[openstack-dev] Can I count on the OS-TRUST extension for a backup service?

Preston L. Bannister preston at bannister.us
Sat Dec 26 03:04:19 UTC 2015


In the implementation of an instance backup service for OpenStack, on
restore I need to (re)create the restored instance in the original tenant.

Restores can be fired off by an administrator (not the original user), so
at instance-create time I have two main choices:

   1. Create the instance as the backup service.
   2. Create the instance as the original user.

Clearly (1) is workable (given the backup user has access to the tenant).
Keypairs are a bit of an issue, but solvable.

Also clearly (2) is better, but that requires a means to impersonate the
original user. Keystone trusts seem to be that means, but raise additional
questions. (Also the fact the current documentation for Keystone is
incomplete in this area does not raise the confidence level.)

   1. How far back is the Keystone OS-TRUST extension reliable? (Kilo?
   Juno?)
   2. Do any OpenStack distributions omit the OS-TRUST extension?

A feature labelled as an "extension" poses a risk to the developer. :)

Trying to get a handle on that risk.