@Renat, They are conceptually different:
- regular tokens are created for the owner of addressed resource
- trust scoped tokens are for trustees and have some security restrictions.
The case is about disallowing a trustee to aquire a regular token allowing
him anything the trustor is allowed. It'd
@Renat, I like the idea. For now we have a spec:
https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-trust-ext.rst
It's consiedered to be enough but as for me it lacks TL;DR section :)
On Thu, Feb 19, 2015 at 8:15 PM, Renat Akhmerov rakhme...@mirantis.com
wrote:
On 19 Feb 2015, at 18:32, Alexander Makarov amaka...@mirantis.com wrote:
@Renat, They are conceptually different:
- regular tokens are created for the owner of addressed resource
- trust scoped tokens are for trustees and have some security restrictions.
The case is about disallowing a
@lists.openstack.org
Sent: Tuesday, 17 February, 2015 4:00:05 AM
Subject: Re: [openstack-dev] [keystone] [trusts] [all] How trusts should
work by design?
https://blueprints.launchpad.net/keystone/+spec/trust-scoped-re-authentication
On Mon, Feb 16, 2015 at 7:57 PM, Alexander Makarov
amaka
Hi,
On 18 Feb 2015, at 23:54, Nikolay Makhotkin nmakhot...@mirantis.com wrote:
Nova client's CLI parameter 'bypass_url' helps me. The client's API also has
'management_url' attribute, if this one is specified - the client doesn't
reauthenticate. Also the most of clients have 'endpoint'
On Mon, Feb 16, 2015 at 09:02:01PM +0600, Renat Akhmerov wrote:
Yeah, clarification from keystone folks would be really helpful.
If Nikolaya**s info is correct (I believe it is) then I actually dona**t
understand why trusts are needed at all, they seem to be useless. My
assumption
We could soften this limitation a little by returning token client tries to
authenticate with.
I think we need to discuss it in community.
On Mon, Feb 16, 2015 at 6:47 PM, Steven Hardy sha...@redhat.com wrote:
On Mon, Feb 16, 2015 at 09:02:01PM +0600, Renat Akhmerov wrote:
Yeah,
https://blueprints.launchpad.net/keystone/+spec/trust-scoped-re-authentication
On Mon, Feb 16, 2015 at 7:57 PM, Alexander Makarov amaka...@mirantis.com
wrote:
We could soften this limitation a little by returning token client tries
to authenticate with.
I think we need to discuss it in
Steve, I saw a couple of things in what you wrote that we might be doing wrong.
We’ll check them when we wake up and let you know what we discovered.
Thanks
Renat Akhmerov
@ Mirantis Inc.
On 16 Feb 2015, at 21:47, Steven Hardy sha...@redhat.com wrote:
On Mon, Feb 16, 2015 at 09:02:01PM
- Original Message -
From: Alexander Makarov amaka...@mirantis.com
To: OpenStack Development Mailing List (not for usage questions)
openstack-dev@lists.openstack.org
Sent: Tuesday, 17 February, 2015 4:00:05 AM
Subject: Re: [openstack-dev] [keystone] [trusts] [all] How trusts should
Yeah, clarification from keystone folks would be really helpful.
If Nikolay’s info is correct (I believe it is) then I actually don’t understand
why trusts are needed at all, they seem to be useless. My assumption is that
they can be used only if we send requests directly to OpenStack services
11 matches
Mail list logo