[openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.
Filip Blaha
filip.blaha at hp.com
Mon Jul 13 12:57:39 UTC 2015
Hi Tim,
The change was already merged to master. With the next release of
python-muranoclient it can be used in Congress.
Regards
Filip
On 07/08/2015 03:57 PM, Tim Hinrichs wrote:
> There are two things to remember here.
>
> 1) When you configure the Congress datasource driver to talk to
> Murano, you choose which user rights Congress should use. If you need
> to get all of the tenants' data, you want to choose an admin user for
> the Murano driver. Personally I always use admin users so that I can
> write policy over everything. Typically we think of Congress as an
> admin tool.
>
> 2) As you point out, if the Murano driver doesn't provide the
> all_tenants=true argument when it makes the API call into Murano, it
> won't get all the data for all the tenants; it'll only get the data
> for the user you provided in (1). Ideally, whether to pass
> all_tenants=true would be a datasource configuration option, but it's
> not today. The datasource drivers I've looked at all use all_tenants=true.
>
> Tim
>
> On Wed, Jul 8, 2015 at 5:16 AM Kirill Zaitsev <kzaitsev at mirantis.com> wrote:
>
> 1) This does raise a security concern. We can however cover it
> with a separate policy-based permission, that would check if a
> user can view all tenants. nova seems to do so, see:
> https://github.com/openstack/nova/blob/4209d0140774adf3e162b7bde3cbd6b417065dd5/etc/nova/policy.json#L13
>
> 2) Will give it some thought, but it does seem like an ok practice.
>
> --
> Kirill Zaitsev
> Murano team
> Software Engineer
> Mirantis, Inc
>
> On 8 Jul 2015 at 14:44:51, Filip Blaha (filip.blaha at hp.com) wrote:
>
>> Hi all,
>>
>> I started implementing bp [1]. The problem is that Congress needs data
>> about environments from all tenants, but the Murano API lists only
>> environments of the user's current tenant. We decided to implement it
>> similarly to listing servers in nova, where there is a query parameter
>> all_tenants=true for that (the user must be admin). I have 2 questions
>> about that:
>>
>> 1) Are there any security concerns about this approach?
>> 2) Has someone better idea how to implement this?
>>
>> [1]
>> https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search
>>
>> Regards
>> Filip
>>
>> __________________________________________________________________________
>>
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>>
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
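The approach discussed in this thread (an all_tenants=true listing that is only honoured when a policy rule permits it, as nova does via policy.json), as an added illustration that is not Murano's, Congress's or nova's code; the rule name, the context fields, the exception and the sample environments are assumptions:

```python
# Added example, not Murano/Congress code. Models an environment listing
# where all_tenants=True is gated by a policy rule in the style of nova's
# policy.json. All names and data below are hypothetical/constructed.
from collections import namedtuple

Environment = namedtuple("Environment", ["id", "tenant_id", "name"])

# Constructed sample data: environments owned by two different tenants.
ENVIRONMENTS = [
    Environment("env-1", "tenant-a", "web"),
    Environment("env-2", "tenant-a", "db"),
    Environment("env-3", "tenant-b", "ci"),
]

# Policy rules keyed by action (hypothetical rule name). Each rule is a
# predicate over the request context, roughly "role:admin" in policy.json.
POLICY = {
    "environments:get_all_tenants": lambda ctx: "admin" in ctx["roles"],
}


class PolicyNotAuthorized(Exception):
    """Caller asked for more than policy allows; maps to HTTP 403."""


def enforce(action, ctx):
    """Fail closed: an unknown action or a failing rule is a denial."""
    rule = POLICY.get(action)
    if rule is None or not rule(ctx):
        raise PolicyNotAuthorized(action)


def list_environments(ctx, all_tenants=False):
    """Return the environments visible to the caller described by ctx.

    Without all_tenants the result is scoped to the caller's own tenant.
    With all_tenants=True the policy rule must pass; a non-admin gets an
    explicit denial instead of silently receiving another tenant's data.
    """
    if all_tenants:
        enforce("environments:get_all_tenants", ctx)
        return list(ENVIRONMENTS)
    return [e for e in ENVIRONMENTS if e.tenant_id == ctx["tenant_id"]]
```

The Congress datasource driver in Tim's point (1) corresponds to the admin context here: it can pass all_tenants=True and see every tenant's environments, while a member-only context cannot.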