[openstack-dev] [Keystone] Trusts and Explicit Impersonation

Mark Washenberger mark.washenberger at markwash.net
Mon Dec 10 18:36:04 UTC 2012


David, Adam, (other Trusts/Auth folks...),

Any thoughts on this?

Thanks!


>> From: Mark Washenberger [mailto:mark.washenberger at markwash.net]
>> Sent: Friday, December 07, 2012 8:53 PM
>> To: OpenStack Development Mailing List
>> Subject: [openstack-dev] Trusts and Explicit Impersonation
>>
>> Hi auth guys!
>>
>> As we continue to make progress towards large service providers exposing
>> their Glance deployments as public services, one critical feature we need to
>> support is the ability to limit certain actions (mostly image uploads, also
>> possibly image downloads) to use by Nova or other trusted services, and
>> restrict users from taking those actions directly. Of course, this feature
>> would only be turned on by configuration, and not likely by default.
>>
>> I had figured we could do this using some features piggy-backed on
>> Keystone PKI, and documented the use case in this blueprint:
>> https://blueprints.launchpad.net/keystone/+spec/keystone-explicit-impersonation
>>
>> I've been following the discussion of Keystone Trusts with interest, and
>> some questions have presented themselves. Is there some way we could
>> manipulate the Trust mechanism to provide the auth feature Glance needs?
>> Another (scarier for me) question: does the Trusts proposal conflict with my
>> feature request?
>>
>> Thanks!
>>
>> Mark


