Bug 1110589

Summary: [RFE][keystone]: Allow Redelegation via Trusts
Product: Red Hat OpenStack Reporter: RHOS Integration <rhos-integ>
Component: openstack-keystoneAssignee: Nathan Kinder <nkinder>
Status: CLOSED ERRATA QA Contact: yeylon <yeylon>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ayoung, mabrams, markmc, mlopes, nbarcet, srevivo, yeylon
Target Milestone: Upstream M2Keywords: FutureFeature, OtherQA
Target Release: 7.0 (Kilo)   
Hardware: Unspecified   
OS: Unspecified   
URL: https://blueprints.launchpad.net/keystone/+spec/trusts-redelegation
Whiteboard: upstream_milestone_kilo-2 upstream_definition_approved upstream_status_implemented
Fixed In Version: openstack-keystone-2015.1.0-1.el7ost Doc Type: Enhancement
Doc Text:
The Identity Service (keystone) now allows for re-delegation of trusts. This allows a trustee with a trust token to create another trust to delegate their roles to others. In addition, a counter enumerates the number of times a trust can be re-delegated. This feature allows a trustee to re-delegate the roles contained in its trust token to another trustee. The user creating the initial trust can control if a trust can be re-delegated when this is necessary. Consequently, trusts can now be re-delegated if the original trust allows it.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-05 13:12:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description RHOS Integration 2014-06-18 04:05:44 UTC 
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/trusts-redelegation.

Description:

Add support to trusts such that redelegation between consumers of trusts
(trustees, which are services for the currently expected use-cases) is
possible.

Specification URL (additional information):

None
Comment 2 Mike Abrams 2015-03-20 09:39:46 UTC 
Nathan, need more on the success criteria here; i've read the full spec here but still feel i need some direction on how to test.  thx a lot.
Comment 3 Nathan Kinder 2015-03-20 16:32:26 UTC 
(In reply to Mike Abrams from comment #2)
> Nathan, need more on the success criteria here; i've read the full spec here
> but still feel i need some direction on how to test.  thx a lot.

So this new "allow_redelegation" setting essentially just lets you
create a trust using a trust token.  This previously was not possible.
Aditionally, there is a counter to say how many times a trust can be
redelegated . You should do some basic tests for this:

- Attempt to create a trust to redelegate using a trust token when
allow_redelegation is not set (should fail - negative test).

- Attempt to create a trust to redelegate using a trust token when
allow_redelegation is set, then execute that new trust (should pass).

- Set a counter for the max number of delegations to something like 2,
then make sure if can only be chained that many times.
Comment 10 errata-xmlrpc 2015-08-05 13:12:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1548