[openstack-dev] [tc][appcat] The future of the App Catalog

Jay Pipes jaypipes at gmail.com
Wed Mar 15 19:06:26 UTC 2017


+Boris B

On 03/15/2017 02:55 PM, Fox, Kevin M wrote:
> I think they are. If they are not, things will break if federation is used for sure. If you know that it is please let me know. I want to deploy federation at some point but was waiting for dashboard support. Now that the dashboard supports it, I may try it soon. Its a no-go still though if heat doesn't work with it.

We had a customer engagement recently that had issues with Heat not 
being able to execute certain actions in a federated Keystone 
environment. I believe we learned that Keystone trusts and federation 
were not compatible during this engagement.

Boris, would you mind refreshing memories on this?

Best,
-jay

> ________________________________________
> From: Jay Pipes [jaypipes at gmail.com]
> Sent: Wednesday, March 15, 2017 11:41 AM
> To: openstack-dev at lists.openstack.org
> Subject: Re: [openstack-dev] [tc][appcat] The future of the App Catalog
>
> On 03/15/2017 01:21 PM, Fox, Kevin M wrote:
>> Other OpenStack subsystems (such as Heat) handle this with Trusts. A service account is made in a different, usually SQL backed Keystone Domain and a trust is created associating the service account with the User.
>>
>> This mostly works but does give the trusted account a lot of power, as the roles by default in OpenStack are pretty coarse grained. That should be solvable though.
>
> I didn't think Keystone trusts and Keystone federation were compatible
> with each other, though? Did that change recently?
>
> Best,
> -jay
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



More information about the OpenStack-dev mailing list