[Openstack] One Time Keystone Use Tokens?

Adam Young ayoung at redhat.com
Mon Nov 11 18:00:11 UTC 2013


I think we need to look into using a trust for this instead of a Token hand-off.  The need for one user or limited use trusts has come up multiple times.  That coupled with a very short lived token (5 minutes) is probably a better solution.

----- Original Message -----
From: "Adam Young" <ayoung at redhat.com>
To: openstack at lists.openstack.org
Sent: Friday, October 25, 2013 9:06:29 PM
Subject: Re: [Openstack] One Time Keystone Use Tokens?

On 10/25/2013 04:03 PM, Ali, Haneef wrote: 

I don’t think it is possible. Can’t you revoke the token after VM boot?

Yes, but I would not recommend doing that. You would have to modify every place that used tokens. You could make the token timeout very short, but it will break on any long running tasks.

Thanks

Haneef

From: Brian Chong [ mailto:Brian_Chong at symantec.com ] 
Sent: Friday, October 25, 2013 8:19 AM 
To: openstack at lists.openstack.org 
Subject: [Openstack] One Time Keystone Use Tokens? 

Hi,

I'm trying to figure out if it's possible to configure KeyStone tokens to be one time use. My use case is that when a user requests that they want to take an action on the platform (i.e.: boot a VM) they aren't also using that same token to load an image in Glance or delete another VM, etc.

How would I do that or is that even possible?

Thanks a lot!

-Brian

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

