[openstack-dev] [novaclient]should administrator can see all servers of all tenants by default?

Robert Collins robertc at robertcollins.net
Wed Oct 16 04:59:50 UTC 2013 

I think that would be fine: --tenant FOO implying 'show me results
from FOO if I have access to that' makes total sense to me.

On 16 October 2013 17:52, Christopher Yeoh <cbkyeoh at gmail.com> wrote:
>
> --all-tenants would only be turned on if --tenant was specified, not a
> general default. Do you see that causing any problems for non trivial
> clouds?
>
> Chris
>
>
> On Tue, Oct 15, 2013 at 7:26 PM, Robert Collins <robertc at robertcollins.net>
> wrote:
>>
>> Please don't invert the bug though: if --all-tenants becomes the
>> default nova server behaviour in v3, please ensure there is a
>> --no-all-tenants to unbreak it for non-trivial clouds.
>>
>> Thanks!
>> -Rob
>>
>> On 15 October 2013 20:54, Lingxian Kong <anlin.kong at gmail.com> wrote:
>> > then, what's the conclusion that we can begin to start?
>> >
>> >
>> > 2013/10/15 Christopher Yeoh <cbkyeoh at gmail.com>
>> >>
>> >> On Tue, Oct 15, 2013 at 10:25 AM, Caitlin Bestler
>> >> <caitlin.bestler at nexenta.com> wrote:
>> >>>
>> >>> On 10/14/2013 8:37 AM, Ben Nemec wrote:
>> >>>>
>> >>>> I agree that this needs to be fixed.  It's very counterintuitive, if
>> >>>> nothing else (which is also my argument against requiring all-tenants
>> >>>> for admin users in the first place).  The only question for me is
>> >>>> whether to fix it in novaclient or in Nova itself.
>> >>>
>> >>>
>> >>> If it is fixed in novaclient, then any unscrupulous tenant would be
>> >>> able
>> >>> to unfix it in novaclient themselves and gain the same information
>> >>> about
>> >>> other tenants that the bug is allowing.
>> >>>
>> >>> So if the intent is to protect leakage of information across tenant
>> >>> lines
>> >>> then the correct solution is a real lock (i.e. in Nova) rather
>> >>> than just a screen door "lock".
>> >>>
>> >>
>> >> The novaclient fix for V2 would be simply to automatically pass
>> >> all-tenants where needed. It would not give a non admin user any extra
>> >> privileges even if they modified novaclient.
>> >>
>> >> Chris
>> >>
>> >> _______________________________________________
>> >> OpenStack-dev mailing list
>> >> OpenStack-dev at lists.openstack.org
>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >>
>> >
>> >
>> >
>> > --
>> > --------------------------------------------
>> > Lingxian Kong
>> > Huawei Technologies Co.,LTD.
>> > IT Product Line CloudOS PDU
>> > China, Xi'an
>> > Mobile: +86-18602962792
>> > Email: konglingxian at huawei.com; anlin.kong at gmail.com
>> >
>> > _______________________________________________
>> > OpenStack-dev mailing list
>> > OpenStack-dev at lists.openstack.org
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >
>>
>>
>>
>> --
>> Robert Collins <rbtcollins at hp.com>
>> Distinguished Technologist
>> HP Converged Cloud
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud

More information about the OpenStack-dev mailing list