[openstack-dev] [tc][appcat] The future of the App Catalog
Jay Pipes
jaypipes at gmail.com
Wed Mar 15 18:41:57 UTC 2017
On 03/15/2017 01:21 PM, Fox, Kevin M wrote:
> Other OpenStack subsystems (such as Heat) handle this with Trusts. A service account is made in a different, usually SQL backed Keystone Domain and a trust is created associating the service account with the User.
>
> This mostly works but does give the trusted account a lot of power, as the roles by default in OpenStack are pretty coarse grained. That should be solvable though.
I didn't think Keystone trusts and Keystone federation were compatible
with each other, though? Did that change recently?
Best,
-jay
More information about the OpenStack-dev
mailing list