[openstack-dev] [keystone][heat] Question re deleting trusts via trust token
Dolph Mathews
dolph.mathews at gmail.com
Tue Sep 3 23:12:00 UTC 2013
On Tue, Sep 3, 2013 at 5:52 PM, Steven Hardy <shardy at redhat.com> wrote:
> Hi,
>
> I have a question for the keystone folks re the expected behavior when
> deleting a trust.
>
> Is it expected that you can only ever delete a trust as the user who
> created it, and that you can *not* delete the trust when impersonating that
> user using a token obtained via that trust?
>
We have some tests in keystone somewhat related to this scenario, but
nothing that asserts that specific behavior-
https://github.com/openstack/keystone/blob/master/keystone/tests/test_auth.py#L737-L763
> The reason for this question, is for the Heat use-case, this may represent
> a significant operational limitation, since it implies that the user who
> creates the stack is the only one who can ever delete it.
>
I don't follow this implication-- can you explain further? I don't see how
the limitation above (if it exists) would impact this behavior or be a
blocker for the design below.
>
> Current Heat behavior is to allow any user in the same tenant, provided
> they have the requisite roles, to delete the stack
That seems like a reasonable design. With trusts, any user who has been
delegated the requisite role on the same tenant should be able to delete
the stack.
> which AFAICT atm will
> not be possible when using trusts.
>
Similar to the above, I don't understand how trusts presents a blocker?
>
> Clarification as to whether this is as-designed or a bug somewhere much
> appreciated, thanks!
>
> Steve
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
--
-Dolph
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130903/f27a3e2c/attachment.html>
More information about the OpenStack-dev
mailing list