[openstack-dev] [Ceilometer] Event API Access Controls
Herndon, John Luke (HPCS - Ft. Collins)
john.herndon at hp.com
Mon Aug 5 16:26:30 UTC 2013
On 8/5/13 2:04 AM, "Julien Danjou" <julien at danjou.info> wrote:
>On Sat, Aug 03 2013, Herndon, John Luke (HPCS - Ft. Collins) wrote:
>> Hello, I'm currently implementing the event api blueprint, and am
>> wondering what access controls we should impose on the event api. The
>> purpose of the blueprint is to provide a StackTach equivalent in the
>> ceilometer api. I believe that StackTach is used as an internal tool
>> end with no access to end users. Given that the event api is targeted at
>> administrators, I am currently thinking that it should be limited to
>> users only. However, I wanted to ask for input on this topic. Any
>> for opening it up so users can look at events for their resources? Any
>> arguments for not doing so?
>You should definitely use the policy system we have in Ceilometer to
>check that the user is authenticated and has admin privileges. We
>already have such a mechanism in ceilometer.api.acl.
>I don't see any point to expose raw operator system data to the users.
>That could even be dangerous security wise.
This plan sounds good to me. We can enable/disable the event api for
users, but is there a way to restrict a user to viewing only his/her
events using the policy system? Or do we not need to do that?
>// Free Software hacker / freelance consultant
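The two access models discussed in this thread (admin-only, and users limited to their own events), as an added sketch that is not part of the original messages and is not Ceilometer code. The `Context` and `Event` types, the role names, and the `visible_events` function are hypothetical, and the sample events are constructed.

```python
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised when the caller may not read the requested events."""


@dataclass(frozen=True)
class Context:  # hypothetical request context derived from the auth token
    project_id: str
    roles: frozenset


@dataclass(frozen=True)
class Event:  # hypothetical minimal event record
    event_type: str
    project_id: Optional[str]  # None = operator/system event with no owner


def visible_events(ctx, events, requested_project=None, allow_users=False):
    """Return the events ctx may read.

    allow_users=False: admin-only API, as recommended in the thread.
    allow_users=True: non-admins see only their own project's events.
    """
    if "admin" in ctx.roles:
        # Admins may see everything or narrow to any one project.
        return [e for e in events
                if requested_project is None or e.project_id == requested_project]
    if not allow_users or not ctx.project_id:
        raise Forbidden("event API is restricted to administrators")
    if requested_project not in (None, ctx.project_id):
        raise Forbidden("cannot query another project's events")
    # Scope comes from the token, never from the query. Ownerless events
    # (project_id None) cannot equal a real project id, so they stay hidden.
    return [e for e in events if e.project_id == ctx.project_id]


# Constructed sample data, not taken from a real deployment.
EVENTS = [
    Event("compute.instance.create.end", "proj-a"),
    Event("compute.instance.delete.end", "proj-b"),
    Event("scheduler.run_instance.scheduled", None),
]
ADMIN = Context("proj-ops", frozenset({"admin"}))
USER_A = Context("proj-a", frozenset({"member"}))
```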