I think we need to look into using a trust for this instead of a Token hand-off. The need for one user or limited use trusts has come up multiple times. That coupled with a very short lived token (5 minutes) is probably a better solution.
----- Original Message ----- From: "Adam Young" <ayo...@redhat.com> To: openstack@lists.openstack.org Sent: Friday, October 25, 2013 9:06:29 PM Subject: Re: [Openstack] One Time Keystone Use Tokens? On 10/25/2013 04:03 PM, Ali, Haneef wrote: I don’t think it is possible. Can’t you revoke the token after VM boot? Yes, but I would not recommend doing that. You would have to modify every place that used tokens. Youncould make the token timeout very short, but it will break on any long running tasks. Thanks Haneef From: Brian Chong [ mailto:brian_ch...@symantec.com ] Sent: Friday, October 25, 2013 8:19 AM To: openstack@lists.openstack.org Subject: [Openstack] One Time Keystone Use Tokens? Hi, I'm trying to figure out if its possible to configure KeyStone tokens to be one time use. My use case is that when a user requests that they want to take a action on the platform (i.e.: boot a VM) they aren't also using that same token to load a image in Glance or delete another VM, etc. How would I do that or is that even possible? Thanks a lot! -Brian _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
