On 16/06/17 05:09, Kaz Shinohara wrote:
I still take `deferred_auth_method=password` in place of trusts because we don't enable trusts on the Keystone side due to some internal reason.

Free advice: whatever reason you have for not enabling trusts, storing user passwords in the Heat database is 100x worse.

The issues you pointed out are correct (e.g. user_domain_id); we don't use the domain well, and we have also added some patches to skip those issues.

Why aren't those upstream?

But I guess that the majority of Heat users have already moved to trusts, and it is obviously the better solution in terms of security and granular role control. As an edge case (perhaps), if a user wants to use password auth, it would be too tricky for them to introduce it; therefore I agree with your 2nd option.

If we remove `deferred_auth_method=password` from heat.conf, should we keep `deferred_auth_method` itself or replace it with a new config option just to enable/disable trusts? Do you have any idea on this? Also, I'm thinking that `reauthentication_method` might also be changed/merged?

Kaz Shinohara

2017-06-16 14:11 GMT+09:00 Rabi Mishra <ramis...@redhat.com>:


    I'm not sure whether this works with keystone v2 and whether anyone is using
    it or not. Keeping in mind that heat-cli is deprecated and keystone
    v3 is now the default, we have 2 options:

    1. Continue to support the 'deferred_auth_method=password' option and
    fix all the above issues.

    2. Remove/deprecate the option in pike itself.

    I would prefer option 2, but probably I miss some history and use
    cases for it.

Am I right in thinking that any user (i.e. not just the [heat] service user) can create a trust? I still see occasional requests about 'standalone mode' for clouds that don't have Heat available to users (which I suspect is broken, otherwise people wouldn't be asking), and I'm guessing that standalone mode has heretofore required deferred_auth_method=password.

So if we're going to remove the option then we should probably either officially disown standalone mode or rewrite the instructions such that it can be used with the trusts method.


OpenStack Development Mailing List (not for usage questions)