1110589 – [RFE][keystone]: Allow Redelegation via Trusts

Bug 1110589 - [RFE][keystone]: Allow Redelegation via Trusts

Summary: [RFE][keystone]: Allow Redelegation via Trusts

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-keystone
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	Upstream M2
Target Release:	7.0 (Kilo)
Assignee:	Nathan Kinder
QA Contact:	yeylon@redhat.com
Docs Contact:
URL:	https://blueprints.launchpad.net/keys...
Whiteboard:	upstream_milestone_kilo-2 upstream_de...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-06-18 04:05 UTC by RHOS Integration
Modified:	2016-04-26 23:12 UTC (History)
CC List:	7 users (show)
Fixed In Version:	openstack-keystone-2015.1.0-1.el7ost
Doc Type:	Enhancement
Doc Text:	The Identity Service (keystone) now allows for re-delegation of trusts. This allows a trustee with a trust token to create another trust to delegate their roles to others. In addition, a counter enumerates the number of times a trust can be re-delegated. This feature allows a trustee to re-delegate the roles contained in its trust token to another trustee. The user creating the initial trust can control if a trust can be re-delegated when this is necessary. Consequently, trusts can now be re-delegated if the original trust allows it.
Clone Of:
Environment:
Last Closed:	2015-08-05 13:12:36 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2015:1548	0	normal	SHIPPED_LIVE	Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory	2015-08-05 17:07:06 UTC

Description RHOS Integration 2014-06-18 04:05:44 UTC

Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/trusts-redelegation.

Description:

Add support to trusts such that redelegation between consumers of trusts
(trustees, which are services for the currently expected use-cases) is
possible.

Specification URL (additional information):

None

Comment 2 Mike Abrams 2015-03-20 09:39:46 UTC

Nathan, need more on the success criteria here; i've read the full spec here but still feel i need some direction on how to test.  thx a lot.

Comment 3 Nathan Kinder 2015-03-20 16:32:26 UTC

(In reply to Mike Abrams from comment #2)
> Nathan, need more on the success criteria here; i've read the full spec here
> but still feel i need some direction on how to test.  thx a lot.

So this new "allow_redelegation" setting essentially just lets you
create a trust using a trust token.  This previously was not possible.
Aditionally, there is a counter to say how many times a trust can be
redelegated . You should do some basic tests for this:

- Attempt to create a trust to redelegate using a trust token when
allow_redelegation is not set (should fail - negative test).

- Attempt to create a trust to redelegate using a trust token when
allow_redelegation is set, then execute that new trust (should pass).

- Set a counter for the max number of delegations to something like 2,
then make sure if can only be chained that many times.

Comment 10 errata-xmlrpc 2015-08-05 13:12:36 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1548

Note You need to log in before you can comment on or make changes to this bug.