Jump to: navigation, search

KeystoneFolsomSummitTopics

Revision as of 20:28, 7 February 2012 by Jsavak (talk)

Keystone Folsom Summit Topics

What we're doing with Middleware - does it reside in Keystone, each project, etc. 

12:16   [freenode] [(westmaas ~westmaas@184-106-186-202.static.cloud-ips.com )   ]hello sir, some things have been landing in middleware in the  keystone  project lately, especially for glance - will these changes  have to be  re-done as ksl lands?12:55 [freenode] [msg(westmaas)] not if you do them in th ksl project ;) port the changes you want over right now in http://github.com/termie/keystonelight12:56 [freenode] [(westmaas ~westmaas@184-106-186-202.static.cloud-ips.com )] is middleware going to move out of ksl?12:57 [freenode] [msg(westmaas)] probably at some point, but when they do they will be copied out of the ksl project, (i expect)12:58 [freenode] [(westmaas ~westmaas@184-106-186-202.static.cloud-ips.com )] kk12:58 [freenode] [msg(westmaas)] we haven't committed to doing them all yet12:58 [freenode] [msg(westmaas)] though i think nova is currently already doing it12:58 [freenode] [(westmaas ~westmaas@184-106-186-202.static.cloud-ips.com )] yeah it is13:01   [freenode] [msg(westmaas)] just talked it over with vish, we have a   pretty decent plan for what to do with the middleware, actuals13:02   [freenode] [msg(westmaas)] thoughts are thin: we put some base-class   for middleware into keystoneclient that can be subclassed wby the   project middleware, and then the project middlewares do specific stuff13:04   [freenode] [msg(westmaas)] this will allow us a little bit of   flexibility if something small changes or we want to add some default   behaviors
How to allow for/enable multifactor authentication
- pluggable backend for multiple authN sources (ex: mobile authN from verisign but SMS done through Telesign)
- Potential out-of-box integration with WikiD - an opensrouce MFA provider-  allowing MFA for different tenants/users. Ex: Access to tenant A  requires 3 authN but tenant B requires 2. User Jane requires 3 authN but  user test_service requires 1.Catalog crud
 - right now, catalog is template/config file based in keystone/redux -   catalogs are handed back with a user once authenticated, because the   tenantID is embedded into URI for some of the services (SWIFT, I'm   looking at you) -   there's also some use cases related to wanting to hide endpoints from   some users - i.e. if you're not an admin, don't return the admin   endpoints.Endpoints   in general need to have a general discussion from the point of view of   use cases, then re-examine the API to figure out how to support it.Federation
Huge   topic - means lots of things to lots of people. We need get a sense of   what the needs are from the community, and then wrangle this down into   something where we can prototype and start small - getting something   done in the folsom timeframe for expansion as we drive the project   forward.Default tenant

DO  we even allow a user  to be created without a tenant - and if so, how do  we handle the "free  floating user" issue when that case does occur  (assuming they're  separate entities on some backend systems)currently nova EC2 keys are handed out to a user - not a user-tenant   pair, so they are theoretically usable by a user regardless of the   tenant owning the VM that the user is accessing/messin' with
Retrieved from "https://wiki.openstack.org/w/index.php?title=KeystoneFolsomSummitTopics&oldid=4414"