[openstack-dev] [OSSG] [keystone] Trusts: delegation and impersonation

Chmouel Boudjnah chmouel at chmouel.com
Tue Mar 19 09:06:57 UTC 2013


On Sun, Mar 17, 2013 at 2:35 AM, Adam Young <ayoung at redhat.com> wrote:
> Not allowing impersonation is probably the right thing in the abstract, but
> due to the way Swift in particular manages ownership, which is at the per
> user level, the attribute that needs to be delegated is, unfortunately, the
> user_id of the owner of the object.  Systems are currently built around
> users surrendering control of their password just as you state above.
> Impersonation is a step in the right direction.  I would be happy to remove
> the impersonation aspect of trusts once it is no longer needed.

I can confirm that we are using impersonation in Swift while using the
reseller_admin feature; I would be happy to adapt it in keystoneauth
to trusts when this is implemented.

As far as the audit trail goes, we are just logging the impersonation in
the log, which I believe should be enough; ideally we could store
it in metadata (e.g. X-Container/Object/Account-Meta-Modified-By:),
something not too hard to do via a middleware.

Chmouel.
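As an added illustration of the "store it in metadata via a middleware" idea in the message above (example code written for this thread, not Swift's, keystoneauth's or the author's), here is a small WSGI filter that stamps X-Account/Container/Object-Meta-Modified-By with the authenticated user id on every write and logs a warning when that write looks like an impersonation. It assumes keystone's auth_token has already populated HTTP_X_USER_ID, HTTP_X_TENANT_ID and HTTP_X_ROLES in the WSGI environ, that accounts are named with the keystoneauth reseller prefix AUTH_ followed by the project id, and that the privileged role is spelled "ResellerAdmin"; all three are assumptions and configurable constants here. The request in `example()` is constructed for the demonstration.

```python
import logging

LOG = logging.getLogger("swift.audit_modified_by")

# Assumptions (not taken from the thread): keystoneauth-style account naming
# and role name.  Adjust to match reseller_prefix / reseller_admin_role.
RESELLER_PREFIX = "AUTH_"            # account = prefix + keystone project id
IMPERSONATION_ROLE = "ResellerAdmin"
STAMPED_METHODS = {"PUT", "POST", "COPY"}   # DELETE leaves nothing to stamp


def resource_type(path):
    """Classify /v1/<account>[/<container>[/<object>]]; None if not a v1 path."""
    parts = path.strip("/").split("/", 3)
    if len(parts) < 2 or parts[0] != "v1" or not parts[1]:
        return None
    return ("account", "container", "object")[min(len(parts) - 2, 2)]


def account_project(path):
    """Project id owning the account, under the assumed prefix convention."""
    account = path.strip("/").split("/", 3)[1]
    if account.startswith(RESELLER_PREFIX):
        return account[len(RESELLER_PREFIX):]
    return None


def stamp_modified_by(environ):
    """Record the acting user on a write; return the (environ key, value) set.

    Any client-supplied Modified-By header is discarded first, on every
    method, so the stored value can only originate from this middleware;
    otherwise a caller could forge the audit trail with a plain PUT.
    """
    rtype = resource_type(environ.get("PATH_INFO", ""))
    if rtype is None:
        return None
    key = "HTTP_X_%s_META_MODIFIED_BY" % rtype.upper()
    environ.pop(key, None)
    if environ.get("REQUEST_METHOD") not in STAMPED_METHODS:
        return None
    actor = environ.get("HTTP_X_USER_ID")        # set by keystone auth_token
    if not actor:
        return None
    environ[key] = actor
    roles = {r.strip() for r in environ.get("HTTP_X_ROLES", "").split(",")
             if r.strip()}
    # Impersonation heuristic (assumption): privileged role, and the caller's
    # project is not the one that owns the account being written.
    if (IMPERSONATION_ROLE in roles and
            environ.get("HTTP_X_TENANT_ID") != account_project(environ["PATH_INFO"])):
        LOG.warning("impersonated write: user=%s project=%s %s %s",
                    actor, environ.get("HTTP_X_TENANT_ID"),
                    environ["REQUEST_METHOD"], environ["PATH_INFO"])
    return key, actor


class AuditModifiedBy:
    """Proxy-pipeline filter; place it after keystoneauth."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        stamp_modified_by(environ)
        return self.app(environ, start_response)


def filter_factory(global_conf, **local_conf):
    """Paste entry point, as Swift loads its middlewares."""
    def make_filter(app):
        return AuditModifiedBy(app)
    return make_filter


def example():
    """Constructed request: a ResellerAdmin from project 'ops' overwrites an
    object in another project's account and tries to forge the header."""
    environ = {
        "REQUEST_METHOD": "PUT",
        "PATH_INFO": "/v1/AUTH_tenantA/photos/cat.jpg",
        "HTTP_X_USER_ID": "admin-user-id",
        "HTTP_X_TENANT_ID": "ops",
        "HTTP_X_ROLES": "ResellerAdmin,admin",
        "HTTP_X_OBJECT_META_MODIFIED_BY": "someone-else",   # forged, discarded
    }
    captured = {}

    def downstream(env, start_response):
        captured.update(env)
        start_response("201 Created", [])
        return [b""]

    AuditModifiedBy(downstream)(environ, lambda status, headers: None)
    return captured
```

Two caveats worth keeping in mind if this were productised: an object POST replaces all user metadata in Swift, so the header always reflects the last writer rather than an accumulating history, and a DELETE leaves no object to carry metadata, so for deletions the proxy log line remains the only record.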


