78 lines
2.5 KiB
ReStructuredText
78 lines
2.5 KiB
ReStructuredText
==========
|
|
Use trusts
|
|
==========
|
|
|
|
OpenStack Identity manages authentication and authorization. A trust is
|
|
an OpenStack Identity extension that enables delegation and, optionally,
|
|
impersonation through ``keystone``. A trust extension defines a
|
|
relationship between:
|
|
|
|
**Trustor**
|
|
The user delegating a limited set of their own rights to another user.
|
|
|
|
**Trustee**
|
|
The user trust is being delegated to, for a limited time.
|
|
|
|
The trust can eventually allow the trustee to impersonate the trustor.
|
|
For security reasons, some safeties are added. For example, if a trustor
|
|
loses a given role, any trusts the user issued with that role, and the
|
|
related tokens, are automatically revoked.
|
|
|
|
The delegation parameters are:
|
|
|
|
**User ID**
|
|
The user IDs for the trustor and trustee.
|
|
|
|
**Privileges**
|
|
The delegated privileges are a combination of a project ID and a
|
|
number of roles that must be a subset of the roles assigned to the
|
|
trustor.
|
|
|
|
If you omit all privileges, nothing is delegated. You cannot
|
|
delegate everything.
|
|
|
|
**Delegation depth**
|
|
Defines whether or not the delegation is recursive. If it is
|
|
recursive, defines the delegation chain length.
|
|
|
|
Specify one of the following values:
|
|
|
|
- ``0``. The delegate cannot delegate these permissions further.
|
|
|
|
- ``1``. The delegate can delegate the permissions to any set of
|
|
delegates but the latter cannot delegate further.
|
|
|
|
- ``inf``. The delegation is infinitely recursive.
|
|
|
|
**Endpoints**
|
|
A list of endpoints associated with the delegation.
|
|
|
|
This parameter further restricts the delegation to the specified
|
|
endpoints only. If you omit the endpoints, the delegation is
|
|
useless. A special value of ``all_endpoints`` allows the trust to be
|
|
used by all endpoints associated with the delegated project.
|
|
|
|
**Duration**
|
|
(Optional) Comprised of the start time and end time for the trust.
|
|
|
|
|
|
Removing Expired Trusts
|
|
===========================================================
|
|
|
|
In the SQL trust stores expired and soft deleted trusts, that are not
|
|
automatically removed. These trusts can be removed with::
|
|
|
|
$ keystone-manage trust_flush [options]
|
|
|
|
OPTIONS (optional):
|
|
|
|
--project-id <string>:
|
|
To purge trusts of given project-id.
|
|
--trustor-user-id <string>:
|
|
To purge trusts of given trustor-id.
|
|
--trustee-user-id <string>:
|
|
To purge trusts of given trustee-id.
|
|
--date <string>:
|
|
To purge trusts older than date. If no date is supplied
|
|
keystone-manage will use the system clock time at runtime.
|