[openstack-dev] [Keystone] Token Preauthentication

Adam Young ayoung at redhat.com
Tue Oct 16 17:05:33 UTC 2012


On 10/15/2012 09:34 AM, Ian Main wrote:
> For the Heat API use case it can't be one shot.  We will require
> failover operations for the length of the stack.  Who knows how many
> times we might need to perform these actions.

A preauth will allow multiple tokens to be fetched for a user. A 
preauth will not have a time limit (although we may want to add that on in 
the future).


> Also to be clear the failure actions right now involve destroying and
> recreating the instances involved (the entire stack).  One of the big
> issues is that this should be done as the user that originally created
> it so that we can maintain quota and billing information.

The actions performed must be limited by the policy and then the RBAC 
enforcement.

> There is also a concern that the stack may outlive the keystone user.
> I'm not sure this is to be handled with this scheme.
No, once a Keystone user is gone, all their tokens will be invalidated, 
including ones created by preauth, and all preauths for that user 
will be invalidated.
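The semantics described in this thread (a preauth with no expiry from which a service fetches as many tokens as it needs, actions gated by policy and then RBAC, and deletion of the user cascading to every preauth and every token derived from one) can be captured in a small in-memory model. The code below is an added illustration written for this page, not Keystone code; the class, method and policy names are assumptions chosen for the example.

```python
"""Toy model of preauth tokens, written for this page (not Keystone's code).

A preauth is long-lived and lets a service (e.g. Heat) fetch fresh tokens
for the originating user repeatedly; each action is checked against policy
and then against the user's roles; deleting the user invalidates every
preauth and every token that was issued for that user.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Token:
    token_id: str
    user_id: str
    preauth_id: Optional[str]  # set when the token was fetched via a preauth


class PreauthRegistry:
    """Hypothetical in-memory store of users, preauths, tokens and policy."""

    def __init__(self, policy: Dict[str, Set[str]]):
        self.policy = policy                          # action -> roles allowed
        self.users: Dict[str, FrozenSet[str]] = {}    # user_id -> roles
        self.preauths: Dict[str, str] = {}            # preauth_id -> user_id
        self.tokens: Dict[str, Token] = {}            # token_id -> Token
        self.revoked: Set[str] = set()                # token ids no longer valid

    def create_user(self, user_id: str, roles) -> None:
        self.users[user_id] = frozenset(roles)

    def create_preauth(self, user_id: str) -> str:
        """Create a preauth for a user. It has no expiry time in this model."""
        if user_id not in self.users:
            raise KeyError(f"unknown user {user_id}")
        preauth_id = secrets.token_hex(16)
        self.preauths[preauth_id] = user_id
        return preauth_id

    def issue_token(self, preauth_id: str) -> Token:
        """Fetch a fresh token from a preauth; may be called any number of times."""
        user_id = self.preauths.get(preauth_id)
        if user_id is None:
            raise PermissionError("preauth is unknown or has been invalidated")
        token = Token(secrets.token_hex(16), user_id, preauth_id)
        self.tokens[token.token_id] = token
        return token

    def validate(self, token_id: str) -> bool:
        return token_id in self.tokens and token_id not in self.revoked

    def authorize(self, token_id: str, action: str) -> bool:
        """Policy first (is the action defined?), then RBAC on the user's roles."""
        if not self.validate(token_id):
            return False
        allowed = self.policy.get(action)
        if allowed is None:
            return False  # action not covered by policy: deny by default
        roles = self.users.get(self.tokens[token_id].user_id, frozenset())
        return bool(roles & allowed)

    def delete_user(self, user_id: str) -> None:
        """Cascade: every preauth and every token for the user is invalidated."""
        self.users.pop(user_id, None)
        for pid in [p for p, u in self.preauths.items() if u == user_id]:
            del self.preauths[pid]
        for tid, tok in self.tokens.items():
            if tok.user_id == user_id:
                self.revoked.add(tid)


# Constructed sample policy: action -> roles permitted to perform it.
POLICY = {
    "stack:create": {"heat_stack_owner", "admin"},
    "stack:delete": {"heat_stack_owner", "admin"},
    "user:delete": {"admin"},
}


def demo():
    """Walk through the lifecycle and return the observed validity/authz results."""
    reg = PreauthRegistry(POLICY)
    reg.create_user("alice", {"heat_stack_owner"})
    pre = reg.create_preauth("alice")
    t1, t2 = reg.issue_token(pre), reg.issue_token(pre)   # several tokens, one preauth
    before = (reg.validate(t1.token_id), reg.validate(t2.token_id),
              reg.authorize(t1.token_id, "stack:delete"),
              reg.authorize(t1.token_id, "user:delete"))
    reg.delete_user("alice")
    after = (reg.validate(t1.token_id), reg.validate(t2.token_id), pre in reg.preauths)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both preauth-derived tokens valid and the stack action permitted while the user exists, the admin-only action denied by RBAC, and every token and the preauth itself dead once the user is deleted; a further `issue_token` on the old preauth raises `PermissionError`.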
