[openstack-dev] [Keystone][Nova] Any Code Examples of Other Services Using Keystone Policy?

Dan Smith dms at danplanet.com
Thu May 5 22:03:36 UTC 2016

> I'm currently working on the spec for Project ID Validation in Nova
> using Keystone. The outcome of the Design Summit Session was that the
> Nova service user would use the Keystone policy to establish whether the
> requester had access to the project at all to verify the id. I was
> wondering if there were any code examples of a non-Keystone service
> using the Keystone policy in this way?
> Also if I misunderstood something, please feel free to correct me or to
> clarify!

Just to clarify, the outcome as I understood it is:

/Instead/ of a Nova service user, Nova should use the credentials of the
user doing the quota manipulation to authenticate a request to Keystone
to check for the presence of the target user. That means doing a HEAD or
GET on the tenant in Keystone using the credentials provided to Nova for
the quota operation. The only Keystone policy involved is making sure
that the user has permission to do that HEAD or GET operation (which is
really just a deployment thing).
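
The check described in this reply, sketched as an added example (not code from the thread, Nova or Keystone): a HEAD on Keystone's v3 `/v3/projects/{project_id}` sent with the requester's own token, keeping "project missing" apart from "policy refused the lookup". The function names, result strings and the in-process fake Keystone are constructed for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

def project_lookup_as_caller(keystone_url, caller_token, project_id, timeout=5):
    """HEAD the project with the requester's token, never a Nova service token.
    Returns 'exists', 'missing' or 'denied'; anything else raises (fail closed)."""
    # Quote the id so a crafted value cannot change the request path.
    path = "/v3/projects/" + urllib.parse.quote(project_id, safe="")
    req = urllib.request.Request(keystone_url + path, method="HEAD",
                                 headers={"X-Auth-Token": caller_token})
    try:
        with urllib.request.urlopen(req, timeout=timeout):
            return "exists"        # 2xx: project exists and policy allowed the read
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return "missing"       # caller may look, but there is no such project
        if exc.code in (401, 403):
            return "denied"        # bad token or policy refusal: existence unknown
        raise

# Constructed stand-in for Keystone so the example runs offline.
PROJECTS = {"p-123"}
TOKENS = {"admin-token": True, "member-token": False}  # token -> may read projects

class FakeKeystone(http.server.BaseHTTPRequestHandler):
    def do_HEAD(self):
        token = self.headers.get("X-Auth-Token")
        project = self.path.rsplit("/", 1)[-1]
        if token not in TOKENS:
            code = 401
        elif not TOKENS[token]:
            code = 403
        else:
            code = 200 if project in PROJECTS else 404
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_fake_keystone():
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeKeystone)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

if __name__ == "__main__":
    srv, url = start_fake_keystone()
    print(project_lookup_as_caller(url, "admin-token", "p-123"))
```

A caller that gets `denied` should reject the quota operation rather than treat the project as valid, since the lookup proved nothing about the project.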

