On Thu, Sep 1, 2016 at 11:58 AM, Adam Young <ayo...@redhat.com> wrote:
> On 08/31/2016 07:56 AM, Michael Still wrote:
> > There is a quick sketch of what a service account might look like at
> > https://review.openstack.org/#/c/363606/ -- I need to do some more
> > fiddling to get the new option group working, but I could do that if we
> > wanted to try and get this into Newton.
>
> So, I don't think we need it. I think that doing an identity for the new
> node *in order* to register it with an IdP is backwards: register it, and
> use the identity from the IdP via Federation.
>
> Anything authenticated should be done from the metadata server or from
> Nova itself, based on the token used to launch the workflow.
>

I'm not sure we're on the same page here. The flows would be something like this:

- Instance boot request
  - Initiating user token is available, and is passed through to the vendordata REST service
  - Metadata _might_ be generated, if the instance is using config drive

- Metadata request from within the instance (any use case not using config drive)
  - No user token, this is just cloud-init running on the instance, although it could be other client software too
  - We don't have a token to pass to the vendordata REST service, so we currently pass nothing, keystone middleware denies request

So, it's those post-boot requests from inside the instance that have me concerned.

Michael

--
Rackspace Australia
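The two request paths in the message above, modelled as an added example (this is not code from Nova, Keystone or the linked review). FakeKeystone stands in for Keystone token issuance and validation, VendordataService stands in for a vendordata REST service behind a keystonemiddleware-style token check, and the "nova-metadata" caller with the "vendordata_reader" role is a hypothetical least-privilege service account of the kind the thread discusses; instance ids, project names and the vendordata payload are constructed.

```python
"""Constructed model of the boot-time and post-boot vendordata requests.

Not Nova/Keystone code. FakeKeystone stands in for Keystone, VendordataService
for a vendordata REST service behind a keystonemiddleware-style check, and the
"nova-metadata" account with role "vendordata_reader" is hypothetical.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenInfo:
    user: str
    project: str
    roles: frozenset
    expires_at: float


class FakeKeystone:
    """In-memory stand-in for Keystone: issues and validates opaque tokens."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user, project, roles, ttl=3600):
        token = secrets.token_hex(16)
        self._tokens[token] = TokenInfo(user, project, frozenset(roles), time.time() + ttl)
        return token

    def validate(self, token):
        """Return TokenInfo for a live token, or None if unknown or expired."""
        info = self._tokens.get(token)
        if info is None or info.expires_at <= time.time():
            return None
        return info


class AuthError(Exception):
    pass


class VendordataService:
    """Vendordata REST endpoint behind a keystonemiddleware-style token check.

    `instances` maps instance id -> owning project. In a real deployment the
    metadata server resolves the instance itself; the instance never names it.
    """

    SERVICE_ROLE = "vendordata_reader"  # hypothetical role name

    def __init__(self, keystone, instances):
        self.keystone = keystone
        self.instances = instances

    def handle(self, headers, instance_id):
        token = headers.get("X-Auth-Token")
        if token is None:
            raise AuthError("401 no token")  # the denial the thread describes for cloud-init
        info = self.keystone.validate(token)
        if info is None:
            raise AuthError("401 invalid or expired token")
        owner = self.instances.get(instance_id)
        if owner is None:
            raise AuthError("404 unknown instance")
        # Authorize: the instance's own project (user token at boot) or a
        # service account holding the dedicated read role. Nothing else.
        if info.project != owner and self.SERVICE_ROLE not in info.roles:
            raise AuthError("403 caller may not read vendordata for this instance")
        return {"instance": instance_id, "project": owner, "caller": info.user,
                "vendordata": {"example_key": "constructed value"}}


def boot_time_request(service, user_token, instance_id):
    """Path 1: Nova forwards the initiating user's token with the request."""
    return service.handle({"X-Auth-Token": user_token}, instance_id)


def post_boot_request(service, instance_id, service_token=None):
    """Path 2: cloud-init asks the metadata server; there is no user token.

    Without a service account the metadata server has nothing to forward.
    With one, it authenticates as itself and names the instance it resolved.
    """
    headers = {} if service_token is None else {"X-Auth-Token": service_token}
    return service.handle(headers, instance_id)


def run_scenario():
    """Exercise both paths and return the outcomes so they can be checked."""
    ks = FakeKeystone()
    svc = VendordataService(ks, instances={"inst-1": "proj-a"})
    user_tok = ks.issue("alice", "proj-a", {"member"})
    nova_tok = ks.issue("nova-metadata", "service", {VendordataService.SERVICE_ROLE})
    other_tok = ks.issue("bob", "proj-b", {"member"})

    out = {"boot": boot_time_request(svc, user_tok, "inst-1")["caller"]}
    try:
        post_boot_request(svc, "inst-1")
        out["post_boot_no_token"] = "allowed"
    except AuthError as e:
        out["post_boot_no_token"] = str(e)
    out["post_boot_service"] = post_boot_request(svc, "inst-1", nova_tok)["caller"]
    try:
        boot_time_request(svc, other_tok, "inst-1")
        out["other_project"] = "allowed"
    except AuthError as e:
        out["other_project"] = str(e)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the post-boot path: the metadata server has no user token to forward, so a service identity is the only credential available on that path, and it should carry a role scoped to reading vendordata and nothing more. The instance id used for authorization comes from the metadata server's own lookup, not from anything the instance sends.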
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev