OpenStack Identity manages authentication and authorization. A trust is an OpenStack Identity extension that enables delegation and, optionally, impersonation through keystone. A trust extension defines a relationship between:
The user trust is being delegated to, for a limited time.
The trust can eventually allow the trustee to impersonate the trustor. For security reasons, some safeties are added. For example, if a trustor loses a given role, any trusts the user issued with that role, and the related tokens, are automatically revoked.
The delegation parameters are:
The delegated privileges are a combination of a tenant ID and a number of roles that must be a subset of the roles assigned to the trustor.
If you omit all privileges, nothing is delegated. You cannot delegate everything.
Defines whether or not the delegation is recursive. If it is recursive, defines the delegation chain length.
Specify one of the following values:
A list of endpoints associated with the delegation.
This parameter further restricts the delegation to the specified endpoints only. If you omit the endpoints, the delegation is useless. A special value of all_endpoints allows the trust to be used by all endpoints associated with the delegated tenant.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License http://creativecommons.org/licenses/by/3.0/legalcode.