[openstack-dev] [keystone] design summit outcomes

Steven Hardy shardy at redhat.com
Thu Nov 14 15:03:34 UTC 2013

On Wed, Nov 13, 2013 at 10:04:04AM -0600, Dolph Mathews wrote:
> I guarantee there's a few things I'm forgetting, but this is my collection
> of things we discussed at the summit and determined to be good things to
> pursue during the icehouse timeframe. The contents represent a high level
> mix of etherpad conclusions and hallway meetings.
> https://gist.github.com/dolph/7366031

Looks good, but I have some feedback on items which were discussed (either
in the delegation session or in the hallway with ayoung/jlennox), and are
high priority for Heat, I don't see these captured in the page above:

- Need a way to create a secret derived from a trust (natively, not via
  ec2tokens extension), and it needs to be configurable such that it
  won't expire, or has a very long expiry time. ayoung mentioned a
  credential mechanism, but I'm not sure which BP he was referring to, so
  clarification appreciated.

- We need a way to get the role-tenant pairs (not just the tenant-less
  role list) into the request context, so we can correctly scope API
  requests.  I raised this bug:


  Related to this thread (reminder - which you said you'd respond to ;):


  This topic came up again today related to tenant-scoped nova flavors:


  Closely related to this bug I think:


  I'd welcome discussion on how we solve the request-scoping issue
  openstack-wide, currently I'm thinking we need the role-tenant pairs (and
  probably role-domain pairs) in the request context, so we can correctly
  filter in the model_query when querying the DB while servicing the
  API request.



More information about the OpenStack-dev mailing list