Public bug reported: For services that need to talk to many other services, Keystone has provided the trust based authentication model. That is good.
When a user (e.g. USER) raises a service request, the actual job is delegated to the service user (e.g. SERVICE). SERVICE user will use trust mechanism for authentication in calls that follow. When creating a trust between USER and SERVICE, we will need the user ID of the SERVICE user, however, it is not possible today as keystone is restricting the get_user call to be admin only. A 'service' user may need to find out his own user ID given the user name specified in the configuration file. The usage scenario is for a requester to create a trust relationship with the service user so that the service user can do jobs on the requester's behalf. Restricting user_list or user_get to only admin users is making this very cumbersome even impossible. ** Affects: keystone Importance: Undecided Assignee: Qiming Teng (tengqim) Status: In Progress ** Changed in: keystone Assignee: (unassigned) => Qiming Teng (tengqim) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1459482 Title: Default policy too restrictive on getting user Status in OpenStack Identity (Keystone): In Progress Bug description: For services that need to talk to many other services, Keystone has provided the trust based authentication model. That is good. When a user (e.g. USER) raises a service request, the actual job is delegated to the service user (e.g. SERVICE). SERVICE user will use trust mechanism for authentication in calls that follow. When creating a trust between USER and SERVICE, we will need the user ID of the SERVICE user, however, it is not possible today as keystone is restricting the get_user call to be admin only. A 'service' user may need to find out his own user ID given the user name specified in the configuration file. The usage scenario is for a requester to create a trust relationship with the service user so that the service user can do jobs on the requester's behalf. Restricting user_list or user_get to only admin users is making this very cumbersome even impossible. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1459482/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp