Hi Thierry,

I think you didn't understand my point...

- commercial users of XXX node will be local (and remote eventually);
- free users from the FIWARE Lab will access through delegation;

Take into consideration that this model is valid only for commercial offer that wants to be ALSO in FIWARE Lab (and do not break the concept of community). Sure if telefonica or orange wants to do a totally separated commercial offer (and manage a full lab by themselves, including GE update, and so on and so forth....).

The problem we need to solve - also in relation to the open call - is the coexistence of the two to not make user migration a pain. This is unavoidable for small nodes like Gent (given that you cite that) to be sustainable. Why? Because their resources are not enough to make by themselves a meaningful Lab, including saas GE provisioning and so on.

Clearly, we have to start from requirements, which (and maybe I was wrong, I thought were already clear):

- we cannot move FIWARE Lab user personal data from Spain;
- we need to make more reliable the Lab and attached nodes;
- we have to support a hybrid type of node (commercial + lab) in light of the new Open Call (and for sustainability reasons)

So Oauth delegation concept (as much as SAML Federation, I guess) should be totally compatible with the above points. (if not, all the applications registered using oauth have a problem!) Users data will be only hosted in Spain, what goes in the nodes, would be only the "general token" that then is used to create scoped token by the local keystone.

Best,
Federico

On Thu, May 21, 2015 at 1:20 PM, <thierry.nagellen at orange.com> wrote:

