Default policy too restrictive on getting user

Bug #1459482 reported by Qiming Teng
Affects: OpenStack Identity (keystone)
Status: Opinion
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

For services that need to talk to many other services, Keystone has provided the trust based authentication model. That is good.

When a user (e.g. USER) raises a service request, the actual job is delegated to the service user (e.g. SERVICE). The SERVICE user will use the trust mechanism for authentication in the calls that follow. When creating a trust between USER and SERVICE, we will need the user ID of the SERVICE user; however, that is not possible today, as keystone restricts the get_user call to admin only.

A 'service' user may need to find out its own user ID given the user name specified in the configuration file. The usage scenario is for a requester to create a trust relationship with the service user so that the service user can do jobs on the requester's behalf. Restricting user_list or user_get to admin users only makes this very cumbersome, even impossible.

Qiming Teng (tengqim)
Changed in keystone:
assignee: nobody → Qiming Teng (tengqim)
Changed in keystone:
status: New → In Progress
Revision history for this message
Dolph Mathews (dolph) wrote :

A 'service' user may discover its own user ID by validating its own token.

Changed in keystone:
importance: Undecided → Wishlist
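The token-based discovery Dolph describes, followed by the OS-TRUST request from the original use case, as an added example (not code from this bug or from keystone itself); the endpoint, credentials, ids and the fake transport used to run it offline are constructed placeholders.

```python
import io
import json
import urllib.request

KEYSTONE = "http://keystone.example:5000"  # assumption: placeholder endpoint

def password_auth_body(user_name, password, user_domain="Default"):
    # Identity v3 password authentication; an unscoped token is enough to learn our id.
    return {"auth": {"identity": {"methods": ["password"], "password": {"user": {
        "name": user_name, "password": password, "domain": {"name": user_domain}}}}}}

def user_id_from_token_response(body):
    # The token document from POST/GET /v3/auth/tokens carries the authenticated
    # user's id under token.user.id, so no admin-only users API call is needed.
    return body["token"]["user"]["id"]

def discover_own_user_id(user_name, password, opener=urllib.request.urlopen):
    # Returns (user_id, token) for the service user itself.
    req = urllib.request.Request(
        KEYSTONE + "/v3/auth/tokens", method="POST",
        data=json.dumps(password_auth_body(user_name, password)).encode(),
        headers={"Content-Type": "application/json"})
    with opener(req) as resp:
        token = resp.headers["X-Subject-Token"]
        body = json.load(resp)
    return user_id_from_token_response(body), token

def trust_body(trustor_id, trustee_id, project_id, role_names, impersonation=False):
    # Body for POST /v3/OS-TRUST/trusts, sent by the requester (trustor) once it
    # knows the trustee's id. Grant only the roles the delegated job needs.
    return {"trust": {"trustor_user_id": trustor_id, "trustee_user_id": trustee_id,
                      "project_id": project_id, "impersonation": impersonation,
                      "roles": [{"name": r} for r in role_names]}}

# Constructed sample token response so the flow can run offline; real ids differ.
SAMPLE_TOKEN_RESPONSE = {"token": {"methods": ["password"], "user": {
    "id": "c0ffee00constructed", "name": "heat", "domain": {"id": "default"}}}}

class _FakeResponse(io.BytesIO):
    # Stand-in for urllib's response object: headers plus a JSON body.
    headers = {"X-Subject-Token": "constructed-subject-token"}

def fake_opener(req):
    # Stand-in for urllib.request.urlopen; checks the request shape and replies.
    assert req.full_url.endswith("/v3/auth/tokens") and req.get_method() == "POST"
    assert json.loads(req.data)["auth"]["identity"]["methods"] == ["password"]
    return _FakeResponse(json.dumps(SAMPLE_TOKEN_RESPONSE).encode())

if __name__ == "__main__":
    service_id, _ = discover_own_user_id("heat", "secret", opener=fake_opener)
    print(json.dumps(trust_body("user-abc", service_id, "proj-1", ["member"]), indent=1))
```

Against a real deployment, drop the `opener` argument so `urllib.request.urlopen` talks to the configured Keystone endpoint.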
Revision history for this message
Lance Bragstad (lbragstad) wrote :

This is set to "In Progress" yet there is no bug linked. Qiming Teng, you don't have a patch floating around that addresses this, do you? I just want to link it here for context.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Qiming Teng (<email address hidden>) on branch: master
Review: https://review.openstack.org/181298
Reason: There is no easy way to get this done via policy tweaking. The original use case can be easily satisfied via token checking.

Big thanks to all reviewers.

Qiming Teng (tengqim)
Changed in keystone:
assignee: Qiming Teng (tengqim) → nobody
status: In Progress → Opinion