← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1459482] [NEW] Default policy too restrictive on getting user

 

Public bug reported:

For services that need to talk to many other services, Keystone has
provided the trust based authentication model. That is good.

When a user (e.g. USER) raises a service request, the actual job is
delegated to the service user (e.g. SERVICE). SERVICE user will use
trust mechanism for authentication in calls that follow. When creating a
trust between USER and SERVICE, we will need the user ID of the SERVICE
user, however, it is not possible today as keystone is restricting the
get_user call to be admin only.

A 'service' user may need to find out his own user ID given the user
name specified in the configuration file. The usage scenario is for a
requester to create a trust relationship with the service user so that
the service user can do jobs on the requester's behalf. Restricting
user_list or user_get to only admin users is making this very cumbersome
even impossible.

** Affects: keystone
     Importance: Undecided
     Assignee: Qiming Teng (tengqim)
         Status: In Progress

** Changed in: keystone
     Assignee: (unassigned) => Qiming Teng (tengqim)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1459482

Title:
  Default policy too restrictive on getting user

Status in OpenStack Identity (Keystone):
  In Progress

Bug description:
  For services that need to talk to many other services, Keystone has
  provided the trust based authentication model. That is good.

  When a user (e.g. USER) raises a service request, the actual job is
  delegated to the service user (e.g. SERVICE). SERVICE user will use
  trust mechanism for authentication in calls that follow. When creating
  a trust between USER and SERVICE, we will need the user ID of the
  SERVICE user, however, it is not possible today as keystone is
  restricting the get_user call to be admin only.

  A 'service' user may need to find out his own user ID given the user
  name specified in the configuration file. The usage scenario is for a
  requester to create a trust relationship with the service user so that
  the service user can do jobs on the requester's behalf. Restricting
  user_list or user_get to only admin users is making this very
  cumbersome even impossible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1459482/+subscriptions


Follow ups

References