> Hi all
>
> Honestly to have a delegation of rights for commercial accounts that stakeholders could sell and linked to their own billing system makes no sense. Legal implications are very touchy. The main idea is also to come back in a situation where any change will have less impact and could be tested/evaluated node per node.
>
> It is bank holiday in France on Monday but I can manage to be on the phone for this issue. I agree that we have first to define the model we could implement before going into procedures.
>
> BR
>
> Thierry
>
> *From:* fiware-lab-recovery-tf-bounces at lists.fiware.org [mailto:fiware-lab-recovery-tf-bounces at lists.fiware.org] *On behalf of* FERNANDO LOPEZ AGUILAR
> *Sent:* Thursday 21 May 2015 12:19
> *To:* Joaquín Salvachúa; Federico Michele Facca
> *Cc:* alessandro; fiware-lab-rec.
> *Subject:* Re: [Fiware-lab-recovery-tf] question from arian
>
> Like Joaquín says,
>
> I see more important the legal implications of all this stuff. It is not a technical problem, but we have to keep all the legal decisions. I mean, I need almost 2 weeks to complete a little thing about the publication of email of the users to all the infrastructure owner. I do not want to think about the procedure that we should do now.
>
> Regarding 25th, I am not available, I will be travelling to Vienna, I will inform to Henar in order to assist for me in that audio. But, she does not cover all the aspects of the problem.
>
> Fernando
>
> *From:* Joaquin Salvachua <jsalvachua at dit.upm.es>
> *Date:* Thursday 21 May 2015 12:10
> *To:* Federico Michele Facca <federico.facca at create-net.org>
> *CC:* alessandro <alessandro.martellone at create-net.org>, "fiware-lab-rec." <fiware-lab-recovery-tf at lists.fiware.org>
> *Subject:* Re: [Fiware-lab-recovery-tf] question from arian
>
> Hello,
>
> I think that we should first define what model we want to have (I agree to have local accounts break the model I have in mind, but perhaps there are some use cases for it).
>
> Later we will see how we can implement a federation solution that is efficient and keeps the legal aspects for the databases.
>
> I think we should not mix both aspects.
>
> Best Regards
>
> Joaquín
>
> On 21/5/2015, at 11:56, Federico Michele Facca <federico.facca at create-net.org> wrote:
>
> hi,
>
> if we go for just local accounts, we break the concept of FIWARE ecosystem and single point of entry. so, from side that's not the way to go. take into account that oauth delegation or saml federation WILL enable the commercial usage (each node, beyond the federated users - may have its local users and tools).
>
> I am more in favour of a solution that supports both modalities (that could be based on oauth delegation or saml federation, I don't really care). FIWARE Ops chapter may work on these aspects for the keystone side (we can consider this indeed an "operation" issue), but I am afraid this will not be enough since also portal and other "global" services may be affected and this will require work from Cloud chapter guys.
>
> currently there is a SAML federation work in the OpenStack community. but we need to investigate how this aligns with current oauth based keystone.
>
> i will be out for three weeks, so i would not be able to kick off such action before end of june. anyhow, alessandro is the chapter leader (and architect) so he can coordinate this discussion with the cloud chapter.
>
> best,
>
> federico
>
> On Thu, May 21, 2015 at 11:09 AM, stefano de panfilis <stefano.depanfilis at eng.it> wrote:
>
> dear thierry,
>
> not sure your approach preserves the distributed nature of fiware lab which is guaranteed by the federation concept.
>
> as you know at the moment a user can have different vms in different nodes (actually i do have) the approach you are proposing seems, maybe i'm wrong, making this more complicated. i think this is a value we cannot lose as it is still a differentiator fiware has and not possessed by other platforms.
>
> so we have to find a solution which shares the idm, but also keeps the federation notion fully implemented.
>
> as juanjo was suggesting i agree a dedicated task, most likely to me in fi-ops, should be created. i even think that fi-ops should be a fiware chapter, i mean not the operations themselves, but the implementation of the federation technologies.
>
> ciao,
>
> stefano
>
> 2015-05-21 10:41 GMT+02:00 <thierry.nagellen at orange.com>:
>
> Hi all,
>
> I would propose a solution to go a step further because using Geant it is impossible to do any business. For sustainability matter and to avoid what happened recently we should go for FIWARE Lab as a global portal hosting links to access local platforms. In this case we should not need delegation of IdM and just a local IdM to manage local accounts.
>
> To have a global view of what are resources consumed by FIWARE Lab is just a matter of dashboard and does not need IdM features.
>
> In addition, with this system, a local platform could easily provide a commercial offer, using the same local IdM, switching a trial user into a commercial user.
>
> BR
>
> Thierry
>
> *From:* fiware-lab-recovery-tf-bounces at lists.fiware.org [mailto:fiware-lab-recovery-tf-bounces at lists.fiware.org] *On behalf of* Juanjo Hierro
> *Sent:* Wednesday 20 May 2015 17:17
> *To:* Federico Michele Facca; fiware-lab-rec.
> *Subject:* Re: [Fiware-lab-recovery-tf] question from arian
>
> Hi Federico,
>
> I was aware about the issue, that's why I explained that my assumption was that not all the issues had been solved with the new IdM version.
>
> In my opinion, this is one of the major points that should be tackled within FI-Core. Indeed trying to get the solution ready for the integration of new nodes in September (selected through the Open Call or deciding to join FIWARE Lab on their own).
>
> Let's start the discussion during the coming weeks. Where do we want it to be tackled? Within the FI-Ops or the FIWARE Cloud chapter? Probably a good approach would be to kick-off this in one of our Monday regular architects meeting we have just started and then follow up. Next Monday it was planned to discuss about dockers and stuff like this. I wonder whether we can collocate it there or call for a specific meeting. Suggestions?
>
> Best regards,
>
> -- Juanjo
>
> On 20/05/15 15:36, Federico Michele Facca wrote:
>
> dear juanjo,
>
> my 2 cents on arian's question:
>
> The problem mentioned by arian is not solved, since idm/keystone is a single central service not highly available in multiple locations beyond spain (such as the portal) - which does not reflect openstack usual architecture deployment for multi-region openstack. The default architecture for multi region keystone could not be applied since it requires to host user data outside spain.
>
> CREATE-NET proposed a solution (which was having a single keystone per node) using delegation to authenticate users using oauth2 from the "main" keystone, the advantages of such solution would have been:
>
> a - nodes don't fail when central keystone is not available.
>
> b - nodes can support both local users and FIWARE Lab users making "entering in the game" for without funding much cheaper
>
> the solution would require anyhow:
>
> - requires some changes in portal
>
> - requires some changes in blueprint engine
>
> thus basically - even though developed and partially tested - it was not moved ahead.
>
> alternative solutions may be based on saml, but i have the feeling this will get more complex for the portal and blueprints.
>
> best,
>
> federico
>
> --
>
> --
> Future Internet is closer than you think!
> http://www.fiware.org
>
> Official Mirantis partner for OpenStack Training
> https://www.create-net.org/community/openstack-training
>
> --
> Dr. Federico M. Facca
>
> CREATE-NET
> Via alla Cascata 56/D
> 38123 Povo Trento (Italy)
>
> P +39 0461 312471
> M +39 334 6049758
> E federico.facca at create-net.org
> T @chicco785
> W www.create-net.org
>
> --
>
> ______________________________________________________
>
> Coordinator and Chief Architect, FIWARE platform
>
> CTO Industrial IoT, Telefónica
>
> email: juanjose.hierro at telefonica.com
>
> twitter: @JuanjoHierro
>
> You can follow FIWARE at:
>
> website: http://www.fiware.org
>
> twitter: @FIWARE
>
> facebook: http://www.facebook.com/pages/FI-WARE/251366491587242
>
> linkedIn: http://www.linkedin.com/groups/FIWARE-4239932
>
> ------------------------------
>
> The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
>
> _________________________________________________________________________________________________________________________
>
> This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
>
> _______________________________________________
> Fiware-lab-recovery-tf mailing list
> Fiware-lab-recovery-tf at lists.fiware.org
> https://lists.fiware.org/listinfo/fiware-lab-recovery-tf
>
> --
>
> Stefano De Panfilis
> Chief Innovation Officer
> Engineering Ingegneria Informatica S.p.A.
> via Riccardo Morandi 32
> 00148 Roma
> Italy
>
> tel (direct): +39-06-8759-4253
> tel (secr.): +39-068307-4513
> fax: +39-068307-4200
> cell: +39-335-7542-567
>
> skype: depa01
>
> twitter: @depa01