Thursday, October 29 • 9:50am - 10:30am
Keystone: federation


https://etherpad.openstack.org/p/keystone-mitaka-summit-federation

Federation

- With keystoneauth merged with openstackclient we will be able to finish client side (esp k2k)
- Service Providers endpoint filtering - today every user gets the set of enabled service providers in the token response. We should be able to limit it per user/scoped project/scoped domain etc. - https://review.openstack.org/#/c/188534/
- Native tracing of the ephemeral users - please see section
- keystoneauth1.session.Session() should allow for getting remote clouds' Session() objects based on K2K. Something like sp_session = session.Session().get_remote_session('sp1')
- What's the best way to have configurations for multiple clouds and easily switch between them - each cloud should have at least project/domain id to scope to. Is it os-cloud-config?
- Troubleshooting and debugging support
- Mix and Match federation
- What was demo'ed in Boston from the folks from MOC
- Use local nova, but get images from a remote SP glance
- Use local swift, but sign objects from a remote SP barbican
- LDAP "federation" - we should formally support use of an Apache lookup module for LDAP, then allow mapping into keystone groups via the regular federation mapper
- We need SSSD/identity_look to be domain-friendly. i.e. pass down both DN and domain
- deprecate ldap identity(henrynash) Not for a looooong time, my friend, but one day
- Mapping engine - relies on string substitution and concatenation - this stops us from fixing a few open bugs (https://bugs.launchpad.net/keystone/+bug/1401057). Are we happy with the engine for now so there is no urgent need for rewriting it? Are we relatively happy with that and some work would be welcomed? Do we need a more intelligent DSL kind of language? Are we missing anything (in terms of functionality)?
- Pre-canned mappings? The K2K mapping and Tokenless Auth mapping are, for the most part, very similar looking.

Thursday October 29, 2015 9:50am - 10:30am JST
Suzuran room
  Keystone