Comment 1 for bug 1595084

Regarding the solutions:

2) and 3)
- the actions invoked can also time out internally, we have no influence on this.
- E.g. call a heat stack create that takes who knows much time. How do you decide whether the token needs to be renewed before the action? What if the token expiration is shorter than the expected length of the operation?
- renewing a token without admin credentials is impossible

Due to these reasons, I think 2) and 3) are not valid solutions.

1) yes, I think we should go for using trusts
- maybe the Mistral client could create the trust and Mistral could simply reuse it
- creating trusts does not require admin rights
- Mistral could run without admin credentials which is very important for standalone applications

Finally, IMHO at this point requiring keystone V3 should not be a limitation for deployments.