On 03/15/2017 01:21 PM, Fox, Kevin M wrote:
Other OpenStack subsystems (such as Heat) handle this with Trusts. A service
account is made in a different, usually SQL backed Keystone Domain and a trust
is created associating the service account with the User.
This mostly works but does give the trusted account a lot of power, as the
roles by default in OpenStack are pretty coarse grained. That should be
solvable though.
I didn't think Keystone trusts and Keystone federation were compatible
with each other, though? Did that change recently?
Best,
-jay
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
