alistarle | Hello guys, just a quick question about trust creation: why have we hardcoded that the trustor must be the authenticated user? https://github.com/openstack/keystone/blob/master/keystone/api/trusts.py#L286 Can't we rely on policy for that? As all the fields can be specified in the API, why can't an admin create a trust on behalf of users? It can be very useful | 10:48 |
---|---|---|
alistarle | for orchestration use-cases | 10:48 |
alistarle | To make it more official, I have created a bug report about that: https://bugs.launchpad.net/keystone/+bug/1954425 | 11:21 |
*** marlinc is now known as Guest8143 | 13:25 | |
raildo | alistarle, Keystone relies on the policy to check all the API calls, including the creating new trust action; by using the context as well, we can check if the authenticated user will be the same as the trustee. IMHO this way will be much more secure than just opening it to admins to create trust for everyone, but this is just how the trust was implemented at that point. I don't see it as a bug, but if you want to change how this was implemented I | 13:32 |
raildo | would suggest to bring this topic to the Keystone meeting and you can bring your points on why opening it to an admin scope would be better than the current solution | 13:32 |
opendevreview | Merged openstack/keystone master: Accept STS and IAM services from Ceph Obj Gateway https://review.opendev.org/c/openstack/keystone/+/754404 | 17:02 |
-opendevstatus- NOTICE: The Gerrit service on review.opendev.org is being quickly restarted for a configuration adjustment, and should return momentarily | 17:26 | |
mloza | hello, how can I use the `openstack limit` option? | 19:07 |
mloza | I tried `openstack --os-system-scope all limit create test --project mloza_test --service compute --resource-limit 40` | 19:07 |
mloza | but I'm getting this error `You are not authorized to perform the requested action: identity:create_limits.` | 19:08 |
mloza | my user has the admin role | 19:09 |
-opendevstatus- NOTICE: The Gerrit service on review.opendev.org is being restarted again for a plugin change, and should be back shortly | 20:17 |