[openstack-dev] [keystone] on-behalf-of proxy identities for applications running in-instance

Eoghan Glynn eglynn at redhat.com
Wed Oct 10 10:26:08 UTC 2012


Folks,

One to think about in advance of any keystone roadmap discussions
at the summit ...

As we build out the infrastructure, it's likely there will be more
and more cases where applications running on instances will need
to access openstack services securely (for example to use a
notification, or queueing, or metrics service).

It would be great if keystone provided support for provisioning
some form of proxy identity to instances that would allow the apps
running in-instance to make API calls on behalf of the instance
owner, within some constraints (on the services that may be invoked
on).

Similar, basically, to the flexibility that AWS IAM roles provide
currently.

I don't know if this is even feasible within the current set of
keystone capabilities and the fairly static policy.json setup.
However, if it is do-able, it might be a good feature to discuss
for future roadmap consideration.

Cheers,
Eoghan


