While the ultimate goal is using Keystone for AuthZ in Nova we may need an interim solution until Keystone is fully ready. This session will talk, at a code level, what might be possible to do in Nova until Keystone is ready. How will authorization checks get performed? Decorators? Explicit if-statements? When will authorization checks get performed? In API? In Server.API? in the service itself? How will we configure this interim solution without writing a whole lot of code that will be thrown away later? .conf? db? json? .py? Will we require all Nova resources to belong to Resource Groups in order to keep the AuthZ-service calls to a minimum? Will this work across Zones? Will this work in Federated environments? How will this interim solution get replaced when Keystone is ready?
Tuesday October 4, 2011 3:30pm - 3:55pm