[openstack-dev] [OSSG] [keystone] Trusts: delegation and impersonation
Adam Young
ayoung at redhat.com
Tue Mar 19 15:13:36 UTC 2013
On 03/19/2013 05:06 AM, Chmouel Boudjnah wrote:
> On Sun, Mar 17, 2013 at 2:35 AM, Adam Young <ayoung at redhat.com> wrote:
>> Not allowing impersonation is probably the right thing in the abstract, but
>> due to the way Swift in particular manages ownership, which is at the per
>> user level, the attribute that needs to be delegated is, unfortunately, the
>> user_id of the owner of the object. Systems are currently built around
>> users surrendering control of their password just as you state above.
>> Impersonation is a step in the right direction. I would be happy to remove
>> the impersonation aspect of trusts once it is no longer needed.
> I can confirm that we are using impersonation in Swift while using the
> reseller_admin feature, I would be happy to adapt it in keystoneauth
> to trusts when this is implemented.
Trusts has been implemented. Aside from the documentation, you can find
decent examples in our unit tests for creating trusts with and without
impersonation. test/test_v3_auth.py
>
> As far as the audit trail goes, we are just logging the impersonation in
> the log which I believe should be just enough, ideally we could store
> it in a metadata (i.e: X-Container/Object/Account-Meta-Modified-By: )
> something not too hard to do via a middleware.
>
> Chmouel.
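The audit-metadata middleware suggested in the quoted reply, as an added example (not part of the original message, and not Swift or Keystone code). It assumes an upstream auth middleware sets X-User-Id to the user the token acts as, and a hypothetical X-Trustee-User-Id header to the trustee when a trust with impersonation is in use; stamped_environ is a helper for feeding it constructed requests. Any client-supplied Modified-By value is discarded so the trail cannot be forged.

```python
# Added example: WSGI filter that stamps Swift write requests with an
# audit header. Not Swift or Keystone code.
WRITE_METHODS = ("PUT", "POST")
LEVELS = {2: "ACCOUNT", 3: "CONTAINER"}  # /v1/acct, /v1/acct/cont; deeper is an object


def audit_key(path):
    """WSGI environ key of the X-<Level>-Meta-Modified-By header for a Swift path."""
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2:
        return None
    return "HTTP_X_%s_META_MODIFIED_BY" % LEVELS.get(len(parts), "OBJECT")


class ModifiedByAudit(object):
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Drop whatever the client sent: the audit value must come from auth data only.
        for key in [k for k in environ
                    if k.startswith("HTTP_X_") and k.endswith("_META_MODIFIED_BY")]:
            del environ[key]
        key = audit_key(environ.get("PATH_INFO", ""))
        effective = environ.get("HTTP_X_USER_ID")        # user the token acts as
        actor = environ.get("HTTP_X_TRUSTEE_USER_ID")    # hypothetical header (assumption)
        if environ.get("REQUEST_METHOD") in WRITE_METHODS and key and effective:
            if actor and actor != effective:
                environ[key] = "%s as %s" % (actor, effective)
            else:
                environ[key] = effective
        return self.app(environ, start_response)


def stamped_environ(method, path, headers):
    """Run one constructed request through the filter; return what the next app sees."""
    seen = {}

    def app(environ, start_response):
        seen.update(environ)
        return [b""]
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    environ.update(headers)
    ModifiedByAudit(app)(environ, None)
    return seen
```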