<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 21, 2013 at 1:32 AM, Lingxian Kong <span dir="ltr"><<a href="mailto:anlin.kong@gmail.com" target="_blank">anlin.kong@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:verdana,sans-serif">two questions here:</div><div style="font-family:verdana,sans-serif">
1. whther '--all-tenants' should be with '--tenant' or not.</div>
<div style="font-family:verdana,sans-serif">2. can admin see other tenant's server using its name instead of id?</div></div><div class="gmail_extra"><div><div class="h5"><br></div></div></div></blockquote><div><br></div>
<div>I think a name search as well as id makes sense, though that change lies entirely within<br>python-novaclient and could potentially take a long time and could be avoided by passing 'all_tenants 0'.<br></div><div>
<br></div><div>btw I have submitted a series of patches (IMO some cleanup is required as well) which addresses<br>the tenant_id/all_tenants issue:<br><br><a href="https://review.openstack.org/#/c/52007/">https://review.openstack.org/#/c/52007/</a><br>
<a href="https://review.openstack.org/#/c/52864/">https://review.openstack.org/#/c/52864/</a><br><a href="https://review.openstack.org/#/c/52919/">https://review.openstack.org/#/c/52919/</a><br><br></div><div>Chris.<br></div>
<div> <br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">2013/10/16 Robert Collins <span dir="ltr"><<a href="mailto:robertc@robertcollins.net" target="_blank">robertc@robertcollins.net</a>></span><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I think that would be fine: --tenant FOO implying 'show me results<br>
from FOO if I have access to that' makes total sense to me.<br>
<div><div><br>
On 16 October 2013 17:52, Christopher Yeoh <<a href="mailto:cbkyeoh@gmail.com" target="_blank">cbkyeoh@gmail.com</a>> wrote:<br>
><br>
> --all-tenants would only be turned on if --tenant was specified, not a<br>
> general default. Do you see that causing any problems for non trivial<br>
> clouds?<br>
><br>
> Chris<br>
><br>
><br>
> On Tue, Oct 15, 2013 at 7:26 PM, Robert Collins <<a href="mailto:robertc@robertcollins.net" target="_blank">robertc@robertcollins.net</a>><br>
> wrote:<br>
>><br>
>> Please don't invert the bug though: if --all-tenants becomes the<br>
>> default nova server behaviour in v3, please ensure there is a<br>
>> --no-all-tenants to unbreak it for non-trivial clouds.<br>
>><br>
>> Thanks!<br>
>> -Rob<br>
>><br>
>> On 15 October 2013 20:54, Lingxian Kong <<a href="mailto:anlin.kong@gmail.com" target="_blank">anlin.kong@gmail.com</a>> wrote:<br>
>> > then, what's the conclusion that we can begin to start?<br>
>> ><br>
>> ><br>
>> > 2013/10/15 Christopher Yeoh <<a href="mailto:cbkyeoh@gmail.com" target="_blank">cbkyeoh@gmail.com</a>><br>
>> >><br>
>> >> On Tue, Oct 15, 2013 at 10:25 AM, Caitlin Bestler<br>
>> >> <<a href="mailto:caitlin.bestler@nexenta.com" target="_blank">caitlin.bestler@nexenta.com</a>> wrote:<br>
>> >>><br>
>> >>> On 10/14/2013 8:37 AM, Ben Nemec wrote:<br>
>> >>>><br>
>> >>>> I agree that this needs to be fixed. It's very counterintuitive, if<br>
>> >>>> nothing else (which is also my argument against requiring all-tenants<br>
>> >>>> for admin users in the first place). The only question for me is<br>
>> >>>> whether to fix it in novaclient or in Nova itself.<br>
>> >>><br>
>> >>><br>
>> >>> If it is fixed in novaclient, then any unscrupulous tenant would be<br>
>> >>> able<br>
>> >>> to unfix it in novaclient themselves and gain the same information<br>
>> >>> about<br>
>> >>> other tenants that the bug is allowing.<br>
>> >>><br>
>> >>> So if the intent is to protect leakage of information across tenant<br>
>> >>> lines<br>
>> >>> then the correct solution is a real lock (i.e. in Nova) rather<br>
>> >>> than just a screen door "lock".<br>
>> >>><br>
>> >><br>
>> >> The novaclient fix for V2 would be simply to automatically pass<br>
>> >> all-tenants where needed. It would not give a non admin user any extra<br>
>> >> privileges even if they modified novaclient.<br>
>> >><br>
>> >> Chris<br>
>> >><br>
>> >> _______________________________________________<br>
>> >> OpenStack-dev mailing list<br>
>> >> <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
>> >> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>> >><br>
>> ><br>
>> ><br>
>> ><br>
>> > --<br>
>> > --------------------------------------------<br>
>> > Lingxian Kong<br>
>> > Huawei Technologies Co.,LTD.<br>
>> > IT Product Line CloudOS PDU<br>
>> > China, Xi'an<br>
>> > Mobile: <a href="tel:%2B86-18602962792" value="+8618602962792" target="_blank">+86-18602962792</a><br>
>> > Email: <a href="mailto:konglingxian@huawei.com" target="_blank">konglingxian@huawei.com</a>; <a href="mailto:anlin.kong@gmail.com" target="_blank">anlin.kong@gmail.com</a><br>
>> ><br>
>> > _______________________________________________<br>
>> > OpenStack-dev mailing list<br>
>> > <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
>> > <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>> ><br>
>><br>
>><br>
>><br>
>> --<br>
>> Robert Collins <<a href="mailto:rbtcollins@hp.com" target="_blank">rbtcollins@hp.com</a>><br>
>> Distinguished Technologist<br>
>> HP Converged Cloud<br>
>><br>
>> _______________________________________________<br>
>> OpenStack-dev mailing list<br>
>> <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><br>
<br>
<br>
<br>
--<br>
Robert Collins <<a href="mailto:rbtcollins@hp.com" target="_blank">rbtcollins@hp.com</a>><br>
Distinguished Technologist<br>
HP Converged Cloud<br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div>-- <br><div class="im"><div dir="ltr"><div><b><font style="background-color:rgb(243,243,243)" color="#000000" face="courier new, monospace">---------------------------------------</font></b></div>
<div><font color="#0000ff" face="comic sans ms, sans-serif"><b>Lingxian Kong</b></font></div><div><font color="#ff00ff" face="comic sans ms, sans-serif">Huawei Technologies Co.,LTD.</font></div><div><font color="#ff00ff" face="comic sans ms, sans-serif">IT Product Line CloudOS PDU</font></div>
<div><font color="#ff00ff" face="comic sans ms, sans-serif">China, Xi'an</font></div><div><font color="#ff00ff" face="comic sans ms, sans-serif">Mobile: <a href="tel:%2B86-18602962792" value="+8618602962792" target="_blank">+86-18602962792</a></font></div>
<div><font color="#ff00ff" face="comic sans ms, sans-serif">Email: <a href="mailto:konglingxian@huawei.com" target="_blank">konglingxian@huawei.com</a>; <a href="mailto:anlin.kong@gmail.com" target="_blank">anlin.kong@gmail.com</a></font></div>
</div>
</div></div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>