[openstack-dev] [keystone][heat] Question re deleting trusts via trust token

Dolph Mathews dolph.mathews at gmail.com
Tue Sep 3 23:12:00 UTC 2013


On Tue, Sep 3, 2013 at 5:52 PM, Steven Hardy <shardy at redhat.com> wrote:

> Hi,
>
> I have a question for the keystone folks re the expected behavior when
> deleting a trust.
>
> Is it expected that you can only ever delete a trust as the user who
> created it, and that you can *not* delete the trust when impersonating that
> user using a token obtained via that trust?
>

We have some tests in keystone somewhat related to this scenario, but
nothing that asserts that specific behavior:

https://github.com/openstack/keystone/blob/master/keystone/tests/test_auth.py#L737-L763


> The reason for this question is that, for the Heat use-case, this may
> represent a significant operational limitation, since it implies that the
> user who creates the stack is the only one who can ever delete it.
>

I don't follow this implication-- can you explain further? I don't see how
the limitation above (if it exists) would impact this behavior or be a
blocker for the design below.


>
> Current Heat behavior is to allow any user in the same tenant, provided
> they have the requisite roles, to delete the stack


That seems like a reasonable design. With trusts, any user who has been
delegated the requisite role on the same tenant should be able to delete
the stack.


> which AFAICT atm will
> not be possible when using trusts.
>

Similar to the above, I don't understand how trusts present a blocker?


>
> Clarification as to whether this is as-designed or a bug somewhere much
> appreciated, thanks!
>
> Steve
>



-- 

-Dolph
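To make the two checks being discussed concrete, here is a small Python model of the trust flow, added for this page and not code from Keystone, Heat or either poster. All names (Trust, Token, issue_trust_token, can_delete_stack, can_delete_trust, the role "example_role" and the user/project ids) are constructed. The stack-delete rule encodes the Heat behavior Steve describes (same tenant plus requisite role, however the role was obtained), and the trust-delete rule encodes the restriction Steve asks about as a hypothesis, not as confirmed Keystone behavior. It shows Dolph's point: even under that restriction, a trustee holding a trust-scoped token with delegated roles can still pass the stack-delete check.

```python
"""Illustrative model of Keystone v3 trusts and a Heat-style stack check.

Added example for this thread, not Keystone's or Heat's own code.  Every
identifier below is constructed; the trust-deletion rule is the behavior
Steve asks about, treated here as a hypothesis.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str        # user delegating roles
    trustee_user_id: str        # user receiving the delegation
    project_id: str             # tenant the delegation is scoped to
    roles: FrozenSet[str]       # roles the trustor delegates
    impersonation: bool         # token reports the trustor's user_id


@dataclass(frozen=True)
class Token:
    user_id: str                # identity the token acts as
    project_id: str
    roles: FrozenSet[str]
    trust_id: Optional[str] = None   # set when the token is trust-scoped


def issue_trust_token(trust, requesting_user_id, trustor_current_roles):
    """Exchange a trust for a trust-scoped token.

    Only the trustee may consume the trust, and delegation can never grant
    more than the trustor currently holds on the project.
    """
    if requesting_user_id != trust.trustee_user_id:
        raise PermissionError("only the trustee can consume this trust")
    if not trust.roles <= trustor_current_roles:
        raise PermissionError("trustor no longer holds a delegated role")
    acting_as = trust.trustor_user_id if trust.impersonation else trust.trustee_user_id
    return Token(acting_as, trust.project_id, trust.roles, trust.trust_id)


def can_delete_stack(token, stack_project_id, required_role="example_role"):
    """Heat-style rule: same tenant and the requisite role, whatever its source."""
    return token.project_id == stack_project_id and required_role in token.roles


def can_delete_trust(token, trust):
    """Hypothesised rule from the thread: the trustor only, and not when the
    request is made with a token obtained from that very trust."""
    return token.user_id == trust.trustor_user_id and token.trust_id != trust.trust_id


def scenario():
    """Run the thread's situation end to end and return the outcomes."""
    trust = Trust("trust-1", "alice", "bob", "proj-1",
                  frozenset({"example_role"}), impersonation=True)
    alice_roles_now = frozenset({"example_role", "another_role"})

    # Bob consumes the trust; with impersonation the token acts as alice.
    bob_trust_token = issue_trust_token(trust, "bob", alice_roles_now)
    # Alice's ordinary, non-trust-scoped token on the same project.
    alice_token = Token("alice", "proj-1", alice_roles_now)

    # If alice loses the delegated role, the trust stops being usable.
    try:
        issue_trust_token(trust, "bob", frozenset({"another_role"}))
        revoked_blocks = False
    except PermissionError:
        revoked_blocks = True

    return {
        "trustee_can_delete_stack": can_delete_stack(bob_trust_token, "proj-1"),
        "trustee_can_delete_trust": can_delete_trust(bob_trust_token, trust),
        "trustor_can_delete_trust": can_delete_trust(alice_token, trust),
        "token_acts_as": bob_trust_token.user_id,
        "revoked_role_blocks_trust": revoked_blocks,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The separation of the two rules is the point: the stack check only looks at project and roles carried by the token, so delegated roles satisfy it, while the trust check looks at who the real trustor is and whether the token itself came from the trust.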