[openstack-dev] [Keystone] Trusts and Explicit Impersonation

Adam Young ayoung at redhat.com
Mon Dec 10 20:14:52 UTC 2012


On 12/10/2012 02:41 PM, Mark Washenberger wrote:
> So, in the case of this feature, the trustor (end user) is going to
> delegate to the trustee (Glance) a role that the trustor himself does
> not have? (Namely, some role that allows image uploads.) That seems to
> violate the spirit of the spec.
Nope.  The user needs to have the role in the first place.
> I must be missing something. Thanks in advance for correcting me!
Why would the user not have the role?
>
> markwash
>
> On Mon, Dec 10, 2012 at 10:56 AM, Yee, Guang <guang.yee at hp.com> wrote:
>> I think the current trust BP should cover your use case.
>>
>> http://wiki.openstack.org/Keystone/Trusts
>>
>> In your case, the trustee would be Image Service or endpoint.
>>
>>
>> Guang
>>
>>
>> -----Original Message-----
>> From: Mark Washenberger [mailto:mark.washenberger at markwash.net]
>> Sent: Monday, December 10, 2012 10:36 AM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] [Keystone] Trusts and Explicit Impersonation
>>
>> David, Adam, (other Trusts/Auth folks. . .),
>>
>> Any thoughts on this?
>>
>> Thanks!
>>
>>
>>>> From: Mark Washenberger [mailto:mark.washenberger at markwash.net]
>>>> Sent: Friday, December 07, 2012 8:53 PM
>>>> To: OpenStack Development Mailing List
>>>> Subject: [openstack-dev] Trusts and Explicit Impersonation
>>>>
>>>> Hi auth guys!
>>>>
>>>> As we continue to make progress towards large service providers exposing
>>>> their Glance deployments as public services, one critical feature we need
>>>> to support is the ability to limit certain actions (mostly image uploads,
>>>> also possibly image downloads) to use by Nova or other trusted services, and
>>>> restrict users from taking those actions directly. Of course, this feature
>>>> would only be turned on by configuration, and not likely by default.
>>>>
>>>> I had figured we could do this using some features piggy-backed on
>>>> keystone pki, and documented the use case in this blueprint:
>>>>
>>>> https://blueprints.launchpad.net/keystone/+spec/keystone-explicit-impersonation
>>>>
>>>> I've been following the discussion of Keystone Trusts with interest, and
>>>> some questions have presented themselves. Is there some way we could
>>>> manipulate the Trust mechanism to provide the auth feature Glance needs?
>>>> Another (scarier for me) question: does the Trusts proposal conflict with
>>>> my feature request?
>>>>
>>>> Thanks!
>>>>
>>>> Mark
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
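Adam's answer turns on one invariant of the trust design: a trustor can only delegate roles it already holds, so Glance (or Nova) redeeming a trust never gains anything the end user lacks. The following is an added illustrative model of that rule, written for this page; it is not Keystone's or Glance's code and does not follow the trust API's real request format. Assumed, not stated in the thread: a trust records trustor, trustee, project, delegated roles and an impersonation flag; a token redeemed through a trust carries a "trust" field; the Glance-side switch in upload_allowed that refuses uploads from plain (non-trust) tokens is a hypothetical sketch of Mark's configuration option, and the behaviour on role revocation is the model's choice.

```python
# Added illustrative model of Keystone-style trust delegation; not Keystone's or
# Glance's code. Assumed (not from the thread): a trust records trustor, trustee,
# project, delegated roles and an impersonation flag; creation fails if the
# trustor lacks any delegated role on the project; a token redeemed through a
# trust carries a "trust" field that a service-side policy can inspect.
from dataclasses import dataclass


class TrustError(Exception):
    """Raised when a trust cannot be created or redeemed."""


@dataclass(frozen=True)
class Trust:
    trustor: str
    trustee: str
    project: str
    roles: frozenset
    impersonation: bool


class Keystone:
    """Toy identity service: role assignments plus trust creation and redemption."""

    def __init__(self):
        self.assignments = {}  # (user, project) -> set of roles
        self.trusts = {}       # trust_id -> Trust

    def grant(self, user, project, role):
        self.assignments.setdefault((user, project), set()).add(role)

    def revoke(self, user, project, role):
        self.assignments.get((user, project), set()).discard(role)

    def roles_of(self, user, project):
        return frozenset(self.assignments.get((user, project), set()))

    def create_trust(self, trustor, trustee, project, roles, impersonation=False):
        """Trustor delegates a subset of the roles it already holds on the project."""
        missing = set(roles) - self.roles_of(trustor, project)
        if missing:
            raise TrustError(f"{trustor} does not hold {sorted(missing)} on {project}")
        trust_id = f"trust-{len(self.trusts) + 1}"
        self.trusts[trust_id] = Trust(trustor, trustee, project, frozenset(roles), impersonation)
        return trust_id

    def token_from_trust(self, trustee, trust_id):
        """Trustee redeems the trust. If the trustor has since lost a delegated
        role the trust is no longer honoured (this model's choice)."""
        trust = self.trusts.get(trust_id)
        if trust is None or trust.trustee != trustee:
            raise TrustError("no such trust for this trustee")
        if not trust.roles <= self.roles_of(trust.trustor, trust.project):
            raise TrustError("trustor no longer holds every delegated role")
        return {
            "user": trust.trustor if trust.impersonation else trustee,
            "project": trust.project,
            "roles": trust.roles,
            "trust": {"id": trust_id, "trustor": trust.trustor, "trustee": trustee},
        }

    def token_direct(self, user, project):
        """Ordinary token: the user's own roles, no trust scope."""
        return {"user": user, "project": project, "roles": self.roles_of(user, project), "trust": None}


def upload_allowed(token, restrict_to_trusted=True):
    """Hypothetical Glance-side policy: uploads need the image_upload role and,
    when the restriction is switched on, a token obtained through a trust."""
    if "image_upload" not in token["roles"]:
        return False
    if restrict_to_trusted and token["trust"] is None:
        return False
    return True


def scenario():
    """Constructed walk-through; returns the outcomes so they can be checked."""
    ks = Keystone()
    ks.grant("alice", "proj-a", "member")
    ks.grant("alice", "proj-a", "image_upload")
    ks.grant("bob", "proj-a", "member")

    out = {}
    tid = ks.create_trust("alice", "nova", "proj-a", {"image_upload"}, impersonation=True)
    via_trust = ks.token_from_trust("nova", tid)
    out["trust_token_user"] = via_trust["user"]  # impersonation: nova acts as alice
    out["upload_via_trust"] = upload_allowed(via_trust)
    out["upload_direct"] = upload_allowed(ks.token_direct("alice", "proj-a"))
    out["upload_direct_unrestricted"] = upload_allowed(ks.token_direct("alice", "proj-a"), False)

    try:  # bob holds only "member": he cannot hand nova a role he lacks
        ks.create_trust("bob", "nova", "proj-a", {"image_upload"})
        out["bob_delegation_rejected"] = False
    except TrustError:
        out["bob_delegation_rejected"] = True

    ks.revoke("alice", "proj-a", "image_upload")
    try:  # the delegation does not outlive the trustor's own assignment
        ks.token_from_trust("nova", tid)
        out["redeem_after_revoke_rejected"] = False
    except TrustError:
        out["redeem_after_revoke_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The two rejections in scenario() are the security-relevant checks: bob cannot delegate image_upload because he never held it, and once alice loses the role the trust she created stops yielding it. Whether Glance should additionally refuse direct user tokens (the restrict_to_trusted switch) is exactly the open question in the thread; the model only shows that such a check is expressible on top of trust-scoped tokens, not that the trust blueprint provides it.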
