[openstack-dev] [Barbican] Providing service user read access to all tenant's certificates

Vijay Venkatachalam Vijay.Venkatachalam at citrix.com
Thu Sep 17 02:02:44 UTC 2015


The user here is the LBaaS service user which needs read access. This service user does play any role in the config creator's project. The service user might be playing a different role is in a common project.
For ex. "admin" user with "admin" role in "admin" project is the service user in devstack for LBaaS.

--Vijay



From: Dave McCowan (dmccowan) [mailto:dmccowan at cisco.com]
Sent: 16 September 2015 18:36
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [Barbican] Providing service user read access to all tenant's certificates

A user with the role "observer" in a project will have read access to all secrets and containers for that project, using the default settings in the policy.json file.

--Dave McCowan

From: Vijay Venkatachalam <Vijay.Venkatachalam at citrix.com<mailto:Vijay.Venkatachalam at citrix.com>>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Date: Tuesday, September 15, 2015 at 10:06 PM
To: "OpenStack Development Mailing List (openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Subject: [openstack-dev] [Barbican] Providing service user read access to all tenant's certificates

Hi,
               Is there a way to provide read access to a certain user to all secrets/containers of all project/tenant's certificates?
               This user with universal "read" privilege's will be used as a service user by LBaaS plugin to read tenant's certificates during LB configuration implementation.

               Today's LBaaS users are following the below mentioned process

1.      tenant's creator/admin user uploads a certificate info as secrets and container

2.      User then have to create ACLs for the LBaaS service user to access the containers and secrets

3.      User creates LB config with the container reference

4.      LBaaS plugin using the service user will then access container reference provided in LB config and proceeds to implement.

Ideally we would want to avoid step 2 in the process. Instead add a step 5 where the lbaas plugin's service user checks if the user configuring the LB has read access to the container reference provided.

Thanks,
Vijay V.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150917/9a2da227/attachment.html>


More information about the OpenStack-dev mailing list