Agreed, Pluggable option 2 with a default OAuth implementation seems like the best strategy.
Vish

On Mar 28, 2011, at 9:42 AM, Khaled Hussein wrote:

> I was thinking of having OAuth implementation for authorization/delegation in
> an external identity management solution, option 2 :). The IdM solution can
> be extensible to support other Identity Federation protocols as well such as
> SAML.
>
> Khaled
>
> On Mon, Mar 28, 2011 at 11:17 AM, Jay Pipes <[email protected]> wrote:
> > On Mon, Mar 28, 2011 at 10:15 AM, Sandy Walsh <[email protected]> wrote:
> > > Currently, we link Nova deployments (aka Zones) with a single admin account.
> > > All operations done in the child zone are done with this admin account.
> > > Obviously this needs to change. A simple operation such as "get_all_servers"
> > > should only return the servers that User X owns. In the current
> > > implementation, all the servers the admin account can see will be returned.
> > >
> > > We need some form of federated identity management. User accounts must be
> > > shared between homogeneous and heterogeneous deployments, i.e. all private,
> > > all public or public/private (aka Hybrid) via Bursting.
> > >
> > > There are some possibilities here:
> > >
> > > 1. Replicate User accounts across zones. A user account would map to N child
> > > zone accounts ... one for each child zone. These "placeholder" accounts are
> > > hidden from the user and synchronized when the parent changes.
> > >
> > > 2. Rely on an external/shared user management service. Let the Auth/RBAC
> > > system sort out visibility, control, etc. This system would need to be
> > > publicly available to both groups in the hybrid scenario.
> > >
> > > 3. Continue with the admin account and filter access control/visibility in
> > > the parent zone.
> > >
> > > ... and I'm sure there are others.
> >
> > 4. Use OAuth?
> >
> > -jay
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

