[openstack-dev] [tc][appcat] The future of the App Catalog

Jay Pipes jaypipes at gmail.com
Wed Mar 15 18:41:57 UTC 2017

On 03/15/2017 01:21 PM, Fox, Kevin M wrote:
> Other OpenStack subsystems (such as Heat) handle this with Trusts. A service account is made in a different, usually SQL backed Keystone Domain and a trust is created associating the service account with the User.
> This mostly works but does give the trusted account a lot of power, as the roles by default in OpenStack are pretty coarse grained. That should be solvable though.

I didn't think Keystone trusts and Keystone federation were compatible 
with each other, though? Did that change recently?


More information about the OpenStack-dev mailing list