[openstack-dev] [solum] [mistral] [heat] keystone chained trusts / oauth
Angus Salkeld
angus.salkeld at RACKSPACE.COM
Wed May 28 00:56:52 UTC 2014
Hi all
During our Solum meeting it was felt we should make sure that all three
teams are on the same page wrt $subject.
I'll describe the use case we are trying to solve and hopefully get some
guidance from the keystone team about the best way forward.
Solum implements a ci/cd pipeline that we want to trigger based on a git
receive hook. What we do is generate a magic webhook (should be
ec2signed url - on the todo list) and when it is hit we want
to call mistral-execution-create (which runs a workflow that calls
to other openstack services; heat is one of them).
We currently use a trust token and that fails because both mistral and
heat want to create trust tokens as well :-O (trust tokens can't be
rescoped).
So what is the best mechanism for this? I spoke to Steven Hardy at
summit and he suggested (after talking to some keystone folks) we all
move to using the new oauth functionality in keystone.
I believe there might be some limitations to oauth (are roles supported?).
Basically I want to make sure we are doing the right (and compatible)
thing so autonomous actions can be carried out across services.
Regards
Angus
refs:
https://blueprints.launchpad.net/mistral/+spec/mistral-oauth
https://blueprints.launchpad.net/solum/+spec/solum-oauth
https://blueprints.launchpad.net/heat/+spec/heat-oauth
other interesting stuff:
http://adam.younglogic.com/2013/03/trusts-and-oauth/
http://homakov.blogspot.com.au/2013/03/oauth1-oauth2-oauth.html