If I understand the scenario correctly, I think you might run into the same problem with OAuth Access Tokens.
>> We currently use a trust token and that fails because both mistral and
>> heat want to create trust tokens as well :-O (trust tokens can't be
>> rescoped).
i.e.: Use OAuth Access Token (oa) to get a Keystone token (kt), then use that Keystone token (kt) to get another Keystone token? (scoped or not, the request will be denied to prevent chaining)
>> I believe there might be some limitations to oauth (are roles supported?).
You may specify any number of roles to be delegated in an OAuth Access Token; the only limitation I can think of is that only projects are supported, not domains.
Regards,
Steve Martinelli
Software Developer - Openstack
Keystone Core Member
Phone: 1-905-413-2851 E-mail: steve...@ca.ibm.com
8200 Warden Ave Markham, ON L6G 1C7 Canada
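The chaining rule described in the reply above, walked through as an added example (this is neither message's code nor Keystone's; it is a small model written for this page). It encodes three rules the thread states: a trust-scoped token cannot be rescoped or used to create another trust, a Keystone token obtained through an OAuth Access Token cannot be used to obtain another Keystone token either, and OAuth delegation is project-scoped only. The user, service, project and role names (angus, solum, mistral, demo, Member, heat_stack_owner) are constructed placeholders, and `Forbidden` stands in for the 403 Keystone would return; real Keystone enforces these checks inside its token, trust and OAuth APIs, which the model only approximates.

```python
"""Model of the delegation rules discussed in the thread (added illustration,
not Keystone code). Rules: (1) trust tokens cannot be rescoped or used to create
a further trust, (2) OAuth-derived tokens cannot be used to get another token,
(3) OAuth delegation is project-scoped only."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


class Forbidden(Exception):
    """Stands in for the HTTP 403 Keystone returns for a denied request."""


@dataclass(frozen=True)
class Token:
    user: str
    project: Optional[str]      # None = unscoped
    roles: FrozenSet[str]
    method: str                 # "password", "trust" or "oauth1"

    @property
    def delegated(self) -> bool:
        # Trust- and OAuth-derived tokens are delegated credentials; the model
        # refuses to derive any further token from them (rules 1 and 2).
        return self.method in ("trust", "oauth1")


@dataclass(frozen=True)
class Trust:
    trustor: str
    trustee: str
    project: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class OAuthAccessToken:
    user: str                   # the authorizing user
    consumer: str               # the service holding the access token
    project: str                # delegation scope is always a project (rule 3)
    roles: FrozenSet[str]


def password_token(user: str, project: str, roles: Iterable[str]) -> Token:
    """A first-hand token, e.g. one obtained with a password."""
    return Token(user, project, frozenset(roles), "password")


def rescope(token: Token, project: str) -> Token:
    """Use an existing token to obtain a token scoped to `project`."""
    if token.delegated:
        raise Forbidden("%s token cannot be used to obtain another token" % token.method)
    return Token(token.user, project, token.roles, "password")


def create_trust(trustor_token: Token, trustee: str, roles: Iterable[str]) -> Trust:
    """The trustor delegates a subset of its roles on its project to `trustee`."""
    if trustor_token.delegated:
        raise Forbidden("cannot create a trust from a %s token (chaining)" % trustor_token.method)
    roles = frozenset(roles)
    if trustor_token.project is None or not roles <= trustor_token.roles:
        raise Forbidden("trustor lacks the requested roles on a project")
    return Trust(trustor_token.user, trustee, trustor_token.project, roles)


def consume_trust(trust: Trust, trustee_token: Token) -> Token:
    """The trustee exchanges its own token for a trust-scoped token."""
    if trustee_token.user != trust.trustee:
        raise Forbidden("only the trustee may consume this trust")
    return Token(trust.trustor, trust.project, trust.roles, "trust")


def consume_oauth(access: OAuthAccessToken, consumer: str,
                  domain: Optional[str] = None) -> Token:
    """The consumer turns its OAuth access token into a Keystone token."""
    if consumer != access.consumer:
        raise Forbidden("access token belongs to a different consumer")
    if domain is not None:
        raise Forbidden("OAuth delegation supports projects only, not domains")
    return Token(access.user, access.project, access.roles, "oauth1")


def downstream_attempts(token: Token) -> dict:
    """Outcome ("ok" or the Forbidden message) when a downstream service such as
    Mistral receives `token` and tries to derive its own credential from it."""
    outcomes = {}
    for name, attempt in (
        ("rescope", lambda: rescope(token, "demo")),
        ("create_trust", lambda: create_trust(token, "mistral", token.roles)),
    ):
        try:
            attempt()
            outcomes[name] = "ok"
        except Forbidden as exc:
            outcomes[name] = str(exc)
    return outcomes


def walk_scenario() -> dict:
    """Solum obtains a delegated token for the user via a trust and via OAuth,
    then hands each to Mistral, which tries to delegate onward."""
    user = password_token("angus", "demo", ["Member", "heat_stack_owner"])
    solum_trust = consume_trust(create_trust(user, "solum", user.roles),
                                password_token("solum", "service", ["service"]))
    solum_oauth = consume_oauth(OAuthAccessToken("angus", "solum", "demo", user.roles), "solum")
    return {"first_hand": downstream_attempts(user),
            "trust": downstream_attempts(solum_trust),
            "oauth": downstream_attempts(solum_oauth)}


if __name__ == "__main__":
    for path, result in walk_scenario().items():
        print(path, result)
```

Running it shows the point of the reply: the first-hand token can be rescoped and can create a trust, while both the trust-derived and the OAuth-derived token are refused at the second hop, so moving Solum from trusts to OAuth does not by itself let Mistral and Heat obtain their own delegated credentials downstream.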
From: Angus Salkeld <angus.salk...@rackspace.com>
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>,
Date: 05/27/2014 08:58 PM
Subject: [openstack-dev] [solum] [mistral] [heat] keystone chained trusts / oauth
Hi all
During our Solum meeting it was felt we should make sure that all three
teams are on the same page wrt $subject.
I'll describe the use case we are trying to solve and hopefully get some
guidance from the keystone team about the best way forward.
Solum implements a ci/cd pipeline that we want to trigger based on a git
receive hook. What we do is generate a magic webhook (should be
ec2signed url - on the todo list) and when it is hit we want
to call mistral-execution-create (which runs a workflow that calls
other openstack services (heat is one of them)).
We currently use a trust token and that fails because both mistral and
heat want to create trust tokens as well :-O (trust tokens can't be
rescoped).
So what is the best mechanism for this? I spoke to Steven Hardy at
summit and he suggested (after talking to some keystone folks) we all
move to using the new oauth functionality in keystone.
I believe there might be some limitations to oauth (are roles supported?).
Basically I want to make sure we are doing the right (and compatible)
thing so autonomous actions can be carried out across services.
Regards
Angus
refs:
https://blueprints.launchpad.net/mistral/+spec/mistral-oauth
https://blueprints.launchpad.net/solum/+spec/solum-oauth
https://blueprints.launchpad.net/heat/+spec/heat-oauth
other interesting stuff:
http://adam.younglogic.com/2013/03/trusts-and-oauth/
http://homakov.blogspot.com.au/2013/03/oauth1-oauth2-oauth.html
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev