Enable explicit impersonation

Registered by Mark Washenberger

Keystone authentication should support services explicitly impersonating users. With such requests, the authentication middleware should authenticate both the service and the user that is being impersonated.

For example, when nova is downloading an image from glance for a given user, glance should be able to know that it is talking to nova and not directly to the user. This would enable deployers eventually to set up different authorization for users and for services.

As an added bonus, keystone should support potentially different authentication mechanisms for services and users. In particular, a given deployer might want to have services authenticate with PKI, but have users continue to use UUID tokens.

This has been implemented by User to User Trusts in Grizzly.

Blueprint information

Status: Complete
Approver: None
Priority: Medium
Drafter: None
Direction: Needs approval
Assignee: None
Definition: New
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: Adam Young
Completed by: Adam Young
