[openstack-dev] [tc][appcat] The future of the App Catalog
zbitter at redhat.com
Wed Mar 15 19:51:33 UTC 2017
On 15/03/17 14:41, Jay Pipes wrote:
> On 03/15/2017 01:21 PM, Fox, Kevin M wrote:
>> Other OpenStack subsystems (such as Heat) handle this with Trusts. A
>> service account is made in a different, usually SQL backed Keystone
>> Domain and a trust is created associating the service account with the
>> This mostly works but does give the trusted account a lot of power, as
>> the roles by default in OpenStack are pretty coarse grained. That
>> should be solvable though.
> I didn't think Keystone trusts and Keystone federation were compatible
> with each other, though?
You're correct, you have to pick one or the other.
> Did that change recently?
Nope. We did discuss it at the PTG:
More information about the OpenStack-dev