[openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.
filip.blaha at hp.com
Mon Jul 13 12:57:39 UTC 2015
The change was already merged to master. With the next release of
python-muranoclient it can be used in Congress.
On 07/08/2015 03:57 PM, Tim Hinrichs wrote:
> There are two things to remember here.
> 1) When you configure the Congress datasource driver to talk to
> Murano, you choose which user rights Congress should use. If you need
> to get all of the tenants' data, you want to choose an admin user for
> the Murano driver. Personally I always use admin users so that I can
> write policy over everything. Typically we think of Congress as an
> admin tool.
> 2) As you point out, if the Murano driver doesn't provide
> all_tenants=true argument when it makes the API call into Murano, it
> won't get all the data for all the tenants; it'll only get the data
> for the user you provided in (1). Ideally whether all_tenants=true
> would be a datasource configuration option, but it's not today. The
> datasource drivers I've looked at all use all_tenants=true.
> On Wed, Jul 8, 2015 at 5:16 AM Kirill Zaitsev <kzaitsev at mirantis.com> wrote:
> 1) This does raise a security concern. We can however cover it
> with a separate policy-based permission, that would check if a
> user can view all tenants. nova seems to do so, see:
> 2) Will give it some thought, but it does seem like an ok practice.
> Kirill Zaitsev
> Murano team
> Software Engineer
> Mirantis, Inc
> On 8 Jul 2015 at 14:44:51, Filip Blaha (filip.blaha at hp.com) wrote:
>> Hi all,
>> I started implementing bp . Problem is that congress needs data
>> environments from all tenants but murano API lists only
>> environments of
>> user's current tenant. We decided to implement it similarly to
>> listing servers in nova, where there is a query parameter all_tenants=true
>> (user must be admin). I have 2 questions about that:
>> 1) Are there any security concerns about this approach?
>> 2) Has someone better idea how to implement this?
>> OpenStack Development Mailing List (not for usage questions)
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
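The policy-gated `all_tenants` listing discussed in this thread, as an added example that is not part of the original messages and is not Murano's or Congress's code. The rule name, roles, `Context` type and sample data are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical rule name and role set, standing in for a policy file entry.
POLICY = {"list_environments_all_tenants": {"admin"}}
TRUE_VALUES = {"true", "1", "yes"}


class Forbidden(Exception):
    """Would map to HTTP 403 in a real API layer."""


@dataclass(frozen=True)
class Context:
    user: str
    tenant_id: str
    roles: frozenset


def enforce(context, rule):
    """Raise Forbidden unless one of the caller's roles is allowed by the rule."""
    allowed = POLICY.get(rule, set())  # an unknown rule denies by default
    if not allowed & context.roles:
        raise Forbidden(f"{context.user} may not {rule}")


def list_environments(context, environments, query):
    """Return the environments visible to the caller.

    all_tenants arrives in the query string, so it is untrusted input: the
    tenant filter is dropped only after the separate policy check passes.
    A refused request fails loudly instead of silently returning one tenant.
    """
    wants_all = str(query.get("all_tenants", "")).strip().lower() in TRUE_VALUES
    if wants_all:
        enforce(context, "list_environments_all_tenants")
        return list(environments)
    return [e for e in environments if e["tenant_id"] == context.tenant_id]


# Constructed sample data.
ENVIRONMENTS = [
    {"id": "env-1", "tenant_id": "tenant-a"},
    {"id": "env-2", "tenant_id": "tenant-b"},
]
ADMIN = Context("congress", "tenant-a", frozenset({"admin"}))
MEMBER = Context("alice", "tenant-a", frozenset({"member"}))
```
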