<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 12/24/2015 03:20 AM, 大塚元央 wrote:<br>
    </div>
    <blockquote
cite="mid:CAN_6Z10r98pw0U5pE8-spO7McGqhg+N9QQpXp2hmGgvtEnk=mQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi, Hua.
        <div><br>
        </div>
        <div>I agree with you if trust_id is secret.</div>
        <div>But I think trust_id is not a secret.</div>
      </div>
    </blockquote>
    <br>
    This is not correct.  Trust ID is only usable by the trustee user to
    get a token, and does not need to be treated as a secret.<br>
    <br>
    <blockquote
cite="mid:CAN_6Z10r98pw0U5pE8-spO7McGqhg+N9QQpXp2hmGgvtEnk=mQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><span style="color:rgb(0,0,0);font-family:sans-serif;font-size:small;white-space:pre-wrap">User can know trustee_user_name and trustee_password from k8s/swarm instances.</span></div>
        <div><span style="color:rgb(0,0,0);font-family:sans-serif;font-size:small;white-space:pre-wrap">If user knows about other user's trust_id, user can use another user's swift resources.</span></div>
        <div><span style="color:rgb(0,0,0);font-family:sans-serif;font-size:small;white-space:pre-wrap">This will be a security risk.</span><br>
        </div>
        <div><span style="color:rgb(0,0,0);font-family:sans-serif;font-size:small;white-space:pre-wrap">
</span></div>
        <div><span style="color:rgb(0,0,0);font-family:sans-serif;font-size:small;white-space:pre-wrap">Thanks</span></div>
        <div><span style="color:rgb(0,0,0);font-family:sans-serif;font-size:small;white-space:pre-wrap">-yuanying</span></div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Thu, Dec 24, 2015 at 16:49, 王华 &lt;<a
            moz-do-not-send="true"
            href="mailto:wanghua.humble@gmail.com">wanghua.humble@gmail.com</a>&gt; wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div dir="ltr">Hi all,
            <div><br>
            </div>
            <div>I want to create a trustee user for each bay [1]. The
              discussion for trust is in [2].</div>
            <div><br>
            </div>
            <div>Here is my solution:</div>
            <div>I don't create a user for each bay. All the bays, no
              matter who creates them, use the same user.</div>
            <div>But we create different trusts for the user for
              different bays. The user cannot access any service without
              the trust id. So there is no need to create a user for
              each bay. </div>
            <div><br>
            </div>
            <div><br>
            </div>
            <div>[1]<a moz-do-not-send="true"
href="https://blueprints.launchpad.net/magnum/+spec/create-trustee-user-for-each-bay"
                target="_blank">https://blueprints.launchpad.net/magnum/+spec/create-trustee-user-for-each-bay</a></div>
            <div>[2]<a moz-do-not-send="true"
                href="https://review.openstack.org/#/c/254705/"
                target="_blank">https://review.openstack.org/#/c/254705/</a></div>
            <div><br>
            </div>
            <div>Regards,</div>
            <div>Wanghua</div>
          </div>
__________________________________________________________________________<br>
          OpenStack Development Mailing List (not for usage questions)<br>
          Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
            rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
          <a moz-do-not-send="true"
            href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
            rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>