I'm working on upgrading to essex, which means I need to start using keystone. My use case seems to not fit keystone very well, though...
In my environment, one user can be a member of many projects (some users are in up to 20-30 projects). Management of projects is done nearly completely though the web interface, and users may work on resources in multiple projects at the same time. Our web interface can show all or a subset of user's project's resources in the same view. In Nova, using the EC2 API, I could query all resources for a user on their behalf using an admin user, or I could use their access/secret key and change the tenant for requesting each project. >From what I can tell in Keystone, when a user authenticates, they get a token directly linked with a tenant. If I want to do API calls on a user's behalf in a tenant, I must authenticate them for that tenant. It seems there's no way for me to make requests on a user's behalf for multiple projects without authenticating them for every single tenant. Is this the case? Is there any way for me to handle this? I'd really like to avoid authenticating a user 30 times on login, then needing to store all 30 of their tokens. I have another issue as well. My environment is meant to be integrated and more of a private-style cloud. We have a group of administrators that should be able to manage all instances, networks, etc. In Nova's auth there were global groups. In Keystone there are no global groups. Will this ever be added into keystone? It's really annoying to need to constantly add/remove ourselves from projects to manage them. - Ryan _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : [email protected] Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
