[openstack-dev] [Keystone] Trusts and Explicit Impersonation

Adam Young ayoung at redhat.com
Mon Dec 10 18:51:51 UTC 2012


On 12/10/2012 01:36 PM, Mark Washenberger wrote:
> David, Adam, (other Trusts/Auth folks. . .),
>
> Any thoughts on this?
>
> Thanks!
>
>
>>> From: Mark Washenberger [mailto:mark.washenberger at markwash.net]
>>> Sent: Friday, December 07, 2012 8:53 PM
>>> To: OpenStack Development Mailing List
>>> Subject: [openstack-dev] Trusts and Explicit Impersonation
>>>
>>> Hi auth guys!
>>>
>>> As we continue to make progress towards large service providers exposing
>>> their Glance deployments as public services, one critical feature we need to
>>> support is the ability to limit certain actions (mostly image uploads, also
>>> possibly image downloads) to use by Nova or other trusted services, and
>>> restrict users from taking those actions directly. Of course, this feature
>>> would only be turned on by configuration, and not likely by default.
>>>
>>> I had figured we could do this using some features piggy-backed on
>>> keystone pki, and documented the use case in this blueprint:
>>> https://blueprints.launchpad.net/keystone/+spec/keystone-explicit-impersonation

Yep, that is trusts.

>>>
>>> I've been following the discussion of Keystone Trusts with interest, and
>>> some questions have presented themselves. Is there some way we could
>>> manipulate the Trust mechanism to provide the auth feature Glance needs?
Yes, although remember the trust is going to provide a token with roles, and it is up to Glance policy to enforce the role-based access.
>>> Another (scarier for me) question: does the Trusts proposal conflict with my
>>> feature request?
No, it implements it.


BTW, your blueprint seems to also have a hint of the multifactor 
blueprint in it.
https://blueprints.launchpad.net/keystone/+spec/multi-factor-authn
>>>
>>> Thanks!
>>>
>>> Mark
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
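The arrangement Adam describes above (a trust yields a token carrying delegated roles, and Glance's policy enforces on those roles) as an added illustration; this is not code from the thread, Keystone or Glance, and the role table, the policy rule syntax and the `trust:required` term are assumptions made for the example:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed role assignments standing in for Keystone's (assumption).
USER_ROLES = {"alice": frozenset({"member"}), "nova": frozenset({"service"})}

@dataclass(frozen=True)
class Trust:
    trustor: str           # user delegating (e.g. an image owner)
    trustee: str           # service acting on their behalf (e.g. nova)
    roles: frozenset       # the subset of the trustor's roles being delegated
    expires: datetime

@dataclass(frozen=True)
class Token:
    user: str
    roles: frozenset
    trust: Optional[Trust] = None   # set only when issued through a trust

def issue_trust_token(trust: Trust, caller: str, now: datetime) -> Token:
    """Issue a trust-scoped token: the caller must be the trustee, the trust
    must be unexpired, and the delegated roles can never exceed the trustor's."""
    if caller != trust.trustee:
        raise PermissionError("only the trustee may consume this trust")
    if now >= trust.expires:
        raise PermissionError("trust has expired")
    if not trust.roles <= USER_ROLES[trust.trustor]:
        raise PermissionError("cannot delegate roles the trustor does not hold")
    return Token(user=trust.trustor, roles=trust.roles, trust=trust)

# Hypothetical Glance-style policy (not real Glance policy.json syntax).
# Terms are ANDed; 'trust:required' means "the token must be trust-scoped",
# which is how direct user uploads are refused while Nova-on-behalf-of-user
# uploads are allowed.
POLICY = {
    "add_image": "role:member and trust:required",
    "get_image": "role:member",
}

def enforce(action: str, token: Token) -> bool:
    """Return True when every term of the action's rule holds for the token."""
    for term in POLICY[action].split(" and "):
        kind, value = term.split(":", 1)
        if kind == "role" and value not in token.roles:
            return False
        if kind == "trust" and value == "required" and token.trust is None:
            return False
    return True
```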



