[openstack-dev] [Ceilometer] Event API Access Controls

Herndon, John Luke (HPCS - Ft. Collins) john.herndon at hp.com
Mon Aug 5 16:26:30 UTC 2013

Hi Julien,

On 8/5/13 2:04 AM, "Julien Danjou" <julien at danjou.info> wrote:

>On Sat, Aug 03 2013, Herndon, John Luke (HPCS - Ft. Collins) wrote:
>Hi John,
>> Hello, I'm currently implementing the event api blueprint[0], and am
>> wondering what access controls we should impose on the event api. The
>> purpose of the blueprint is to provide a StackTach equivalent in the
>> ceilometer api. I believe that StackTach is used as an internal tool
>> end with no access to end users. Given that the event api is targeted at
>> administrators, I am currently thinking that it should be limited to
>> users only. However, I wanted to ask for input on this topic. Any
>> for opening it up so users can look at events for their resources? Any
>> arguments for not doing so?
>You should definitely use the policy system we has in Ceilometer to
>check that the user is authenticated and has admin privileges. We
>already have such a mechanism in ceilometer.api.acl.
>I don't see any point to expose raw operator system data to the users.
>That could even be dangerous security wise.

This plans sounds good to me. We can enable/disable the event api for
users, but is there a way to restrict a user to viewing only his/her
events using the policy system? Or do we not need to do that?


>Julien Danjou
>// Free Software hacker / freelance consultant
>// http://julien.danjou.info
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5443 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130805/e160b0df/attachment.bin>

More information about the OpenStack-dev mailing list