Using Trusts

The Metacloud Identity service manages authentication and authorization. A trust is a Metacloud Identity extension that enables delegation and impersonation using keystone.

A trust extension defines a relationship between:

  • Trustor—The user delegating a limited set of their own rights to another user.

  • Trustee—The user trust is being delegated to, for a limited time.

    The trust can enable the trustee to impersonate the trustor. To ensure security, if a trustor loses a given role, any trusts the user issued with that role, and the related tokens, are automatically revoked.

The delegation parameters are:

  • User ID—The user IDs for the trustor and trustee.
  • Privileges—The delegated privileges are a combination of a tenant ID and a number of roles that must be a subset of the roles assigned to the trustor. If you omit all privileges, nothing is delegated. You cannot delegate everything.
  • Delegation depth—Defines whether or not the delegation is recursive. If it is recursive, it defines the delegation chain length.

    Specify one of the following values:

    • 0—The delegate cannot delegate these permissions further.

    • 1—The delegate can delegate the permissions to any set of delegates but the latter cannot delegate further.

    • inf—The delegation is infinitely recursive.

  • Endpoints—A list of endpoints associated with the delegation. This parameter further restricts the delegation to the specified endpoints only. You must include endpoints or the delegation cannot be used. A value of all_endpoints allows the trust to be used by all endpoints associated with the delegated tenant.
  • Duration—(Optional) The start time and end time for the trust.