ayoung at redhat
Jul 26, 2012, 7:33 PM
Post #2 of 5
On 07/26/2012 08:30 PM, Ryan Lane wrote:
Re: [keystone] Multi-tenants per user, authentication tokens and global roles
[In reply to]
> I'm working on upgrading to essex, which means I need to start using
> keystone. My use case seems to not fit keystone very well, though...
> In my environment, one user can be a member of many projects (some
> users are in up to 20-30 projects). Management of projects is done
> nearly completely though the web interface, and users may work on
> resources in multiple projects at the same time. Our web interface can
> show all or a subset of user's project's resources in the same view.
> In Nova, using the EC2 API, I could query all resources for a user on
> their behalf using an admin user, or I could use their access/secret
> key and change the tenant for requesting each project.
> >From what I can tell in Keystone, when a user authenticates, they get
> a token directly linked with a tenant. If I want to do API calls on a
> user's behalf in a tenant, I must authenticate them for that tenant.
> It seems there's no way for me to make requests on a user's behalf for
> multiple projects without authenticating them for every single tenant.
> Is this the case? Is there any way for me to handle this? I'd really
> like to avoid authenticating a user 30 times on login, then needing to
> store all 30 of their tokens.
Not in Essex. When we discussed the Domains blueprint, one issue that
I brought up was nested groups/projects. That would solve your
problem. It is not currently being developed.
> I have another issue as well. My environment is meant to be integrated
> and more of a private-style cloud. We have a group of administrators
> that should be able to manage all instances, networks, etc. In Nova's
> auth there were global groups. In Keystone there are no global groups.
> Will this ever be added into keystone? It's really annoying to need to
> constantly add/remove ourselves from projects to manage them.
Again, this is really a group nesting problem. I am not sure if the
domain blueprint would help you out here:
> - Ryan
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack [at] lists
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
Mailing list: https://launchpad.net/~openstack
Post to : openstack [at] lists
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp