On Fri, Aug 14, 2015 at 05:34:59PM +0800, 王华 wrote: > Hi Clint Byrum, > Trusts can solve this problem, but it may cause performance problem. > When we want to get a stack, we need to get the trust_id from db first, > andA > authenticate with the trust_id, then we can get the stack. A
I'm not sure you actually need trusts, you just need a token scoped to the appropriate project, so if your admin user has sufficient roles in all the projects, you can iterate over the projects and get a token per-project, such that the scope of the project_id matches the tenant/project in the request to heat. I appreciate this isn't much more efficient than the impersonation approach, but it does reduce the complexity a bit. Steve __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev