Hi Adam,

Thanks for that. :)

I'm researching the Trust Capability now to see if that will get me close to what I need using different roles and then delegating those roles. Not sure how unwieldy that will be in terms of the policy management but I'm going to investigate it.

-Brian

From: Adam Young <ayoung at redhat.com>
Date: Tuesday, November 12, 2013 12:42 PM
To: "openstack at lists.openstack.org" <openstack at lists.openstack.org>
Subject: Re: [Openstack] One Time Keystone Use Tokens?

On 10/25/2013 11:19 AM, Brian Chong wrote:

> Hi,
>
> I'm trying to figure out if it's possible to configure Keystone tokens to be one time use. My use case is that when a user requests that they want to take an action on the platform (i.e.: boot a VM) they aren't also using that same token to load an image in Glance or delete another VM, etc.

I filed a bug for this feature. https://bugs.launchpad.net/keystone/+bug/1250617

However, note that the feature you are requesting is best supported by trusts in general: you need to split up the roles for each action (create vm, upload image to glance) and then delegate only the roles for the operations desired.

> How would I do that or is that even possible?
>
> Thanks a lot!
>
> -Brian