<div dir="ltr">We sometimes want the ability to write policy across tenants, e.g. VMs from Coke and Pepsi must always be deployed on different hosts. <div><br></div><div>I didn't think there were any roles that could see everything without all_tenants=true. If there are such roles, I'd be happy to remove the all_tenants=true from the datasource drivers. <div><br></div><div>Tim</div></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Jul 10, 2015 at 8:00 AM Dolph Mathews &lt;<a href="mailto:dolph.mathews@gmail.com">dolph.mathews@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">How about using domain-based role assignments in keystone and requiring domain-level authorization in policy, and then only returning data about the collection of tenants that belong to the authorized domain? That way you don't have an API that violates multi-tenant isolation, consumable only by cloud operators.</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 8, 2015 at 6:27 AM, Filip Blaha <span dir="ltr">&lt;<a href="mailto:filip.blaha@hp.com" target="_blank">filip.blaha@hp.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
I started implementing bp [1]. The problem is that congress needs data about environments from all tenants, but the murano API lists only environments of the user's current tenant. We decided to implement it similarly to listing servers in nova, where there is a query parameter all_tenants=true for that (the user must be admin). I have 2 questions about that:<br>
<br>
1) Are there any security concerns about this approach?<br>
2) Does anyone have a better idea how to implement this?<br>
<br>
[1] <a href="https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search" rel="noreferrer" target="_blank">https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search</a><br>
<br>
Regards<br>
Filip<br>
<br>
<br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div><br></div>
</blockquote></div>
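The two approaches discussed in this thread, side by side, as an added example that is not part of any message and is not murano, congress or keystone code. The `Context` class, the `reader` role name and the sample tenants and domains are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Hypothetical stand-in for the scope and roles carried by a token."""
    roles: frozenset
    project_id: str = None  # set for a project-scoped token
    domain_id: str = None   # set for a domain-scoped token


class Forbidden(Exception):
    pass


# Constructed sample data: tenant -> owning domain, and one environment each.
PROJECT_DOMAIN = {"coke": "beverages", "pepsi": "beverages", "acme": "tools"}
ENVIRONMENTS = [
    {"id": "env-1", "tenant_id": "coke"},
    {"id": "env-2", "tenant_id": "pepsi"},
    {"id": "env-3", "tenant_id": "acme"},
]


def list_with_all_tenants(ctx, all_tenants=False):
    """Approach from the original question: all_tenants=true, admin only."""
    if all_tenants:
        if "admin" not in ctx.roles:
            raise Forbidden("all_tenants requires the admin role")
        return [e["id"] for e in ENVIRONMENTS]  # isolation is bypassed entirely
    return [e["id"] for e in ENVIRONMENTS if e["tenant_id"] == ctx.project_id]


def list_domain_scoped(ctx, required_role="reader"):
    """Suggested alternative: the authorized domain bounds what is returned."""
    if required_role not in ctx.roles:
        raise Forbidden("missing role: " + required_role)
    if ctx.domain_id is not None:
        allowed = {p for p, d in PROJECT_DOMAIN.items() if d == ctx.domain_id}
    elif ctx.project_id is not None:
        allowed = {ctx.project_id}
    else:
        raise Forbidden("token is not scoped to a project or domain")
    return [e["id"] for e in ENVIRONMENTS if e["tenant_id"] in allowed]
```

With domain scoping, a cross-tenant policy such as the Coke and Pepsi placement rule can only be evaluated by a caller authorized on a domain that contains both tenants.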