keystone/doc/source/user/trusts.rst
Andreas Jaeger f10f95b455 Docs: Make robust with using real links
Our tools noticed that keystone links to
https://docs.openstack.org/keystone/latest/admin/identity-domain-specific-config.html
which does not exist anymore.

The page was removed but the link to it was not changed. Replace this
and similar links with internal links that will work even if files are
moved - and can be verified, thus sphinx will error in case of broken
targets.

These changes include a few other fixes for broken keystone links, e.g.
to renamed anchors.

For the include files in admin/configuration.rst and
admin/federation/configure_federation.rst: Rename them to *inc.
The files were
published twice (as separate files and on this page) and thus
referencing failed. Renaming avoids this.

Also, put doctree outside of html tree so that it does not get
published.

Change-Id: I3d07637b0046cc88a66bcb51a0a4fe7c146c1549
2019-08-09 20:15:14 +02:00

Trusts

OpenStack Identity manages authentication and authorization. A trust is an OpenStack Identity extension that enables delegation and, optionally, impersonation through keystone. A trust extension defines a relationship between:

Trustor

The user delegating a limited set of their own rights to another user.

Trustee

The user the trust is being delegated to, for a limited time.

A trust can optionally allow the trustee to impersonate the trustor. For security reasons, some safeguards are built in. For example, if a trustor loses a given role, any trusts the user issued with that role, and the related tokens, are automatically revoked.

The delegation parameters are:

User ID

The user IDs for the trustor and trustee.

Privileges

The delegated privileges are a combination of a project ID and a number of roles that must be a subset of the roles assigned to the trustor.

If you omit all privileges, nothing is delegated. You cannot delegate everything.

Delegation depth

Defines whether the delegation is recursive and, if so, the length of the delegation chain.

Specify one of the following values:

  • 0. The delegate cannot delegate these permissions further.
  • 1. The delegate can delegate the permissions to any set of delegates, but the latter cannot delegate further.
  • inf. The delegation is infinitely recursive.

Endpoints

A list of endpoints associated with the delegation.

This parameter restricts the delegation to the specified endpoints. If you omit the endpoints, the delegation is useless. A special value of all_endpoints allows the trust to be used by all endpoints associated with the delegated project.

Duration

(Optional) The start time and end time of the trust.
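The delegation rules above, modelled as an added example (constructed for this page, not keystone's own code): roles must be a subset of the trustor's, omitted privileges or endpoints make the trust convey nothing, each re-delegation shortens the chain, and a trustor losing a role revokes the trusts issued with it. The parameter names follow this page rather than the keystone REST API, and the sample validity window is constructed.

```python
# Constructed model of the delegation rules described on this page; it is not
# keystone code, and its parameter names follow the page, not the REST API.
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Iterable, Optional

ALL_ENDPOINTS = "all_endpoints"
INF = float("inf")
WINDOW = (datetime(2024, 1, 1), datetime(2024, 1, 2))  # constructed sample validity window

@dataclass(frozen=True)
class Trust:
    trustor: str
    trustee: str
    project_id: str
    roles: FrozenSet[str]      # subset of the trustor's roles on project_id
    depth: float               # 0, 1 or INF: how far the trustee may re-delegate
    endpoints: FrozenSet[str]  # empty means the trust can be used nowhere
    start: Optional[datetime] = None
    end: Optional[datetime] = None

def create_trust(trustor_roles: Iterable[str], trustor, trustee, project_id,
                 roles, depth, endpoints, start=None, end=None) -> Trust:
    """Validate a trustor's delegation request against the rules on this page."""
    roles, endpoints = frozenset(roles), frozenset(endpoints)
    if not roles <= frozenset(trustor_roles):
        raise ValueError("delegated roles must be a subset of the trustor's roles")
    if depth not in (0, 1, INF):
        raise ValueError("delegation depth must be 0, 1 or inf")
    return Trust(trustor, trustee, project_id, roles, depth, endpoints, start, end)

def redelegate(parent: Trust, new_trustee, roles, endpoints) -> Trust:
    """The trustee passes on at most the roles it holds, one level shallower."""
    if parent.depth == 0:
        raise ValueError("this trust does not permit further delegation")
    child_depth = INF if parent.depth == INF else parent.depth - 1
    return create_trust(parent.roles, parent.trustee, new_trustee, parent.project_id,
                        roles, child_depth, endpoints, parent.start, parent.end)

def usable(trust: Trust, endpoint: str, now: Optional[datetime]) -> bool:
    """True if the trust conveys anything at this endpoint at this time."""
    if not trust.roles:  # no privileges: nothing was delegated
        return False
    if ALL_ENDPOINTS not in trust.endpoints and endpoint not in trust.endpoints:
        return False  # also covers omitted endpoints: the trust is useless
    return (trust.start is None or now >= trust.start) and (trust.end is None or now < trust.end)

def revoke_for_lost_role(trusts: Iterable[Trust], user: str, role: str) -> list:
    """A trustor losing a role revokes every trust they issued with that role."""
    return [t for t in trusts if not (t.trustor == user and role in t.roles)]
```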

Note

See the administrator guide on removing expired trusts (admin/manage-trusts) for recommended maintenance procedures.