Trust provider.
Trusts.
A trust represents a user’s (the trustor) authorization to delegate roles to another user (the trustee), and optionally allow the trustee to impersonate the trustor. After the trustor has created a trust, the trustee can specify the trust’s id attribute as part of an authentication request to then create a token representing the delegated authority of the trustor.
The trust contains constraints on the delegated attributes. A token created based on a trust will convey a subset of the trustor’s roles on the specified project. Optionally, the trust may only be valid for a specified time period, as defined by expires_at. If no expires_at is specified, then the trust is valid until it is explicitly revoked.
The impersonation flag allows the trustor to optionally delegate impersonation abilities to the trustee. To services validating the token, the trustee will appear as the trustor, although the token will also contain the impersonation flag to indicate that this behavior is in effect.
A project_id may not be specified without at least one role, and vice versa. In other words, there is no way of implicitly delegating all roles to a trustee; this prevents users from accidentally creating trusts that are much broader in scope than intended. A trust without a project_id or any delegated roles is unscoped, and therefore does not represent authorization on a specific resource.
Trusts are immutable. If the trustee or trustor wishes to modify the attributes of the trust, they should create a new trust and delete the old trust. If a trust is deleted, any tokens generated based on the trust are immediately revoked.
If the trustor loses access to any delegated attributes, the trust becomes immediately invalid and any tokens generated based on the trust are immediately revoked.
Trusts can also be chained, meaning that a trust can be created using a trust-scoped token.
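The constraints described above, modelled as an added example (not the crate's own types or code): a hypothetical Trust record, the creation-time check that project_id and roles go together, and the checks a token issuer would apply (expiry, the trustor still holding every delegated role, and which identity the token presents when impersonation is set). Timestamps are assumed to be Unix seconds.

```rust
use std::collections::HashSet;

/// Minimal trust record, constructed for this example only.
#[derive(Debug, Clone)]
pub struct Trust {
    pub trustor_user_id: String,
    pub trustee_user_id: String,
    pub project_id: Option<String>,
    pub roles: Vec<String>,
    pub impersonation: bool,
    /// Unix seconds; None means valid until explicitly revoked.
    pub expires_at: Option<u64>,
}

#[derive(Debug, PartialEq)]
pub enum TrustCheckError {
    ProjectWithoutRoles,
    RolesWithoutProject,
    Expired,
    TrustorLostRole(String),
}

/// Creation-time rule: a project_id requires at least one role and vice
/// versa. A trust with neither is allowed, but it is unscoped.
pub fn validate_new_trust(t: &Trust) -> Result<(), TrustCheckError> {
    match (&t.project_id, t.roles.is_empty()) {
        (Some(_), true) => Err(TrustCheckError::ProjectWithoutRoles),
        (None, false) => Err(TrustCheckError::RolesWithoutProject),
        _ => Ok(()),
    }
}

/// Token-issuance check at time `now`: the trust must not have expired and
/// the trustor must still hold every delegated role on the project
/// (`trustor_roles`). On success, returns the roles the token would carry.
pub fn token_roles_for_trust(
    t: &Trust, now: u64, trustor_roles: &HashSet<String>,
) -> Result<Vec<String>, TrustCheckError> {
    if let Some(exp) = t.expires_at {
        if now >= exp { return Err(TrustCheckError::Expired); }
    }
    if let Some(lost) = t.roles.iter().find(|r| !trustor_roles.contains(*r)) {
        return Err(TrustCheckError::TrustorLostRole(lost.clone()));
    }
    Ok(t.roles.clone())
}

/// Identity the token presents to validating services.
pub fn token_user_id(t: &Trust) -> &str {
    if t.impersonation { &t.trustor_user_id } else { &t.trustee_user_id }
}
```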
Re-exports
pub use error::TrustProviderError;
pub use types::*;
Modules
- api
- Trust API
- backend
- Trust provider Backend trait.
- error
- Trust Error
- service
- Trust provider.
- types
- Trust Extension types
Enums
- TrustProvider
- Trust provider.