On 15/03/17 14:41, Jay Pipes wrote:
> On 03/15/2017 01:21 PM, Fox, Kevin M wrote:
>> Other OpenStack subsystems (such as Heat) handle this with Trusts. A
>> service account is made in a different, usually SQL backed Keystone
>> Domain and a trust is created associating the service account with the
>> User.
>>
>> This mostly works but does give the trusted account a lot of power, as
>> the roles by default in OpenStack are pretty coarse grained. That
>> should be solvable though.
>
> I didn't think Keystone trusts and Keystone federation were compatible
> with each other, though?

You're correct, you have to pick one or the other.

> Did that change recently?

Nope. We did discuss it at the PTG:

https://etherpad.openstack.org/p/pike-ptg-cross-project-federation
- ZB