K2K Project federation
In a multi-region distributed cloud (e.g. intercloud) setup, end users have to deal with multiple projects across clouds to run their workloads. Maintaining multiple projects across clouds is challenging for the customer and degrades the user experience.
This problem can be easily resolved by project federation. Keystone supports the K2K federation concept, which promotes identity federation between two (or more) Keystone instances. This federation model can be extended to support project federation across two (or more) Keystone instances.
In this model:
1. The user scopes his/her token to a particular project in the source cloud (where the user's IdP is defined or where the user has a billing relationship).
2. The user can move to the target cloud with a "project scoped SAML assertion".
3. Keystone at the target cloud can federate the project to which the user had scoped the token at the source cloud.
4. There is no need to create a physical project at the target cloud; while mapping the SAML assertion to a Keystone token, it should scope to the federated project.
5. A cloud ID (a unique ID will be assigned to each individual cloud) should be used to namespace the federated project. This helps avoid name collisions and ensures uniqueness.
6. Services (Nova, Swift, Cinder) should consider namespaced project IDs (source-
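Step 5 only holds if the namespaced ID is unambiguous. The sketch below is an added example, not part of the blueprint or of Keystone: the cloud IDs, project IDs, trusted-cloud registry and both function names are assumptions. It shows how a plain separator join lets two different (cloud, project) pairs collide, while a length-prefixed hash keeps them distinct.

```python
import hashlib

# Assumption: cloud IDs the target cloud has agreed to federate with (constructed).
TRUSTED_CLOUD_IDS = {"cloud-east", "cloud-east-1"}


def naive_namespace(cloud_id: str, project_id: str) -> str:
    """Join with a separator that may also occur inside either part."""
    return f"{cloud_id}-{project_id}"


def federated_project_id(cloud_id: str, project_id: str) -> str:
    """Derive a stable ID for a federated project without a physical record.

    Each part is length-prefixed before hashing, so the boundary between
    cloud ID and project ID cannot be shifted to forge another pair.
    """
    if cloud_id not in TRUSTED_CLOUD_IDS:
        raise ValueError(f"untrusted source cloud: {cloud_id!r}")
    if not project_id:
        raise ValueError("assertion is not project scoped")
    material = b"".join(
        len(part).to_bytes(4, "big") + part
        for part in (cloud_id.encode("utf-8"), project_id.encode("utf-8"))
    )
    return hashlib.sha256(material).hexdigest()


if __name__ == "__main__":
    # Constructed pairs: same joined string, different source clouds.
    a = ("cloud-east", "1-abc")
    b = ("cloud-east-1", "abc")
    print(naive_namespace(*a) == naive_namespace(*b))            # collision
    print(federated_project_id(*a) == federated_project_id(*b))  # distinct
```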
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Arvind Tiwari
- Direction: Needs approval
- Assignee: Arvind Tiwari
- Definition: Superseded
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Steve Martinelli
Whiteboard
(stevemar) 2016-02-02: marking this as superseded by cross-cloud-