On 06/08/2025 10:19, Bram Kranendonk wrote:
Hi folks,
I’m looking for a way to execute actions using Admin User X for Regular User Y. I came across the OS-TRUST extension with the impersonation flag, but this does not allow for an admin user to create trusts as another trustor. Are there other ways to accomplish such a feature in Keystone?
In general that is often considered request forgery, as there is some data that even admins should not be able to access; the classic example is the value of a secret stored in Barbican. If such a feature exists in Keystone, the audit trail needs to be very explicit. I hope this is not currently a thing, because Nova and other services have no concept of one user impersonating another, and that would lead to us logging the request as if it came from user Y instead of the fact that it was user X pretending to be Y. For services like Barbican it could be considered a security bug unless the impersonation is done via an explicit parameter on the token that the service can detect and use policy to block.
Thanks in advance,
Bram Kranendonk
OpenStack Engineer
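The reply above asks for two things from any impersonation mechanism: an audit trail that records the real caller rather than the impersonated user, and an explicit marker on the token that a sensitive service such as Barbican can detect and block by policy. The following added example (written for this page, not code from the thread, Keystone, or Barbican) shows how a service could do both for the one impersonation mechanism Keystone already has, trust-scoped tokens. It assumes the documented Keystone v3 token layout: a trust-scoped token carries an `OS-TRUST:trust` object with `id`, `impersonation`, `trustor_user` and `trustee_user`, and when `impersonation` is true the top-level `user` is the trustor rather than the trustee. The token bodies, user IDs and trust IDs below are constructed sample data.

```python
"""Added example: derive an audit identity from a Keystone v3 token body
that may be trust-scoped, so a service can log "trustee X acting as
trustor Y" and, for a secret store, refuse impersonated tokens outright.

Assumed token layout (Keystone v3): a trust-scoped token carries an
"OS-TRUST:trust" object with "id", "impersonation", "trustor_user" and
"trustee_user"; when impersonation is true the top-level "user" is the
trustor, otherwise it is the trustee.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuditIdentity:
    actor_user_id: str        # who actually holds the credential (the trustee)
    effective_user_id: str    # the identity the request is executed as
    trust_id: Optional[str]   # None when the token is not trust-scoped
    impersonation: bool

    @property
    def is_impersonated(self) -> bool:
        # Only an impersonating trust makes the actor differ from the effective user.
        return self.impersonation and self.actor_user_id != self.effective_user_id

    def audit_line(self) -> str:
        """Audit record that never hides the real caller behind the impersonated one."""
        if self.trust_id is None:
            return f"user={self.effective_user_id}"
        if self.is_impersonated:
            return (f"user={self.effective_user_id} acting_user={self.actor_user_id} "
                    f"trust={self.trust_id} impersonation=true")
        return f"user={self.effective_user_id} trust={self.trust_id} impersonation=false"


def audit_identity(token_body: dict) -> AuditIdentity:
    """Map a validated token body to (actor, effective user, trust, impersonation)."""
    tok = token_body["token"]
    effective = tok["user"]["id"]
    trust = tok.get("OS-TRUST:trust")
    if trust is None:
        return AuditIdentity(effective, effective, None, False)
    impersonation = bool(trust.get("impersonation", False))
    trustee = trust["trustee_user"]["id"]
    return AuditIdentity(trustee, effective, trust["id"], impersonation)


def allow_request(token_body: dict, allow_impersonation: bool) -> bool:
    """Policy hook: a secret store would call this with allow_impersonation=False
    so that a token impersonating the secret owner cannot read the payload."""
    return allow_impersonation or not audit_identity(token_body).is_impersonated


# Constructed sample tokens (hypothetical IDs), shaped like Keystone v3 responses.
PLAIN_TOKEN = {"token": {"user": {"id": "user-x"}, "project": {"id": "proj-1"}}}
IMPERSONATING_TRUST_TOKEN = {"token": {
    "user": {"id": "user-y"},            # trustor surfaces as the user
    "project": {"id": "proj-1"},
    "OS-TRUST:trust": {"id": "trust-1", "impersonation": True,
                       "trustor_user": {"id": "user-y"},
                       "trustee_user": {"id": "user-x"}}}}
DELEGATED_TRUST_TOKEN = {"token": {
    "user": {"id": "user-x"},            # trustee stays the user
    "project": {"id": "proj-1"},
    "OS-TRUST:trust": {"id": "trust-2", "impersonation": False,
                       "trustor_user": {"id": "user-y"},
                       "trustee_user": {"id": "user-x"}}}}

if __name__ == "__main__":
    for t in (PLAIN_TOKEN, IMPERSONATING_TRUST_TOKEN, DELEGATED_TRUST_TOKEN):
        print(audit_identity(t).audit_line(),
              "| secret_store_allows:", allow_request(t, allow_impersonation=False))
```

The point of `audit_line` is the one made in the reply: for the impersonating trust the log still names `user-x` as the acting user, so the record is not written as if it came from `user-y`. `allow_request` is the policy-side counterpart; it works only because the impersonation marker is explicit in the token, which is exactly the property the reply says any new admin-acts-as-user feature would need.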