I took Jamie's approach in my patches:
https://review.openstack.org/#/c/57492/
https://review.openstack.org/#/c/57481/
https://review.openstack.org/#/c/56243/
As for your first question, I believe it is already impossible to generate a new token from a trust token, or am I mistaken? (https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L155)