[openstack-dev] [magnum][keystone] clusters, trustees and projects
Ricardo Rocha
rocha.porto at gmail.com
Mon Feb 26 10:17:44 UTC 2018
Hi.
We have an issue with the way Magnum uses keystone trusts.
Magnum clusters are created in a given project using HEAT, and require
a trust token to communicate back with OpenStack services - there is
also integration with Kubernetes via a cloud provider.
This trust belongs to a given user, not the project, so whenever we
disable the user's account - for example when a user leaves the
organization - the cluster becomes unhealthy as the trust is no longer
valid. Given the token is available in the cluster nodes, accessible
by users, a trust linked to a service account is also not a viable
solution.
Is there an existing alternative for this kind of use case? I guess
what we might need is a trust that is linked to the project.
I believe the same issue would be there using application credentials,
as the ownership is similar.
Cheers,
Ricardo