[openstack-dev] [novaclient] Should administrator be able to see all servers of all tenants by default?

Robert Collins robertc at robertcollins.net
Tue Oct 15 08:56:25 UTC 2013


Please don't invert the bug though: if --all-tenants becomes the
default nova server behaviour in v3, please ensure there is a
--no-all-tenants to unbreak it for non-trivial clouds.

Thanks!
-Rob

On 15 October 2013 20:54, Lingxian Kong <anlin.kong at gmail.com> wrote:
> then, what's the conclusion that we can begin to start?
>
>
> 2013/10/15 Christopher Yeoh <cbkyeoh at gmail.com>
>>
>> On Tue, Oct 15, 2013 at 10:25 AM, Caitlin Bestler
>> <caitlin.bestler at nexenta.com> wrote:
>>>
>>> On 10/14/2013 8:37 AM, Ben Nemec wrote:
>>>>
>>>> I agree that this needs to be fixed.  It's very counterintuitive, if
>>>> nothing else (which is also my argument against requiring all-tenants
>>>> for admin users in the first place).  The only question for me is
>>>> whether to fix it in novaclient or in Nova itself.
>>>
>>>
>>> If it is fixed in novaclient, then any unscrupulous tenant would be able
>>> to unfix it in novaclient themselves and gain the same information about
>>> other tenants that the bug is allowing.
>>>
>>> So if the intent is to protect leakage of information across tenant lines
>>> then the correct solution is a real lock (i.e. in Nova) rather
>>> than just a screen door "lock".
>>>
>>
>> The novaclient fix for V2 would be simply to automatically pass
>> all-tenants where needed. It would not give a non admin user any extra
>> privileges even if they modified novaclient.
>>
>> Chris
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
>
> --
> --------------------------------------------
> Lingxian Kong
> Huawei Technologies Co.,LTD.
> IT Product Line CloudOS PDU
> China, Xi'an
> Mobile: +86-18602962792
> Email: konglingxian at huawei.com; anlin.kong at gmail.com
>



-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud
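
The distinction argued in this thread, sketched as an added example (not part of the original messages, and not Nova or novaclient code): the server decides tenant scope from the authenticated context, so a client-side default or a modified client changes convenience, not privilege. `Context`, `api_list_servers`, `client_list_servers` and the sample inventory are hypothetical, and silently ignoring the flag for non-admins is a modelling choice.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Identity the server derives from the auth token, never from request parameters."""
    project_id: str
    is_admin: bool


# Constructed sample inventory: (server name, owning tenant)
SERVERS = [("web-1", "tenant-a"), ("db-1", "tenant-a"), ("build-1", "tenant-b")]


def api_list_servers(ctx, params):
    """Server side (the 'real lock'): all_tenants widens scope only for admins."""
    wants_all = str(params.get("all_tenants", "0")).lower() in ("1", "true")
    if wants_all and ctx.is_admin:
        return [name for name, _ in SERVERS]
    # Non-admins stay scoped to their own tenant whatever the client sent.
    return [name for name, owner in SERVERS if owner == ctx.project_id]


def client_list_servers(ctx, all_tenants=None):
    """Client side: a convenience default with an explicit opt-out.

    all_tenants=None  -> send the flag automatically for admin users
    all_tenants=False -> the --no-all-tenants case, never send it
    all_tenants=True  -> always send it (what a modified client could do)

    Passing ctx straight through stands in for the token the real API
    would validate; the client cannot choose its own is_admin value.
    """
    if all_tenants is None:
        all_tenants = ctx.is_admin
    params = {"all_tenants": "1"} if all_tenants else {}
    return api_list_servers(ctx, params)


if __name__ == "__main__":
    admin = Context("tenant-a", True)
    user = Context("tenant-b", False)
    print("admin, default:       ", client_list_servers(admin))
    print("admin, opt-out:       ", client_list_servers(admin, all_tenants=False))
    print("user, modified client:", client_list_servers(user, all_tenants=True))
```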


