Public bug reported:
For services that need to talk to many other services, Keystone has
provided the trust based authentication model. That is good.
When a user (e.g. USER) raises a service request, the actual job is
delegated to the service user (e.g. SERVICE). SERVICE user will use
trust mechanism for authentication in calls that follow. When creating a
trust between USER and SERVICE, we will need the user ID of the SERVICE
user, however, it is not possible today as keystone is restricting the
get_user call to be admin only.
A 'service' user may need to find out his own user ID given the user
name specified in the configuration file. The usage scenario is for a
requester to create a trust relationship with the service user so that
the service user can do jobs on the requester's behalf. Restricting
user_list or user_get to only admin users is making this very cumbersome
even impossible.
** Affects: keystone
Importance: Undecided
Assignee: Qiming Teng (tengqim)
Status: In Progress
** Changed in: keystone
Assignee: (unassigned) => Qiming Teng (tengqim)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1459482
Title:
Default policy too restrictive on getting user
Status in OpenStack Identity (Keystone):
In Progress
Bug description:
For services that need to talk to many other services, Keystone has
provided the trust based authentication model. That is good.
When a user (e.g. USER) raises a service request, the actual job is
delegated to the service user (e.g. SERVICE). SERVICE user will use
trust mechanism for authentication in calls that follow. When creating
a trust between USER and SERVICE, we will need the user ID of the
SERVICE user, however, it is not possible today as keystone is
restricting the get_user call to be admin only.
A 'service' user may need to find out his own user ID given the user
name specified in the configuration file. The usage scenario is for a
requester to create a trust relationship with the service user so that
the service user can do jobs on the requester's behalf. Restricting
user_list or user_get to only admin users is making this very
cumbersome even impossible.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1459482/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
