP[2].
2) This will reduce the scope of Keystone, which means 2 things:
2.1) A smaller code base that has fewer issues and is simpler for testing
2.2) The Keystone team would be able to concentrate more on fixing perf/scalability issues of authorization, which is crucial at the moment for large clouds.

Thoughts?
[1] http://web.mit.edu/kerberos/
[2] http://ldapcon.org/2011/downloads/hummel-slides.pdf

Best regards,
Boris Pavlovic

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev