In the example I gave below they are not members of any group and have no roles assigned to them. Should they still be authenticated?

From: "Rouault, Jason (Cloud Services)" <[email protected]>
Date: Thu, 14 Jul 2011 16:25:22 +0000
To: Ziad Sawalha <[email protected]>, Yuriy Taraday <[email protected]>, "[email protected]" <[email protected]>
Subject: RE: [Openstack] Keystone tenants vs. Nova projects

A user can specify a tenantID at the time of authentication. If no tenantID is specified during authentication, then I would expect the ‘default’ tenant for the user would apply. The capabilities of User1 on TenantA (in this case the default tenant for the user) would be determined by their role and group assignments within the context of TenantA.

Jason

From: Ziad Sawalha [mailto:[email protected]]
Sent: Wednesday, July 13, 2011 10:35 PM
To: Rouault, Jason (Cloud Services); Yuriy Taraday; [email protected]
Subject: Re: [Openstack] Keystone tenants vs. Nova projects

What if:
- User1 has TenantA as her default tenant

Should the service authenticate the user against TenantA? And if so, why? What does the 'default tenant' grant User1 on TenantA? It's some nebulous, implied role…

From: "Rouault, Jason (Cloud Services)" <[email protected]>
Date: Wed, 13 Jul 2011 13:18:44 +0000
To: Ziad Sawalha <[email protected]>, Yuriy Taraday <[email protected]>, "[email protected]" <[email protected]>
Subject: RE: [Openstack] Keystone tenants vs. Nova projects

If a user is bound to their default tenant, why wouldn’t any role assignments for that user in their default tenant apply?

User1 authenticates specifying TenantB, this binds User1 into the context of TenantB. In subsequent web service requests using the token received after authentication, the Auth component filter would decorate the headers with RoleY.

If User1 authenticates specifying TenantA, or specifying no Tenant, this binds User1 into the context of TenantA. The headers would then be decorated with RoleX.

Jason

From: [email protected] [mailto:[email protected]] On Behalf Of Ziad Sawalha
Sent: Tuesday, July 12, 2011 10:09 PM
To: Yuriy Taraday; [email protected]
Subject: Re: [Openstack] Keystone tenants vs. Nova projects

Our goal is to support Nova use cases right now. You can provide access to multiple tenants using a role assignment (assigning a user a role on a specific tenant effectively binds them to that tenant).

However, this raises the issue of what the 'implied' role of a user is when they are bound to their default tenant. So we're considering how to alter the model to clean that up. No great solution yet. Any suggestions are welcome….

Ziad

From: Yuriy Taraday <[email protected]>
Date: Tue, 28 Jun 2011 16:59:08 +0400
To: <[email protected]>
Subject: [Openstack] Keystone tenants vs. Nova projects

Currently the Keystone model assumes that a user is bound to exactly one tenant. It conflicts with the fact that in Nova a user can have access to several projects.
Which way will it be?

Kind regards, Yuriy.

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : [email protected]
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp

This email may include confidential information. If you received it in error, please delete it.
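
The tenant binding and role decoration discussed in this thread, as an added example that is not part of any message above and is not Keystone's code. It assumes hypothetical header names (X-User, X-Tenant, X-Roles), a constructed User record, and that a tenant which is neither the default nor role-assigned is refused; User2 models the case of a default tenant with no roles.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    default_tenant: str
    roles: dict = field(default_factory=dict)  # tenant name -> set of role names

def bind_tenant(user, requested_tenant=None):
    """Choose the tenant context for a token: the requested tenant, else the default."""
    tenant = requested_tenant or user.default_tenant
    # A role on a tenant binds the user to it; the default tenant binds implicitly.
    if tenant != user.default_tenant and not user.roles.get(tenant):
        raise PermissionError(f"{user.name} is not bound to {tenant}")
    return tenant

def decorate_headers(user, requested_tenant=None):
    """Headers an auth filter would add for downstream services (hypothetical names)."""
    tenant = bind_tenant(user, requested_tenant)
    # Only roles assigned on the bound tenant are passed on; none leak across tenants.
    roles = sorted(user.roles.get(tenant, set()))
    return {"X-User": user.name, "X-Tenant": tenant, "X-Roles": ",".join(roles)}

def is_allowed(headers, required_role):
    """Downstream check: deny by default when the bound tenant carries no such role."""
    granted = {r for r in headers["X-Roles"].split(",") if r}
    return required_role in granted

# Constructed sample users matching the scenario in the thread.
USER1 = User("User1", "TenantA", {"TenantA": {"RoleX"}, "TenantB": {"RoleY"}})
USER2 = User("User2", "TenantA")  # default tenant only, no groups or roles

if __name__ == "__main__":
    print(decorate_headers(USER1))             # no tenant given: default TenantA
    print(decorate_headers(USER1, "TenantB"))  # explicit tenant
    h = decorate_headers(USER2)                # binds, but with an empty role set
    print(h, is_allowed(h, "RoleX"))
```

In this model User2 receives a token scoped to TenantA but every role check fails, so the default tenant grants nothing by itself.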

