@Morgan Fainberg - my vote is for (1), since there may be users of both trusts and ec2tokens on Grizzly (who won't want this hole to be exploitable), but they probably don't care about ec2 credentials derived from a trust (well, they can't, because it doesn't currently work).
AFAIK Heat is the only thing which wants to make use of ec2 credentials derived from a trust ID, which will be possible after this is fixed, and we only care about that functionality from Havana onwards, so (1) wfm and shouldn't impact existing users (whereas the second option will, potentially).