[openstack-dev] [keystone] [trusts] [all] How trusts should work by design?

Nikolay Makhotkin nmakhotkin at mirantis.com
Mon Feb 16 13:10:50 UTC 2015


Hello,

I decided to start a new thread because there were too many technical
details in the old thread.
(See the thread *[openstack-dev] [keystone] [nova]*.)

*The problem:* Trusts cannot be used to retrieve a token for further work
with python-<project>client.

I did some research on the use cases for trusts. The main goal of trusts is
clear to me: delegation of privileges of one user to another for a specific
time (or limitless). But if I get a trust and then get a token from it, it
cannot be used in any python-client. The reason why this happens is the
'authenticate' method in almost all python-clients. This method requests
keystone for authentication and gets a new auth token. But in the case of a
trust-scoped token it can't be true - this method always returns '403
Forbidden' [1]

*The question:* Is there a way to create a trust and use it for requests to
any other service? E.g., we can get a token from a trust and use it (but
actually, we are not).

Or am I misunderstanding the purpose of trusts? How should trusts work?


[1]
https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L154-L156


Best Regards,
Nikolay Makhotkin
@Mirantis
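
A simplified model of the behaviour described in the post, added here as an example (it is not keystone or python-client code, and every class and method name is hypothetical): a token obtained from a trust carries only the delegated roles, and the identity service refuses to exchange it for a new token, which is the step a client-side 'authenticate' call performs.

```python
# Toy model only; names are hypothetical and nothing here is keystone's API.
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


class Forbidden(Exception):
    """Stands in for the HTTP 403 reported in the post."""


@dataclass(frozen=True)
class Trust:
    trustor: str
    trustee: str
    roles: frozenset
    expires_at: Optional[datetime] = None  # None means no time limit


@dataclass
class ToyIdentity:
    tokens: dict = field(default_factory=dict)

    def _issue(self, user, roles, trust=None):
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = {"user": user, "roles": frozenset(roles), "trust": trust}
        return token_id

    def password_auth(self, user, roles):
        # Credential checking is out of scope for this model.
        return self._issue(user, roles)

    def token_from_trust(self, trustee_token, trust):
        if self.tokens[trustee_token]["user"] != trust.trustee:
            raise Forbidden("only the trustee may consume the trust")
        if trust.expires_at and trust.expires_at <= datetime.now(timezone.utc):
            raise Forbidden("trust expired")
        # The delegated token carries only the roles named in the trust.
        return self._issue(trust.trustee, trust.roles, trust=trust)

    def reauthenticate(self, token_id):
        # What a client 'authenticate' call does: trade a token for a new one.
        current = self.tokens[token_id]
        if current["trust"] is not None:
            raise Forbidden("trust-scoped token cannot be exchanged")
        return self._issue(current["user"], current["roles"])

    def validate(self, token_id):
        # What a service does when the token is presented to it directly.
        return self.tokens[token_id]
```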