Hi all

During our Solum meeting it was felt we should make sure that all three teams are on the same page wrt $subject. I'll describe the use case we are trying to solve and hopefully get some guidance from the keystone team about the best way forward.

Solum implements a ci/cd pipeline that we want to trigger based on a git receive hook. What we do is generate a magic webhook (should be ec2signed url - on the todo list) and when it is hit we want to call mistral-execution-create (which runs a workflow that calls to other openstack services (heat is one of them)).

We currently use a trust token and that fails because both mistral and heat want to create trust tokens as well :-O (trust tokens can't be rescoped).

So what is the best mechanism for this? I spoke to Steven Hardy at summit and he suggested (after talking to some keystone folks) we all move to using the new oauth functionality in keystone. I believe there might be some limitations to oauth (are roles supported?).

Basically I want to make sure we are doing the right (and compatible) thing so autonomous actions can be carried out across services.

Regards
Angus

refs:
https://blueprints.launchpad.net/mistral/+spec/mistral-oauth
https://blueprints.launchpad.net/solum/+spec/solum-oauth
https://blueprints.launchpad.net/heat/+spec/heat-oauth

other interesting stuff:
http://adam.younglogic.com/2013/03/trusts-and-oauth/
http://homakov.blogspot.com.au/2013/03/oauth1-oauth2-oauth.html