Default policy too restrictive on getting user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Opinion | Wishlist | Unassigned |
Bug Description
For services that need to talk to many other services, Keystone has provided the trust based authentication model. That is good.
When a user (e.g. USER) raises a service request, the actual job is delegated to the service user (e.g. SERVICE). SERVICE user will use trust mechanism for authentication in calls that follow. When creating a trust between USER and SERVICE, we will need the user ID of the SERVICE user, however, it is not possible today as keystone is restricting the get_user call to be admin only.
A 'service' user may need to find out its own user ID given the user name specified in the configuration file. The usage scenario is for a requester to create a trust relationship with the service user so that the service user can do jobs on the requester's behalf. Restricting user_list or user_get to only admin users is making this very cumbersome, even impossible.
Changed in keystone:
assignee: nobody → Qiming Teng (tengqim)

Changed in keystone:
status: New → In Progress

Changed in keystone:
assignee: Qiming Teng (tengqim) → nobody
status: In Progress → Opinion
A 'service' user may discover its own user ID by validating its own token.
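The approach in the comment above, as an added illustration that is not Keystone's own code or part of this bug report: the service user issues a token with its own credentials, validates that token (GET /v3/auth/tokens with X-Auth-Token and X-Subject-Token both set to it), reads token.user.id from the response, and the requester then uses that ID as trustee_user_id in a POST /v3/OS-TRUST/trusts body. No admin-only identity:get_user or identity:list_users call is involved. The endpoint URL, the user name "svc-orchestration" and the sample response body are assumptions constructed for the example; the request and response shapes are those of the Keystone v3 API.

```python
"""Added example (not Keystone project code): find a service user's own ID
from its own token, then build the trust request that delegates to it."""
import json

KEYSTONE_V3 = "https://keystone.example.com/v3"   # assumption: hypothetical endpoint


def password_auth_body(username, password, user_domain="Default", project_id=None):
    """Body for POST /v3/auth/tokens (password method); project scope is optional."""
    body = {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": {"name": username,
                                                        "password": password,
                                                        "domain": {"name": user_domain}}}}}}
    if project_id:
        body["auth"]["scope"] = {"project": {"id": project_id}}
    return body


def validate_own_token_request(token):
    """GET /v3/auth/tokens: authenticate with our token and ask about the same token.

    This is the 'validate your own token' path the comment above refers to;
    it does not need identity:get_user."""
    return {"method": "GET",
            "url": KEYSTONE_V3 + "/auth/tokens",
            "headers": {"X-Auth-Token": token, "X-Subject-Token": token}}


def user_id_from_token_body(body):
    """Extract token.user.id from a v3 token body.

    Both the issue response (POST /v3/auth/tokens) and the validate response
    (GET /v3/auth/tokens) carry the user block, so either works."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    try:
        return doc["token"]["user"]["id"]
    except (KeyError, TypeError):
        raise ValueError("not a v3 token body: token.user.id is missing")


def trust_request_body(trustor_user_id, trustee_user_id, project_id,
                       role_names, impersonation=False, expires_at=None):
    """Body for POST /v3/OS-TRUST/trusts delegating roles on a project.

    The requester (trustor) creates this; the service user is the trustee."""
    if trustor_user_id == trustee_user_id:
        raise ValueError("trustor and trustee must be different users")
    if not role_names:
        raise ValueError("a trust must delegate at least one role")
    trust = {"trustor_user_id": trustor_user_id,
             "trustee_user_id": trustee_user_id,
             "project_id": project_id,
             "impersonation": impersonation,
             "roles": [{"name": name} for name in role_names]}
    if expires_at:
        trust["expires_at"] = expires_at
    return {"trust": trust}


def build_trust_for_service(requester_user_id, project_id, service_token_body, role_names):
    """Full flow: service ID from the service's own token, then the trust body."""
    service_user_id = user_id_from_token_body(service_token_body)
    return trust_request_body(requester_user_id, service_user_id, project_id, role_names)


# Constructed sample of a v3 validate response; not captured from a real deployment.
SAMPLE_VALIDATE_RESPONSE = json.dumps({
    "token": {
        "methods": ["password"],
        "user": {"id": "9e1d2b4c7a3f4e0b8c6d5a2f1b0e9d8c",
                 "name": "svc-orchestration",
                 "domain": {"id": "default", "name": "Default"}},
        "expires_at": "2015-01-01T00:00:00.000000Z",
        "audit_ids": ["x0kZ8W3SSo6kYm0ApT5o1Q"],
    }
})

if __name__ == "__main__":
    print(json.dumps(build_trust_for_service(
        "3a5e7c9b1d2f4a6c8e0b2d4f6a8c0e1b", "proj-1234",
        SAMPLE_VALIDATE_RESPONSE, ["member"]), indent=2))
```

In a live deployment the two request dictionaries are sent with any HTTP client; the point is that the only Keystone calls on the service side are token issue and token validate, both of which return the caller's own user ID without touching the user-read policy rules the bug complains about.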