[Fiware-lab-recovery-tf] question from arian

Federico Michele Facca federico.facca at create-net.org
Thu May 21 11:56:33 CEST 2015


hi,
if we go for just local accounts, we break the concept of FIWARE ecosystem
and single point of entry. so, from my side that's not the way to go. keep
into account that oauth delegation or saml federation WILL enable the
commercial usage (each node, beyond the federated users - may have its
local users and tools).

I am more in favour of a solution that supports both modalities (that could
be based on oauth delegation or saml federation, I don't really care).
FIWARE Ops chapter may work on these aspects for the keystone side (we can
consider this indeed an "operation" issue), but I am afraid this will not be
enough since also portal and other "global" services may be affected and
this will require work from Cloud chapter guys.

currently there is a SAML federation work in the OpenStack community. but
we need to investigate how this aligns with current oauth based keystone.

i will be out for three weeks, so i would not be able to kick off such
action before end of june. anyhow, alessandro is the chapter leader (and
architect) so he can coordinate this discussion with the cloud chapter.

best,
federico

On Thu, May 21, 2015 at 11:09 AM, stefano de panfilis <
stefano.depanfilis at eng.it> wrote:

> dear thierry,
>
> not sure your approach preserves the distributed nature of fiware lab
> which is guaranteed by the federation concept.
>
> as you know at the moment a user can have different vms in different nodes
> (actually i do have) the approach you are proposing seems, maybe i'm
> wrong, making this more complicated. i think this is a value we cannot
> lose as it is still a differentiator fiware has and not possessed by other
> platforms.
>
> so we have to find a solution which shares the idm, but also keeps the
> federation notion fully implemented.
> as juanjo was suggesting i agree a dedicated task, most likely to me in
> fi-ops, should be created. i even think that fi-ops should be a fiware
> chapter, i mean not the operations themselves, but the implementation of
> the federation technologies.
>
> ciao,
> stefano
>
>
> 2015-05-21 10:41 GMT+02:00 <thierry.nagellen at orange.com>:
>
>>  Hi all,
>>
>>
>>
>> I would propose a solution to go a step further because using Geant it is
>> impossible to do any business. For sustainability matter and to avoid what
>> happened recently we should go for FIWARE Lab as a global portal hosting
>> links to access local platforms. In this case we should not need delegation
>> of IdM and just a local IdM to manage local accounts.
>>
>>
>>
>> To have a global view of what are resources consumed by FIWARE Lab is
>> just a matter of dashboard and does not need IdM features.
>>
>>
>>
>> In addition, with this system, a local platform could easily provide a
>> commercial offer, using the same local IdM, switching a trial user into a
>> commercial user.
>>
>>
>>
>> BR
>>
>> Thierry
>>
>>
>>
>> *From:* fiware-lab-recovery-tf-bounces at lists.fiware.org [mailto:
>> fiware-lab-recovery-tf-bounces at lists.fiware.org] *On behalf of* Juanjo
>> Hierro
>> *Sent:* Wednesday 20 May 2015 17:17
>> *To:* Federico Michele Facca; fiware-lab-rec.
>> *Subject:* Re: [Fiware-lab-recovery-tf] question from arian
>>
>>
>>
>> Hi Federico,
>>
>>   I was aware about the issue, that's why I explained that my assumption
>> was that not all the issues had been solved with the new IdM version.
>>
>>   In my opinion, this is one of the major points that should be tackled
>> within FI-Core.   Indeed trying to get the solution ready for the
>> integration of new nodes in September (selected through the Open Call or
>> deciding to join FIWARE Lab on their own).
>>
>>   Let's start the discussion during the coming weeks.   Where do we want
>> it to be tackled?  Within the FI-Ops or the FIWARE Cloud chapter?
>> Probably a good approach would be to kick-off this in one of our Monday
>> regular architects meeting we have just started and then follow up.    Next
>> Monday it was planned to discuss about dockers and stuff like this.   I
>> wonder whether we can collocate it there or call for a specific meeting.
>> Suggestions?
>>
>>   Best regards,
>>
>> -- Juanjo
>>
>> On 20/05/15 15:36, Federico Michele Facca wrote:
>>
>>  dear juanjo,
>>
>> my 2 cents on arian's question:
>>
>>
>>
>> The problem mentioned by arian is not solved, since idm/keystone is a
>> single central service not highly available in multiple locations beyond
>> spain (such as the portal) - which does not reflect openstack usual
>> architecture deployment for multi-region openstack. The default
>> architecture for multi region keystone could not be applied since it
>> requires to host user data outside spain.
>>
>>
>>
>> CREATE-NET proposed a solution (which was having a single keystone per
>> node) using delegation to authenticate users using oauth2 from the "main"
>> keystone, the advantages of such solution would have been:
>>
>>    a - nodes don't fail when central keystone is not available.
>>
>>    b - nodes can support both local users and FIWARE Lab users making
>> "entering in the game" for without funding much cheaper
>>
>>
>>
>> the solution would require anyhow:
>>
>>    - requires some changes in portal
>>
>>    - requires some changes in blueprint engine
>>
>>
>>
>> thus basically - even though developed and partially tested - it was not
>> moved ahead.
>>
>>
>>
>> alternative solutions may be based on saml, but i have the feeling this
>> will get more complex for the portal and blueprints.
>>
>>
>>
>> best,
>>
>> federico
>>
>>
>>
>>
>>
>> --
>>
>> --
>> Future Internet is closer than you think!
>> http://www.fiware.org
>>
>> Official Mirantis partner for OpenStack Training
>> https://www.create-net.org/community/openstack-training
>>
>> --
>> Dr. Federico M. Facca
>>
>> CREATE-NET
>> Via alla Cascata 56/D
>> 38123 Povo Trento (Italy)
>>
>> P  +39 0461 312471
>> M +39 334 6049758
>> E  federico.facca at create-net.org
>> T @chicco785
>> W  www.create-net.org
>>
>>
>>
>>  --
>>
>>
>>
>> ______________________________________________________
>>
>>
>>
>> Coordinator and Chief Architect, FIWARE platform
>>
>> CTO Industrial IoT, Telefónica
>>
>>
>>
>> email: juanjose.hierro at telefonica.com
>>
>> twitter: @JuanjoHierro
>>
>>
>>
>>
>
>
> --
> Stefano De Panfilis
> Chief Innovation Officer
> Engineering Ingegneria Informatica S.p.A.
> via Riccardo Morandi 32
> 00148 Roma
> Italy
>
> tel (direct): +39-06-8759-4253
> tel (secr.): +39-068307-4513
> fax: +39-068307-4200
> cell: +39-335-7542-567
> skype: depa01
> twitter: @depa01
>
>


-- 
--
Future Internet is closer than you think!
http://www.fiware.org

Official Mirantis partner for OpenStack Training
https://www.create-net.org/community/openstack-training

-- 
Dr. Federico M. Facca

CREATE-NET
Via alla Cascata 56/D
38123 Povo Trento (Italy)

P  +39 0461 312471
M +39 334 6049758
E  federico.facca at create-net.org
T @chicco785
W  www.create-net.org