[openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

Zane Bitter zbitter at redhat.com
Mon Aug 25 14:49:50 UTC 2014

On 24/08/14 23:17, Adam Young wrote:
> On 08/23/2014 02:01 AM, Clint Byrum wrote:
>> I don't know how Zaqar does its magic, but I'd love to see simple signed
>> URLs rather than users/passwords. This would work for Heat as well. That
>> way we only have to pass in a single predictably formatted string.
>> Excerpts from Zane Bitter's message of 2014-08-22 14:35:38 -0700:
>>> Here's an interesting fact about Zaqar (the project formerly known as
>>> Marconi) that I hadn't thought about before this week: it's probably the
>>> first OpenStack project where a major part of the API primarily faces
> Nah, this is the direction we are headed.  Service users (out of LDAP!)
> are going to be the norm with a recent feature add to Keytone:
> http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/

Ah, excellent, thanks Adam. (BTW markup fail: "The naming of this file 
is essential: keystone..conf [sic] is the expected form.")

So this will solve the Authentication half of the problem. What is the 
recommended solution for Authorisation?

In particular, even if a service like Zaqar or Heat implements their own 
authorisation (e.g. the user creating a Zaqar queue supplies lists of 
the accounts that are allowed to read or write to it, respectively), how 
does the user ensure that the service accounts they create will not have 
access to other OpenStack APIs? IIRC the default policy.json files 
supplied by the various projects allow non-admin operations from any 
account with a role in the project.


More information about the OpenStack-dev mailing list