<div dir="ltr">AFAIK nova and cinder support --all-tenants when we list servers and volumes; it's an admin-only operation, as Kirill pointed out in the comments above.<div><br></div><div>On the other hand, I think we should be careful using this option, because huge result sets are pulled at one time when we want to get the cross-tenant data. Think about getting all tenants' servers or volumes.</div><div><br></div><div>In Congress, the admin user needs a whole-cloud data view so that policy can be used to find conflicts between different tenants, for example, tenant A's ports being attached to tenant B's servers.</div><div><br></div><div>I think it should be OK to support all-tenants in Murano.</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-07-08 21:57 GMT+08:00 Tim Hinrichs <span dir="ltr"><<a href="mailto:tim@styra.com" target="_blank">tim@styra.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">There are two things to remember here.<div><br></div><div>1) When you configure the Congress datasource driver to talk to Murano, you choose which user rights Congress should use. If you need to get all of the tenants' data, you want to choose an admin user for the Murano driver. Personally I always use admin users so that I can write policy over everything. Typically we think of Congress as an admin tool.</div><div><br></div><div>2) As you point out, if the Murano driver doesn't provide the all_tenants=true argument when it makes the API call into Murano, it won't get all the data for all the tenants; it'll only get the data for the user you provided in (1). Ideally, whether to send all_tenants=true would be a datasource configuration option, but it's not today. 
The datasource drivers I've looked at all use all_tenants=true.</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Tim</div><div><br><div><br></div><div> <br></div></div></font></span></div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Wed, Jul 8, 2015 at 5:16 AM Kirill Zaitsev <<a href="mailto:kzaitsev@mirantis.com" target="_blank">kzaitsev@mirantis.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">1) This does raise a security concern. We can however cover it with a separate policy-based permission that would check if a user can view all tenants. nova seems to do so, see: <a href="https://github.com/openstack/nova/blob/4209d0140774adf3e162b7bde3cbd6b417065dd5/etc/nova/policy.json#L13" target="_blank">https://github.com/openstack/nova/blob/4209d0140774adf3e162b7bde3cbd6b417065dd5/etc/nova/policy.json#L13</a></div><div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">2) Will give it some thought, but it does seem like an OK practice.</div></div><div style="word-wrap:break-word"> <br> <div><div style="font-family:helvetica,arial;font-size:13px">-- <br>Kirill Zaitsev<br>Murano team</div><div style="font-family:helvetica,arial;font-size:13px">Software Engineer</div><div style="font-family:helvetica,arial;font-size:13px">Mirantis, Inc</div></div></div><div style="word-wrap:break-word"> <br><p style="color:#000">On 8 Jul 2015 at 14:44:51, Filip Blaha (<a href="mailto:filip.blaha@hp.com" target="_blank">filip.blaha@hp.com</a>) wrote:</p> <blockquote type="cite"><span><div><div></div><div>Hi all,
<br>
<br>I started implementing bp [1]. The problem is that Congress needs data about
<br>environments from all tenants, but the Murano API lists only environments of
<br>the user's current tenant. We decided to implement it similarly to
<br>listing servers in nova, where there is a query parameter all_tenants=true for
<br>that (the user must be admin). I have 2 questions about that:
<br>
<br>1) Are there any security concerns about this approach?
<br>2) Has someone better idea how to implement this?
<br>
<br>[1]
<br><a href="https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search" target="_blank">https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search</a>
<br>
<br>Regards
<br>Filip
<br>
<br>
<br>
<br>__________________________________________________________________________
<br>OpenStack Development Mailing List (not for usage questions)
<br>Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
<br></div></div></span></blockquote></div>
</blockquote></div>
</div></div><br>
<br></blockquote></div><br></div>
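The approach the thread converges on (an all_tenants=true query parameter gated by its own policy rule, as nova's policy.json does, with the result size bounded so a cross-tenant query cannot pull the whole table at once), as an added example. This is illustrative code, not Murano's or nova's implementation: the rule names, the tiny in-memory rule evaluator standing in for oslo.policy, the handler name and the sample environment records are all assumptions made for the example.

```python
"""Added example: tenant-scoped listing with a separate policy rule for
all_tenants=true. Illustrative only; not Murano's or nova's code.

Assumptions: the rule names "environments:list" and
"environments:list_all_tenants", the minimal rule evaluator below (the real
projects use oslo.policy), and the constructed ENVIRONMENTS table.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class Forbidden(Exception):
    """Maps to HTTP 403: policy does not allow what the caller asked for."""


@dataclass
class RequestContext:
    user_id: str
    project_id: str                      # the caller's current tenant
    roles: List[str] = field(default_factory=list)


# Policy file in the spirit of nova's policy.json (rule names are assumed).
POLICY_RULES: Dict[str, str] = {
    "environments:list": "",                        # any authenticated user
    "environments:list_all_tenants": "role:admin",  # cross-tenant listing
}


def enforce(rule: str, ctx: RequestContext) -> bool:
    """Minimal stand-in for oslo.policy's Enforcer.enforce.

    Supports only the empty rule (always allowed) and "role:<name>".
    A rule that is not defined is denied, so the check fails closed.
    """
    expr = POLICY_RULES.get(rule)
    if expr is None:
        return False
    if expr == "":
        return True
    kind, _, value = expr.partition(":")
    return kind == "role" and value in ctx.roles


# Constructed sample data: environments owned by two different tenants.
ENVIRONMENTS = [
    {"id": "env-1", "tenant_id": "tenant-a", "name": "web"},
    {"id": "env-2", "tenant_id": "tenant-a", "name": "db"},
    {"id": "env-3", "tenant_id": "tenant-b", "name": "ci"},
]


def _truthy(value: str) -> bool:
    # Only an explicit true value requests all tenants; anything else is not.
    return str(value).strip().lower() in ("1", "true", "yes")


def list_environments(ctx: RequestContext, query: Dict[str, str],
                      limit: int = 100, marker: Optional[str] = None) -> List[dict]:
    """Handler for GET /environments[?all_tenants=true&limit=N&marker=ID].

    - Every caller must pass "environments:list".
    - all_tenants=true additionally requires "environments:list_all_tenants".
      A caller who asks for it without permission gets 403 rather than a
      silently narrowed result, so a client cannot mistake a partial view
      for the whole cloud.
    - limit/marker bound each response so a cross-tenant query is paged
      instead of pulled in one shot.
    """
    if not enforce("environments:list", ctx):
        raise Forbidden("environments:list")

    wants_all = "all_tenants" in query and _truthy(query["all_tenants"])
    if wants_all:
        if not enforce("environments:list_all_tenants", ctx):
            raise Forbidden("environments:list_all_tenants")
        rows = list(ENVIRONMENTS)
    else:
        rows = [e for e in ENVIRONMENTS if e["tenant_id"] == ctx.project_id]

    if marker is not None:
        ids = [e["id"] for e in rows]
        rows = rows[ids.index(marker) + 1:] if marker in ids else []
    return rows[:limit]


if __name__ == "__main__":
    admin = RequestContext("u1", "tenant-a", ["admin"])
    member = RequestContext("u2", "tenant-b", ["member"])
    print([e["id"] for e in list_environments(member, {})])
    print([e["id"] for e in list_environments(admin, {"all_tenants": "true"})])
    try:
        list_environments(member, {"all_tenants": "1"})
    except Forbidden as exc:
        print("403:", exc)
```

The two properties worth checking when wiring this into a real API are that the policy rule is enforced on the server for every request carrying all_tenants (never only hidden in the client), and that the unauthorized case is a 403, not a fallback to the caller's own tenant.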