This is a feature that just landed in Grizzly which could certainly use some extra security-focused eyes. There are two use cases being addressed:

1) Scoped role delegation with optional impersonation: "I trust user X to perform role Y on project Z, optionally for some duration of time, and optionally while impersonating me."

2) Impersonation: "I trust user X to impersonate me, optionally for some duration of time."

In short, a trust is created by a trustor; the trustee must first authenticate as themselves, and then may consume the trust by specifying its ID (which is not necessarily a secret); the trustee then receives a token with the project and associated roles as specified by the trustor; the generated token may also reflect the trustor's identity, instead of the trustee's (but will contain an impersonation flag to indicate this behavior).

The original blueprint [1] outlines the goal of the feature and contains links to relevant patches. The Identity API v3 specification contains a fairly thorough overview of the final concept [2] along with examples for each of the related API calls [3].

The implementation is mostly housed in the keystone.trust package [4], although it also affects both v3 and v2 auth flows, in the keystone.auth [5] and keystone.token [6] packages, respectively.

[1]: https://blueprints.launchpad.net/keystone/+spec/trusts
[2]: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#trusts
[3]: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#trusts-1
[4]: https://github.com/openstack/keystone/tree/master/keystone/trust
[5]: https://github.com/openstack/keystone/tree/master/keystone/auth
[6]: https://github.com/openstack/keystone/tree/master/keystone/token

Thanks for all your hard work, Adam!

-Dolph
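The create-then-consume flow described above, as an added illustration that is not Keystone's own code (the real implementation is in the keystone.trust package linked from the message). It is a deliberately small in-memory model: a trustor can only delegate roles it actually holds on the project, the trust ID is treated as non-secret so the trustee's own authenticated identity is the gate, expiry is checked at consumption time, and the issued token carries the trustor's identity only when impersonation was requested, together with an explicit impersonation flag. The role re-check at consumption time and the token layout are choices made for this example, not behaviour the message asserts about Keystone.

```python
"""Toy model of a Keystone-style trust: create, then consume to mint a scoped token."""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple


class TrustError(Exception):
    """Raised when a trust cannot be created or consumed."""


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str
    trustee_user_id: str
    project_id: str
    roles: FrozenSet[str]
    impersonation: bool
    expires_at: Optional[float]  # epoch seconds; None means the trust does not expire


class TrustStore:
    """In-memory trust store. role_assignments maps (user_id, project_id) -> roles held."""

    def __init__(self, role_assignments: Dict[Tuple[str, str], Set[str]]):
        self._roles = role_assignments
        self._trusts: Dict[str, Trust] = {}

    def create_trust(self, trustor: str, trustee: str, project_id: str, roles: Iterable[str],
                     impersonation: bool = False, expires_in: Optional[float] = None,
                     now: float = 0.0) -> Trust:
        wanted = frozenset(roles)
        held = self._roles.get((trustor, project_id), set())
        # A trustor cannot hand out more than it has on the project.
        if not wanted <= held:
            raise TrustError("trustor may only delegate roles it holds on the project")
        expires_at = None if expires_in is None else now + expires_in
        trust = Trust(secrets.token_hex(16), trustor, trustee, project_id, wanted,
                      impersonation, expires_at)
        self._trusts[trust.trust_id] = trust
        return trust

    def consume_trust(self, authenticated_user: str, trust_id: str, now: float = 0.0) -> dict:
        trust = self._trusts.get(trust_id)
        if trust is None:
            raise TrustError("unknown trust")
        # The trust ID is not a secret; the caller's already-authenticated identity is what matters.
        if authenticated_user != trust.trustee_user_id:
            raise TrustError("only the designated trustee may consume this trust")
        if trust.expires_at is not None and now >= trust.expires_at:
            raise TrustError("trust has expired")
        # Example design choice: roles the trustor has lost since creation are not delegated.
        held_now = self._roles.get((trust.trustor_user_id, trust.project_id), set())
        if not trust.roles <= held_now:
            raise TrustError("trustor no longer holds the delegated roles")
        # With impersonation the token names the trustor; the flag always records that it did.
        token_user = trust.trustor_user_id if trust.impersonation else trust.trustee_user_id
        return {
            "user_id": token_user,
            "project_id": trust.project_id,
            "roles": sorted(trust.roles),
            "trust": {
                "id": trust.trust_id,
                "trustor_user_id": trust.trustor_user_id,
                "trustee_user_id": trust.trustee_user_id,
                "impersonation": trust.impersonation,
            },
        }


def demo() -> dict:
    """Run the flow on constructed data and report which misuse attempts were rejected."""
    store = TrustStore({("alice", "proj-1"): {"member", "admin"}, ("bob", "proj-1"): set()})
    trust = store.create_trust("alice", "bob", "proj-1", {"member"},
                               impersonation=True, expires_in=3600, now=1000.0)
    plain = store.create_trust("alice", "bob", "proj-1", {"member"}, now=1000.0)

    def rejected(fn) -> bool:
        try:
            fn()
            return False
        except TrustError:
            return True

    return {
        "token": store.consume_trust("bob", trust.trust_id, now=1500.0),
        "plain_token": store.consume_trust("bob", plain.trust_id, now=1500.0),
        "wrong_trustee_rejected": rejected(lambda: store.consume_trust("carol", trust.trust_id, now=1500.0)),
        "expired_rejected": rejected(lambda: store.consume_trust("bob", trust.trust_id, now=5000.0)),
        "unheld_role_rejected": rejected(lambda: store.create_trust("alice", "bob", "proj-1", {"owner"}, now=1000.0)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the two issued tokens and three rejections: the impersonating token names "alice" with `impersonation: True`, the plain one names "bob", and a different authenticated user, a consumption after expiry, and a delegation of an unheld role are all refused.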