+Boris B
On 03/15/2017 02:55 PM, Fox, Kevin M wrote:
I think they are. If they are not, things will break if federation is used for
sure. If you know that it is please let me know. I want to deploy federation at
some point but was waiting for dashboard support. Now that the dashboard
supports it, I may try it soon. Its a no-go still though if heat doesn't work
with it.
We had a customer engagement recently that had issues with Heat not
being able to execute certain actions in a federated Keystone
environment. I believe we learned that Keystone trusts and federation
were not compatible during this engagement.
Boris, would you mind refreshing memories on this?
Best,
-jay
________________________________________
From: Jay Pipes [[email protected]]
Sent: Wednesday, March 15, 2017 11:41 AM
To: [email protected]
Subject: Re: [openstack-dev] [tc][appcat] The future of the App Catalog
On 03/15/2017 01:21 PM, Fox, Kevin M wrote:
Other OpenStack subsystems (such as Heat) handle this with Trusts. A service
account is made in a different, usually SQL backed Keystone Domain and a trust
is created associating the service account with the User.
This mostly works but does give the trusted account a lot of power, as the
roles by default in OpenStack are pretty coarse grained. That should be
solvable though.
I didn't think Keystone trusts and Keystone federation were compatible
with each other, though? Did that change recently?
Best,
-jay
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
