9843767b21
Change-Id: I40999b1eb923fc3796cbb6d982e03d39cdf8c720 Implements: blueprint consistency-file-rename
1.8 KiB
Use trusts
OpenStack Identity manages authentication and authorization. A trust
is an OpenStack Identity extension that enables delegation and,
optionally, impersonation through keystone. A trust
extension defines a relationship between:
- Trustor
-
The user delegating a limited set of their own rights to another user.
- Trustee
-
The user trust is being delegated to, for a limited time.
The trust can eventually allow the trustee to impersonate the trustor. For security reasons, some safeties are added. For example, if a trustor loses a given role, any trusts the user issued with that role, and the related tokens, are automatically revoked.
The delegation parameters are:
- User ID
-
The user IDs for the trustor and trustee.
- Privileges
-
The delegated privileges are a combination of a tenant ID and a number of roles that must be a subset of the roles assigned to the trustor.
If you omit all privileges, nothing is delegated. You cannot delegate everything.
- Delegation depth
-
Defines whether or not the delegation is recursive. If it is recursive, defines the delegation chain length.
Specify one of the following values:
0. The delegate cannot delegate these permissions further.1. The delegate can delegate the permissions to any set of delegates but the latter cannot delegate further.inf. The delegation is infinitely recursive.
- Endpoints
-
A list of endpoints associated with the delegation.
This parameter further restricts the delegation to the specified endpoints only. If you omit the endpoints, the delegation is useless. A special value of
all_endpointsallows the trust to be used by all endpoints associated with the delegated tenant. - Duration
-
(Optional) Comprised of the start time and end time for the trust.