<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Tue, Sep 3, 2013 at 5:52 PM, Steven Hardy <span dir="ltr"><<a href="mailto:shardy@redhat.com" target="_blank">shardy@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi,<br>
<br>
I have a question for the keystone folks re the expected behavior when<br>
deleting a trust.<br>
<br>
Is it expected that you can only ever delete a trust as the user who<br>
created it, and that you can *not* delete the trust when impersonating that<br>
user using a token obtained via that trust?<br></blockquote><div><br></div><div>We have some tests in keystone somewhat related to this scenario, but nothing that asserts that specific behavior-</div><div><br></div><div>
<a href="https://github.com/openstack/keystone/blob/master/keystone/tests/test_auth.py#L737-L763">https://github.com/openstack/keystone/blob/master/keystone/tests/test_auth.py#L737-L763</a></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
The reason for this question, is for the Heat use-case, this may represent<br>
a significant operational limitation, since it implies that the user who<br>
creates the stack is the only one who can ever delete it.<br></blockquote><div><br></div><div>I don't follow this implication-- can you explain further? I don't see how the limitation above (if it exists) would impact this behavior or be a blocker for the design below.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Current Heat behavior is to allow any user in the same tenant, provided<br>
they have the requisite roles, to delete the stack</blockquote><div><br></div><div>That seems like a reasonable design. With trusts, any user who has been delegated the requisite role on the same tenant should be able to delete the stack.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">which AFAICT atm will<br>
not be possible when using trusts.<br></blockquote><div><br></div><div>Similar to the above, I don't understand how trusts presents a blocker?</div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Clarification as to whether this is as-designed or a bug somewhere much<br>
appreciated, thanks!<br>
<br>
Steve<br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div><br></div>-Dolph
</div></div>