Hello to all.<br><br>On Sunday, January 11, 2015, Mark Kirkwood <<a href="mailto:mark.kirkwood@catalyst.net.nz">mark.kirkwood@catalyst.net.nz</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 18/12/14 14:30, 乔建 wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
When using trove, we need to configure nova’s user information in the<br>
configuration file of trove-guestagent, such as<br>
<br>
nova_proxy_admin_user<br>
<br>
nova_proxy_admin_pass<br>
<br>
nova_proxy_admin_tenant_name<br>
<br><br><br><br>
Is it necessary? In a public cloud environment, it will lead to serious<br>
security risks.<br>
<br><br>
I traced the code, and noticed that the auth data mentioned above is<br>
packaged in a context object, then passed to the trove-conductor via<br>
message queue.<br>
<br>
Is it more suitable for trove-conductor to get the corresponding<br>
information from its own conf file? </blockquote></blockquote><div><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br></blockquote><div><br></div><div><font><span style="background-color:rgba(255,255,255,0)">The guest agent doesn't need the configuration options described above. IIRC, only taskmanager needs them.</span></font></div><div><font><span style="background-color:rgba(255,255,255,0)">About passing auth data: what are the benefits of changing the way in which auth data is shipped? If you still think of security risks, you may use the SSL protocol, which is available in most messaging services.</span></font></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Yes - all good points. Experimenting with devstack Juno branch, it seems you can happily remove these three settings.<br>
<br>
However the guest agent does seem to need the rabbit host and password, which is probably undesirable for the same reasons that you mentioned above.<br>
<br>
Regards<br>
<br>
Mark<br>
<br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
</blockquote><div><br></div><div>Kind regards,</div><div>Denis M. </div></div></div><div><br></div>