yahoo-eng-team team mailing list archive
Message #33464
[Bug 1459482] Re: Default policy too restrictive on getting user
** Changed in: keystone
Status: In Progress => Opinion
** Changed in: keystone
Assignee: Qiming Teng (tengqim) => (unassigned)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1459482
Title:
Default policy too restrictive on getting user
Status in OpenStack Identity (Keystone):
Opinion
Bug description:
For services that need to talk to many other services, Keystone has
provided the trust-based authentication model. That is good.
When a user (e.g. USER) raises a service request, the actual job is
delegated to the service user (e.g. SERVICE). The SERVICE user will use
the trust mechanism for authentication in calls that follow. When creating
a trust between USER and SERVICE, we will need the user ID of the
SERVICE user; however, it is not possible today as Keystone is
restricting the get_user call to be admin only.
A 'service' user may need to find out his own user ID given the user
name specified in the configuration file. The usage scenario is for a
requester to create a trust relationship with the service user so that
the service user can do jobs on the requester's behalf. Restricting
user_list or user_get to only admin users is making this very
cumbersome, even impossible.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1459482/+subscriptions