On Tue, Sep 3, 2013 at 5:52 PM, Steven Hardy <[email protected]> wrote:
> Hi,
>
> I have a question for the keystone folks re the expected behavior when
> deleting a trust.
>
> Is it expected that you can only ever delete a trust as the user who
> created it, and that you can *not* delete the trust when impersonating that
> user using a token obtained via that trust?
>

We have some tests in keystone somewhat related to this scenario, but nothing that asserts that specific behavior:

https://github.com/openstack/keystone/blob/master/keystone/tests/test_auth.py#L737-L763

> The reason for this question, is for the Heat use-case, this may represent
> a significant operational limitation, since it implies that the user who
> creates the stack is the only one who can ever delete it.
>

I don't follow this implication -- can you explain further? I don't see how the limitation above (if it exists) would impact this behavior or be a blocker for the design below.

>
> Current Heat behavior is to allow any user in the same tenant, provided
> they have the requisite roles, to delete the stack

That seems like a reasonable design. With trusts, any user who has been delegated the requisite role on the same tenant should be able to delete the stack.

> which AFAICT atm will
> not be possible when using trusts.
>

Similar to the above, I don't understand how trusts present a blocker?

>
> Clarification as to whether this is as-designed or a bug somewhere much
> appreciated, thanks!
>
> Steve
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

--
-Dolph
