[openstack-dev] [Solum][Keystone] Best practices for storing keystone trusts information

Lance D Bragstad ldbragst at us.ibm.com
Fri Jan 17 18:31:06 UTC 2014


Hi Georgy,

The following might help with some of the trust questions you have, if you
haven't looked at it already:
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md


As far as storage implementation, trust uses sql and kvs backends. Trusts
can be given an expiration but if an expiration is not given the trust is
valid until it is explicitly revoked (taken from the link above):

  Optionally, the trust may only be valid for a specified time period, as
defined by expires_at. If no expires_at is specified, then the trust is
valid until it is explicitly revoked.

Trusts can also be given 'uses' so that you can set a limit to how many
times a trust will issue a token to the trustee. That functionality hasn't
landed yet but it is up for review: https://review.openstack.org/#/c/56243/

Hope this helps!


Best Regards,

Lance Bragstad




From:	Georgy Okrokvertskhov <gokrokvertskhov at mirantis.com>
To:	OpenStack Development Mailing List
            <openstack-dev at lists.openstack.org>,
Date:	01/17/2014 12:11 PM
Subject:	[openstack-dev] [Solum][Keystone] Best practices for storing
            keystone trusts information



Hi,

In Solum project we want to use Keystone trusts to work with other
OpenStack services on behalf of user. Trusts are long term entities and a
service should keep them for a long time.

I want to understand what are best practices for working with trusts and
storing them in a service?

What are the options to keep trust? I see obvious approaches like keep them
in a service DB or keep them in memory. Are there any other approaches?

Is there a proper way to renew trust? For example if I have a long term
task which is waiting for external event, how to keep trust fresh for a
long and unpredicted period?

Thanks
Georgy
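To make the points in the exchange concrete (a trust carries its own expires_at and is otherwise valid until revoked, a service stores the trust rather than a token, and a trust-scoped token is requested per task), here is an added example. It is not Solum or Keystone code: the request bodies follow the OS-TRUST extension document linked above, `TrustStore` is a hypothetical in-memory stand-in for a service database table, and no Keystone endpoint is contacted. The "uses" limit Lance mentions is left out because it had not landed at the time.

```python
"""Added example of the Keystone v3 OS-TRUST workflow a delegating service
would follow.  Request/response shapes follow the OS-TRUST extension
document; TrustStore is a hypothetical stand-in for a service DB table."""
import datetime

ISO = "%Y-%m-%dT%H:%M:%S.%fZ"


def iso_to_dt(value):
    """Parse the ISO 8601 UTC timestamp Keystone returns in expires_at."""
    return datetime.datetime.strptime(value, ISO)


def build_trust_request(trustor_id, trustee_id, project_id, role_names,
                        expires_at=None, impersonation=False):
    """Body for POST /v3/OS-TRUST/trusts.

    Delegate only the roles the job needs.  Omit expires_at only when the
    trust is meant to live until it is explicitly revoked."""
    trust = {
        "trustor_user_id": trustor_id,
        "trustee_user_id": trustee_id,
        "project_id": project_id,
        "impersonation": impersonation,
        "roles": [{"name": name} for name in role_names],
    }
    if expires_at is not None:
        trust["expires_at"] = expires_at.strftime(ISO)
    return {"trust": trust}


def build_trust_scoped_auth(trustee_token, trust_id):
    """Body for POST /v3/auth/tokens: the trustee exchanges its own token
    for a short-lived token scoped to the trust, one per task."""
    return {"auth": {
        "identity": {"methods": ["token"], "token": {"id": trustee_token}},
        "scope": {"OS-TRUST:trust": {"id": trust_id}},
    }}


class TrustStore(object):
    """Hypothetical service-side record of delegated trusts.

    Only the trust id and its expiry are persisted; trust-scoped tokens are
    re-issued from the trust whenever a task needs one, so storing tokens
    (and the larger blast radius of a leaked token) is avoided."""

    def __init__(self):
        self._rows = {}

    def save(self, owner, trust_id, expires_at):
        self._rows[owner] = {"trust_id": trust_id, "expires_at": expires_at}

    def lookup(self, owner, now):
        """Return the trust id if it is still usable, else None.

        The extension defines no update call for a trust, so an expired
        trust is replaced by asking the trustor to create a new one."""
        row = self._rows.get(owner)
        if row is None:
            return None
        if row["expires_at"] is not None and now >= row["expires_at"]:
            return None
        return row["trust_id"]

    def revoke_request(self, owner):
        """Forget the row and return the path for
        DELETE /v3/OS-TRUST/trusts/{trust_id} (explicit revocation)."""
        row = self._rows.pop(owner)
        return "/v3/OS-TRUST/trusts/%s" % row["trust_id"]
```

For a long-running task waiting on an external event, the store checks `expires_at` before each attempt to obtain a trust-scoped token; if the trust has lapsed, the task is parked until the user delegates again rather than the service holding a never-expiring trust for everyone.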