Excellent ... timely and much needed!

For completeness here is the link to Zone AuthZ requirements:
http://wiki.openstack.org/FederatedAuthZwithZones

Look forward to helping out where I can.

-S

________________________________
From: openstack-bounces+sandy.walsh=rackspace....@lists.launchpad.net 
[openstack-bounces+sandy.walsh=rackspace....@lists.launchpad.net] on behalf of 
Ziad Sawalha [z...@sawalha.com]
Sent: Monday, April 18, 2011 8:42 AM
To: openstack@lists.launchpad.net
Subject: [Openstack] Proposing an Identity Service in OpenStack (a.k.a. Auth)

Hi Everyone,

For OpenStack to achieve the goal of being a "massively scalable cloud 
operating system", it needs a common approach to some of the problems that an 
"operating system" deals with, such as Authentication (auth-n) and Authorization 
(auth-z). There has been much discussion on the topic (see below), so we are 
proposing we combine all these efforts into a new OpenStack project that 
addresses the auth of all other projects.

I would like to raise this for discussion at the upcoming summit in Santa Clara 
and put forward the following as a starting point for the discussion:

SCOPE
The potential scope for an auth service is huge; this is not a simple problem, 
especially when you deal with authorization and, eventually, usage metering. We 
suggest we start with a minimum viable product (MVP) and that the most 
immediate requirements that need to be addressed are what has already been 
solved for in Swift and Nova today.

We propose to start building in (1-2 week) iterations during the Diablo 
development phase:
* One Service: there should be one auth-n service (this does not presume or 
preclude auth-z)
* Service is a new Core service
* Protocol: initial implementation of Rackspace auth token
* Anyscale: single dev machine to globally distributed
* Integrate with Swift, Nova
* Independent: I can run this on its own (no coupling to other services). 
Therefore can be installed and run with any services that are OpenStack 
compatible.

TIMELINE
Iteration 0 (1-2 weeks): MVP prototype
* blueprint
* We need lightweight delegation (one tenant / multiple users) on validate 
(this extends scope of what is in Rackspace and Swift, but is needed for Nova)
* No delegation beyond existing Nova and Swift implementation
* Using a Token
* Admin is handled by "groups" (roles) - only group allowed to be returned is 
ADMIN
* nothing as a Service for testing.

Post MVP: iteration 2/3/...: defined from subset of backlog & feedback from 
community

Backlog:
* migration path from cactus
* support for ec2 & openstack api
* zones support
* authz by group/role/attribute/... with pluggable Policy Engine
* Pluggable back-end (ex: database, LDAP, Active Directory, PAM, Swift)
* rbac / roles
* Delegation
* OAuth for solving 3rd party partner problem / federation
* (Generic?) Organizational Model
* user management API


DESIGN SUMMIT
* We are looking forward to starting a discussion with the community on how to 
incrementally define and execute on a common Auth system for OpenStack


ADDITIONAL INFORMATION
For reference, existing blueprints and discussions on the topic are:

SPECS and CODE
http://wiki.openstack.org/AuthnAuthz (spec and discussion)
http://wiki.openstack.org/openstack-authn (spec)
http://bazaar.launchpad.net/~anso/nova/authn_and_authz/revision/770 (auth 
service prototype)
https://code.launchpad.net/~khussein/swift/authn (middleware proposal)

SWIFT
https://blueprints.launchpad.net/swift/+spec/swift-authn
https://blueprints.launchpad.net/swift/+spec/bexar-swauth

NOVA
https://blueprints.launchpad.net/nova/+spec/authentication-consistency
https://blueprints.launchpad.net/nova/+spec/nova-authn

GLANCE
https://blueprints.launchpad.net/glance/+spec/authentication

BURROW
https://blueprints.launchpad.net/burrow/+spec/openstack-auth-ldap

Regards,
Ziad
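The MVP bullets above (token-based auth-n, one tenant with multiple users, and "only group allowed to be returned is ADMIN" on validate) as an added, self-contained Python sketch. This is not code from the proposal, from the Rackspace auth service, or from any OpenStack project; the in-memory stores, PBKDF2 password hashing, one-hour token lifetime, and the "acme"/"alice"/"bob" sample data are assumptions chosen for illustration.

```python
"""Sketch of the MVP auth-n service: issue a bearer token, then validate it.

Assumptions (not from the proposal): in-memory stores, PBKDF2 password
hashing, a one-hour token lifetime, and the constructed tenant/user names.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 3600       # assumed lifetime
ADMIN_GROUP = "ADMIN"          # the only group validate() may return (MVP rule)
PBKDF2_ITERATIONS = 100_000


@dataclass
class User:
    user_id: str
    tenant_id: str             # every user belongs to exactly one tenant
    salt: bytes
    pw_hash: bytes
    groups: set = field(default_factory=set)


@dataclass
class Token:
    user_id: str
    tenant_id: str
    expires_at: float


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _token_key(token):
    # Store only a digest so a dump of the token table yields no usable bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}
        self._tokens = {}      # sha256(token) -> Token
        # Do the same amount of hashing for unknown user names, so the
        # response time does not reveal whether an account exists.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = _hash_password(secrets.token_urlsafe(16), self._dummy_salt)

    def add_user(self, user_id, tenant_id, password, groups=()):
        salt = secrets.token_bytes(16)
        self._users[user_id] = User(user_id, tenant_id, salt,
                                    _hash_password(password, salt), set(groups))

    def authenticate(self, user_id, password):
        """Return a fresh bearer token, or None on failure."""
        user = self._users.get(user_id)
        salt = user.salt if user else self._dummy_salt
        expected = user.pw_hash if user else self._dummy_hash
        ok = hmac.compare_digest(_hash_password(password, salt), expected)
        if not (ok and user):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[_token_key(token)] = Token(
            user.user_id, user.tenant_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def validate(self, token):
        """Return {'user_id', 'tenant_id', 'groups'} for a live token, else None.

        'groups' is filtered down to ADMIN only, per the MVP bullet; tenant_id
        lets Nova/Swift scope the caller's authority to a single tenant.
        """
        key = _token_key(token)
        rec = self._tokens.get(key)
        if rec is None:
            return None
        if rec.expires_at <= self._clock():
            del self._tokens[key]          # expired: drop it so it cannot be replayed
            return None
        user = self._users[rec.user_id]
        groups = [ADMIN_GROUP] if ADMIN_GROUP in user.groups else []
        return {"user_id": rec.user_id, "tenant_id": rec.tenant_id, "groups": groups}


def build_demo_service(clock=time.time):
    """Constructed sample data: one tenant ('acme') with two users."""
    svc = AuthService(clock)
    svc.add_user("alice", "acme", "alice-pass", groups={"ADMIN", "ops"})
    svc.add_user("bob", "acme", "bob-pass", groups={"developers"})
    return svc


if __name__ == "__main__":
    svc = build_demo_service()
    tok = svc.authenticate("alice", "alice-pass")
    print(svc.validate(tok))                                   # alice, acme, ['ADMIN']
    print(svc.validate(svc.authenticate("bob", "bob-pass")))   # bob, acme, []
    print(svc.authenticate("alice", "wrong"))                  # None
```

Two details worth keeping when this grows into a real service: the token store holds only a SHA-256 digest of each token, so a leaked database does not hand out working bearer tokens, and a failed login for an unknown user runs the same PBKDF2 work as a known one, so timing does not enumerate accounts. The `clock` parameter exists only so expiry can be exercised without sleeping.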


