I agree with Vish here. A common set of group names would be a good first step and allow us to federate authn without the upfront complexity of trying to also federate authz. Come to think of it, there's no reason that role A would need to have similar privileges in zones X and Y. More likely than not, they would have different privileges, and therefore a federated authz service wouldn't really make sense.
-jay

On Wed, Mar 30, 2011 at 4:38 PM, Vishvananda Ishaya <[email protected]> wrote:
> Not sure that AuthZ has to be federated. If AuthN can return a list of
> meaningful groups (something akin to roles) to AuthZ, we can isolate AuthZ to
> a given deployment. So we can have a set of standard groups defined, and if
> Alice's AuthN returns one of those groups, she can launch. It means we will
> probably have to define some sort of openstack-compatible authn groups.
>
> Vish
>
> On Mar 30, 2011, at 12:44 PM, Sandy Walsh wrote:
>
>> From: Jon Slenk [[email protected]]
>>
>>> I think that if the system used capabilities/ZBAC then there would be
>>> no such weird prompting.
>>
>> I see your point, but I'm assuming AuthZ has to be federated as well. We
>> don't know about Alice, she lives in her private cloud. We have to ask her
>> AuthZ system if she can boot a new instance.
>>
>> This flow is saying "The AuthZ resource lives on your side of the fence and
>> I'd like to access it", but to do so Alice needs to grant permission and
>> that interaction seems confusing to me.
>>
>> -S
>>
>> PS> appreciate the feedback!
>>
>>
>> Confidentiality Notice: This e-mail message (including any attached or
>> embedded documents) is intended for the exclusive and confidential use of the
>> individual or entity to which this message is addressed, and unless otherwise
>> expressly indicated, is confidential and privileged information of Rackspace.
>> Any dissemination, distribution or copying of the enclosed material is
>> prohibited.
>> If you receive this transmission in error, please notify us immediately by
>> e-mail at [email protected], and delete the original message.
>> Your cooperation is appreciated.
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : [email protected]
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
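The split the thread converges on, federated AuthN returning a standard group vocabulary while AuthZ stays local to each deployment, as an added example that is not part of this thread or of any OpenStack code. It assumes an HMAC shared secret as a stand-in for whatever trust mechanism the federation actually uses, and the issuer names, group names ("openstack:launcher" and friends), zone names and actions are all invented for illustration. The same group deliberately carries different privileges in zone X and zone Y, which is Jay's point about why a federated AuthZ service would not help; groups outside the agreed vocabulary grant nothing, and a tampered, expired or untrusted assertion is rejected before policy is consulted.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data: shared-secret keys of the AuthN services this
# deployment trusts, keyed by issuer name (hypothetical values).
TRUSTED_ISSUERS = {
    "alice-private-cloud": b"example-shared-secret-do-not-reuse",
}

# The standard group vocabulary the thread proposes: every federated AuthN
# service is expected to return a subset of these (hypothetical names).
STANDARD_GROUPS = {"openstack:member", "openstack:launcher", "openstack:admin"}

# Per-zone, purely local AuthZ policy: standard group -> permitted actions.
# Note that "openstack:launcher" may boot in zone-x but only list in zone-y.
ZONE_POLICY = {
    "zone-x": {
        "openstack:launcher": {"compute:boot", "compute:list"},
        "openstack:member": {"compute:list"},
    },
    "zone-y": {
        "openstack:launcher": {"compute:list"},
        "openstack:member": {"compute:list"},
    },
}


def _canonical(payload):
    """Deterministic byte encoding so issuer and verifier MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, subject, groups, key, ttl=300, now=None):
    """AuthN side: emit a signed assertion carrying the subject's group list."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "sub": subject, "groups": sorted(groups), "exp": now + ttl}
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_assertion(assertion, now=None):
    """Deployment side: check issuer trust, MAC and expiry.

    Returns the subject's *standard* groups, or None if the assertion is
    not acceptable. Groups outside STANDARD_GROUPS are dropped silently.
    """
    now = time.time() if now is None else now
    payload = assertion.get("payload", {})
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        return None  # unknown issuer: we have no trust relationship
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("mac", "")):
        return None  # payload altered after signing
    if payload.get("exp", 0) <= now:
        return None  # stale assertion
    return set(payload.get("groups", [])) & STANDARD_GROUPS


def is_authorized(zone, groups, action):
    """Local AuthZ: any held standard group that lists the action in this zone."""
    policy = ZONE_POLICY.get(zone, {})
    return any(action in policy.get(group, set()) for group in groups)


def authorize_request(assertion, zone, action, now=None):
    """Full path: verify the federated assertion, then apply this zone's policy."""
    groups = verify_assertion(assertion, now=now)
    if groups is None:
        return False
    return is_authorized(zone, groups, action)


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["alice-private-cloud"]
    alice = issue_assertion("alice-private-cloud", "alice",
                            ["openstack:launcher", "corp:finance"], key)
    for zone in ("zone-x", "zone-y"):
        print(zone, "compute:boot ->", authorize_request(alice, zone, "compute:boot"))
```

The deployment never calls back into Alice's AuthZ: the only thing crossing the fence is the group list, and everything about what those groups are allowed to do is decided by the local `ZONE_POLICY`. Swapping the HMAC for a signature scheme keyed per issuer changes nothing in the policy half.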

