[openstack-dev] [keystone][heat] Question re deleting trusts via trust token

Steven Hardy shardy at redhat.com
Tue Sep 3 22:52:57 UTC 2013


Hi,

I have a question for the keystone folks re the expected behavior when
deleting a trust.

Is it expected that you can only ever delete a trust as the user who
created it, and that you can *not* delete the trust when impersonating that
user using a token obtained via that trust?

The reason for this question is that, for the Heat use-case, this may represent
a significant operational limitation, since it implies that the user who
creates the stack is the only one who can ever delete it.

Current Heat behavior is to allow any user in the same tenant, provided
they have the requisite roles, to delete the stack, which AFAICT atm will
not be possible when using trusts.

Clarification as to whether this is as-designed or a bug somewhere much
appreciated, thanks!

Steve


