Allow Keystone Trusts in API request headers

Registered by Tomek Adamczewski

Heat uses Keystone Trusts to support autoscaling. But a trust cannot be provided through an API call: either a "not-trust-scoped" auth token or user credentials have to be specified in request headers. If client applications could provide trusts directly in requests, they could manage user stacks automatically, without knowing user credentials.

Blueprint information

Status: Complete
Approver: Steve Baker
Priority: Undefined
Drafter: None
Direction: Needs approval
Assignee: Steven Hardy
Definition: Obsolete
Series goal: None
Implementation: Not started
Milestone target: next
Completed by: Angus Salkeld

Whiteboard

(shardy) So, it's not as simple as just providing a trust directly in the request, because you still need to authenticate the API call, which you want to do as the user owning the stack, not the proxy-service holding the trust. This use-case was discussed at the summit in the keystone delegation session, and the outcome was that keystone would need to add support for chained delegation via trusts:

https://etherpad.openstack.org/p/icehouse-delegation
https://gist.github.com/dolph/7366031
https://blueprints.launchpad.net/keystone/+spec/trusts-chained-delegation

If keystone gains that functionality, I think Heat can support this use-case with little or no work.

(asalkeld) if you want to give this another go, please post a spec.
