
Difference between revisions of "KeystoneFolsomSummitTopics"

Line 13: Line 13:
 
Federation
 
Federation
  
Huge  topic - means lots of things to lots of people. We need get a  sense of  what the needs are from the community, and then wrangle this  down into  something where we can prototype and start small - getting  something  done in the folsom timeframe for expansion as we drive the  project  forward.
+
* Huge  topic - means lots of things to lots of people. We need get a  sense of  what the needs are from the community, and then wrangle this  down into  something where we can prototype and start small - getting  something  done in the folsom timeframe for expansion as we drive the  project  forward.
  
 
'''Default tenant'''
 
'''Default tenant'''
  
DO  we even allow a user  to be  created without a tenant - and if so, how do  we handle the "free  floating user" issue when that case does occur  (assuming they're  separate entities on some backend systems)currently nova EC2 keys are  handed out to a user - not a user-tenant  pair, so they are  theoretically usable by a user regardless of the  tenant owning the VM  that the user is accessing/messin' with
+
* DO  we even allow a user  to be  created without a tenant - and if so, how do  we handle the "free  floating user" issue when that case does occur  (assuming they're  separate entities on some backend systems)currently nova EC2 keys are  handed out to a user - not a user-tenant  pair, so they are  theoretically usable by a user regardless of the  tenant owning the VM  that the user is accessing/messin' with
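Review bot: In the added Default tenant bullet, the question about tenant-less users and the observation about nova EC2 keys are still fused at "systems)currently" with no sentence break, so the key-scoping concern reads as part of the parenthetical. Consider splitting it into its own bullet, since EC2 keys being issued per user rather than per user-tenant pair is a separate access-control issue from whether a user can exist without a tenant. Two smaller wording points carried over unchanged: the bullet opens with "DO", and the Federation bullet has "We need get" where "We need to get" is meant.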

Revision as of 20:36, 7 February 2012

Keystone Folsom Summit Topics

How to allow for/enable multifactor authentication

  • Pluggable backend for multiple authN sources (ex: mobile authN from Verisign but SMS done through TeleSign)
  • Potential out-of-box integration with WiKID, an open source MFA provider
  • Allowing MFA for different tenants/users. Ex: access to tenant A requires 3 authN but tenant B requires 2. User Jane requires 3 authN but user test_service requires 1.

Catalog crud

  • Right now, the catalog is template/config-file based in keystone/redux. Catalogs are handed back with a user once authenticated, because the tenantID is embedded into the URI for some of the services (SWIFT, I'm looking at you). There are also some use cases related to wanting to hide endpoints from some users, i.e. if you're not an admin, don't return the admin endpoints. Endpoints in general need a general discussion from the point of view of use cases, then re-examine the API to figure out how to support it.

Federation

  • Huge topic - means lots of things to lots of people. We need to get a sense of what the needs are from the community, and then wrangle this down into something where we can prototype and start small - getting something done in the Folsom timeframe for expansion as we drive the project forward.

Default tenant

  • Do we even allow a user to be created without a tenant - and if so, how do we handle the "free floating user" issue when that case does occur (assuming they're separate entities on some backend systems)?
  • Currently nova EC2 keys are handed out to a user - not a user-tenant pair, so they are theoretically usable by a user regardless of the tenant owning the VM that the user is accessing/messin' with.