<div dir="ltr">@Renat, They are conceptually different:<div>- regular tokens are created for the owner of addressed resource</div><div>- trust scoped tokens are for trustees and have some security restrictions.</div><div>The case is about disallowing a trustee to aquire a regular token allowing him anything the trustor is allowed. It'd be an exploit.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 19, 2015 at 9:01 AM, Renat Akhmerov <span dir="ltr"><<a href="mailto:rakhmerov@mirantis.com" target="_blank">rakhmerov@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<span class=""><br>
<br>
> On 18 Feb 2015, at 23:54, Nikolay Makhotkin <<a href="mailto:nmakhotkin@mirantis.com">nmakhotkin@mirantis.com</a>> wrote:<br>
><br>
> Nova client's CLI parameter 'bypass_url' helps me. The client's API also has 'management_url' attribute, if this one is specified - the client doesn't reauthenticate. Also the most of clients have 'endpoint' argument, so client doesn't make extra call to keystone to retrieve new token and service_catalog.<br>
><br>
> Thank you for clarification!<br>
<br>
<br>
</span>I want to say an additional “thank you” from me for helping us solve this problem that’s been around for a while.<br>
<br>
And just a small conceptual question: in my understanding since trust chaining has already landed this kind of reauthentication doesn’t make a lot of sense to me. Isn’t trust chaining supposed to mean that trust-scoped tokens a regular tokens should be considered equal? Or we should still assume that trust scoped tokens are sort of limited? If yes then how exactly they must be understood?<br>
<br>
<br>
Thanks!<br>
<span class="im HOEnZb"><br>
Renat Akhmerov<br>
@ Mirantis Inc.<br>
<br>
<br>
</span><div class="HOEnZb"><div class="h5">__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Kind Regards,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Alexander Makarov,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Senoir Software Developer,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Mirantis, Inc.</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">35b/3, Vorontsovskaya St., 109147, Moscow, Russia</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Tel.: +7 (495) 640-49-04</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Tel.: +7 (926) 204-50-60</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Skype: MAKAPOB.AJIEKCAHDP</font><br></div></div>
</div>