==========
Use trusts
==========

OpenStack Identity manages authentication and authorization. A trust is
an OpenStack Identity extension that enables delegation and, optionally,
impersonation through ``keystone``. A trust extension defines a
relationship between:

**Trustor**
  The user delegating a limited set of their own rights to another user.

**Trustee**
  The user trust is being delegated to, for a limited time.

  The trust can eventually allow the trustee to impersonate the trustor.
  For security reasons, some safeties are added. For example, if a trustor
  loses a given role, any trusts the user issued with that role, and the
  related tokens, are automatically revoked.

The delegation parameters are:

**User ID**
  The user IDs for the trustor and trustee.

**Privileges**
  The delegated privileges are a combination of a project ID and a
  number of roles that must be a subset of the roles assigned to the
  trustor.

  If you omit all privileges, nothing is delegated. You cannot
  delegate everything.

**Delegation depth**
  Defines whether or not the delegation is recursive. If it is
  recursive, defines the delegation chain length.

  Specify one of the following values:

  - ``0``. The delegate cannot delegate these permissions further.

  - ``1``. The delegate can delegate the permissions to any set of
    delegates but the latter cannot delegate further.

  - ``inf``. The delegation is infinitely recursive.

**Endpoints**
  A list of endpoints associated with the delegation.

  This parameter further restricts the delegation to the specified
  endpoints only. If you omit the endpoints, the delegation is
  useless. A special value of ``all_endpoints`` allows the trust to be
  used by all endpoints associated with the delegated project.

**Duration**
  (Optional) Comprised of the start time and end time for the trust.


Removing Expired Trusts
===========================================================

In the SQL trust stores expired and soft deleted trusts, that are not
automatically removed. These trusts can be removed with::

    $ keystone-manage trust_flush [options]

 OPTIONS (optional):

        --project-id <string>:
                    To purge trusts of given project-id.
        --trustor-user-id <string>:
                    To purge trusts of given trustor-id.
        --trustee-user-id <string>:
                    To purge trusts of given trustee-id.
        --date <string>:
                    To purge trusts older than date. If no date is supplied
                    keystone-manage will use the system clock time at runtime.
