Enable explicit impersonation
Keystone authentication should support services explicitly impersonating users. With such requests, the authentication middleware should authenticate both the service and the user that is being impersonated.
For example, when nova downloads an image from glance on behalf of a given user, glance should be able to know that it is talking to nova and not directly to the user. This would eventually let deployers set up different authorization for users and for services.
As an added bonus, keystone should support potentially different authentication mechanisms for services and users. In particular, a given deployer might want to have services authenticate with PKI, but have users continue to use UUID tokens.
This has been implemented by User to User Trusts in Grizzly.
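The dual-authentication check described above, as an added example that is not Keystone's own middleware: a toy WSGI filter validates a service token and the impersonated user's token against a constructed token store, rejects the request if either is missing or of the wrong kind, records both identities for audit, and passes them to a glance-like backend that authorizes the service and the user separately. The header names, token strings and token store are assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple
# Constructed token store standing in for Keystone's token backend
# (hypothetical token strings, not real Keystone tokens).
TOKEN_STORE: Dict[str, dict] = {
    "user-token-alice": {"kind": "user", "name": "alice", "roles": ["member"]},
    "svc-token-nova": {"kind": "service", "name": "nova", "roles": ["service"]},
}

class ExplicitImpersonationMiddleware:
    """Authenticate the calling service (X-Service-Token) AND the impersonated
    user (X-Auth-Token). Both must validate with the expected kind, so a user
    token cannot pose as a service token or vice versa; accepted requests are
    recorded with both identities so the action is auditable."""

    def __init__(self, app: Callable, token_store: Dict[str, dict]):
        self.app, self.tokens = app, token_store
        self.audit_log: List[Tuple[str, str, str]] = []

    def _validate(self, token: Optional[str], kind: str) -> Optional[dict]:
        ident = self.tokens.get(token or "")
        return ident if ident is not None and ident["kind"] == kind else None

    def __call__(self, environ: dict, start_response: Callable):
        service = self._validate(environ.get("HTTP_X_SERVICE_TOKEN"), "service")
        user = self._validate(environ.get("HTTP_X_AUTH_TOKEN"), "user")
        if service is None or user is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"both service and user must authenticate"]
        # Expose both identities so the backend can authorize them separately.
        environ["impersonation.service"], environ["impersonation.user"] = service, user
        self.audit_log.append((service["name"], user["name"], environ.get("PATH_INFO", "")))
        return self.app(environ, start_response)

def image_download_app(environ: dict, start_response: Callable):
    """Toy glance-like backend: only nova may fetch images, and only for members."""
    svc, user = environ["impersonation.service"], environ["impersonation.user"]
    if svc["name"] != "nova" or "member" not in user["roles"]:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"not authorized"]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return [b"<image bytes>"]

def request(app: Callable, headers: Dict[str, str], path: str = "/v1/images/1") -> str:
    """Drive a WSGI app with the given headers and return the status line."""
    environ = {"PATH_INFO": path}
    environ.update({"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()})
    status: List[str] = []
    list(app(environ, lambda s, h: status.append(s)))
    return status[0]
```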
Blueprint information
- Status: Complete
- Approver: None
- Priority: Medium
- Drafter: None
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: None
- Implementation: Implemented
- Milestone target: None
- Started by: Adam Young
- Completed by: Adam Young
Whiteboard
This is closely related to a use case I brought up with OASIS ID-CLOUD:
https:/
The use case points out the need for auditability across all services that use impersonated-