The approach here looks solid, but I'm not sure if it goes far enough. One issue that Keystone has to resolve eventually is how to authenticate requests for tenant-specific file system users. Basically the core authentication system allows satellite authentication systems to authenticate users within defined scopes. That is, a Tenant X authentication server authenticates file system users for Tenant X. TenantX:Jsmith is a different user than TenantY:Jsmith.
What you probably want to avoid for that sort of system is *mapping* all of the users from each of the Tenants to the central authentication server. Adding and deleting file system users from *all* tenants could end up being a bit too many transactions and ultimately requires excessive and error-prone replication of data. What we need is for TenantX's server to provide the information about who "Jsmith" is, and what jsmith is allowed to do, but in a way where it cannot reference any of TenantY's resources.

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : [email protected]
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
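As an added example (not code from this thread or from Keystone), here is the scoping rule described above sketched in Python: a core authenticator hands a `TenantX:user` request to that tenant's own satellite server, then refuses any assertion that speaks for a different tenant or grants access to another tenant's resources. The class names, the `(tenant, resource, action)` grant format and the sample credentials are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Assertion:
    tenant: str        # tenant the satellite speaks for
    user: str
    grants: frozenset  # of (tenant, resource, action) tuples

class TenantAuthServer:
    """Hypothetical satellite authenticator run by one tenant."""

    def __init__(self, tenant, users):
        self.tenant = tenant
        # user -> (sha256(password), grants); constructed demo credentials
        self._users = {u: (hashlib.sha256(pw.encode()).digest(), frozenset(g))
                       for u, (pw, g) in users.items()}

    def authenticate(self, user, password):
        if user not in self._users:
            return None
        digest, grants = self._users[user]
        probe = hashlib.sha256(password.encode()).digest()
        return Assertion(self.tenant, user, grants) if hmac.compare_digest(digest, probe) else None

class CoreAuth:
    """Hypothetical core: delegates to satellites and enforces tenant scope."""

    def __init__(self):
        self._satellites = {}

    def register(self, server):
        self._satellites[server.tenant] = server

    def authenticate(self, scoped_user, password):
        # scoped_user is "Tenant:user"; returns (scoped_user, grants) or None
        tenant, _, user = scoped_user.partition(":")
        server = self._satellites.get(tenant)
        if server is None or (assertion := server.authenticate(user, password)) is None:
            return None
        # A satellite may only speak for its own tenant and may not grant any other tenant's resources.
        if assertion.tenant != tenant or any(t != tenant for t, _, _ in assertion.grants):
            raise PermissionError("satellite for %s made a cross-tenant claim" % tenant)
        return scoped_user, assertion.grants

# Constructed sample deployment: the same username exists in two tenants.
CORE = CoreAuth()
CORE.register(TenantAuthServer("TenantX", {"jsmith": ("pwX", [("TenantX", "fs:/home", "rw")])}))
CORE.register(TenantAuthServer("TenantY", {"jsmith": ("pwY", [("TenantY", "fs:/data", "r")])}))
```

Because the scope check runs in the core, a misbehaving or compromised satellite can at most make claims about its own tenant; anything it says about another tenant is rejected before any resource is touched.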

