[openstack-dev] [tc][appcat] The future of the App Catalog

Zane Bitter zbitter at redhat.com
Wed Mar 15 19:51:33 UTC 2017


On 15/03/17 14:41, Jay Pipes wrote:
> On 03/15/2017 01:21 PM, Fox, Kevin M wrote:
>> Other OpenStack subsystems (such as Heat) handle this with Trusts. A
>> service account is made in a different, usually SQL backed Keystone
>> Domain and a trust is created associating the service account with the
>> User.
>>
>> This mostly works but does give the trusted account a lot of power, as
>> the roles by default in OpenStack are pretty coarse grained. That
>> should be solvable though.
>
> I didn't think Keystone trusts and Keystone federation were compatible
> with each other, though?

You're correct, you have to pick one or the other.

> Did that change recently?

Nope. We did discuss it at the PTG:

https://etherpad.openstack.org/p/pike-ptg-cross-project-federation

- ZB


