[openstack-dev] [Barbican] Providing service user read access to all tenant's certificates

Dave McCowan (dmccowan) dmccowan at cisco.com
Thu Sep 17 12:50:02 UTC 2015 

The tenant admin from Step 1, should also do Step 2.

From: Vijay Venkatachalam <Vijay.Venkatachalam at citrix.com<mailto:Vijay.Venkatachalam at citrix.com>>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Date: Wednesday, September 16, 2015 at 9:57 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Subject: Re: [openstack-dev] [Barbican] Providing service user read access to all tenant's certificates


How does lbaas do step 2?
It does not have the privilege for that secret/container using the service user.
Should it use the keystone token through which user created LB config and assign read access for the secret/container to the LBaaS service user?

Thanks,
Vijay V.

From: Fox, Kevin M [mailto:Kevin.Fox at pnnl.gov]
Sent: 16 September 2015 19:24
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Subject: Re: [openstack-dev] [Barbican] Providing service user read access to all tenant's certificates

Why not have lbaas do step 2? Even better would be to help with the instance user spec and combined with lbaas doing step 2, you could restrict secret access to just the amphora that need the secret?

Thanks,
Kevin

________________________________
From: Vijay Venkatachalam
Sent: Tuesday, September 15, 2015 7:06:39 PM
To: OpenStack Development Mailing List (openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>)
Subject: [openstack-dev] [Barbican] Providing service user read access to all tenant's certificates
Hi,
               Is there a way to provide read access to a certain user to all secrets/containers of all project/tenant’s certificates?
               This user with universal “read” privilege’s will be used as a service user by LBaaS plugin to read tenant’s certificates during LB configuration implementation.

               Today’s LBaaS users are following the below mentioned process

1.      tenant’s creator/admin user uploads a certificate info as secrets and container

2.      User then have to create ACLs for the LBaaS service user to access the containers and secrets

3.      User creates LB config with the container reference

4.      LBaaS plugin using the service user will then access container reference provided in LB config and proceeds to implement.

Ideally we would want to avoid step 2 in the process. Instead add a step 5 where the lbaas plugin’s service user checks if the user configuring the LB has read access to the container reference provided.

Thanks,
Vijay V.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150917/9c5e5ced/attachment.html>

More information about the OpenStack-dev mailing list