[openstack-dev] [keystone] [trusts] [all] How trusts should work by design?

Renat Akhmerov rakhmerov at mirantis.com
Thu Feb 19 06:01:17 UTC 2015


Hi,


> On 18 Feb 2015, at 23:54, Nikolay Makhotkin <nmakhotkin at mirantis.com> wrote:
> 
> Nova client's CLI parameter 'bypass_url' helps me. The client's API also has 'management_url' attribute, if this one is specified - the client doesn't reauthenticate. Also the most of clients have 'endpoint' argument, so client doesn't make extra call to keystone to retrieve new token and service_catalog.
> 
> Thank you for clarification!


I want to say an additional “thank you” from me for helping us solve this problem that’s been around for a while.

And just a small conceptual question: in my understanding since trust chaining has already landed this kind of reauthentication doesn’t make a lot of sense to me. Isn’t trust chaining supposed to mean that trust-scoped tokens a regular tokens should be considered equal? Or we should still assume that trust scoped tokens are sort of limited? If yes then how exactly they must be understood?


Thanks!

Renat Akhmerov
@ Mirantis Inc.




More information about the OpenStack-dev mailing list