<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi Tim,<br>
    <br>
    The change was already merged to master. With the next release of
    python-muranoclient it can be used in Congress.<br>
    <br>
    Regards<br>
    Filip<br>
    <br>
    <div class="moz-cite-prefix">On 07/08/2015 03:57 PM, Tim Hinrichs
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAJjxPADD5CmBaCYVv3S-J7dAxx9A5E78Q2ePKf+47Zz2pSZ-Vw@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div dir="ltr">There are two things to remember here.
        <div><br>
        </div>
        <div>1) When you configure the Congress datasource driver to
          talk to Murano, you choose which user rights Congress should
          use.  If you need to get all of the tenants' data, you want to
          choose an admin user for the Murano driver.  Personally I
          always use admin users so that I can write policy over
          everything.  Typically we think of Congress as an admin tool.</div>
        <div><br>
        </div>
        <div>2) As you point out, if the Murano driver doesn't provide
          the all_tenants=true argument when it makes the API call into
          Murano, it won't get all the data for all the tenants; it'll
          only get the data for the user you provided in (1).  Ideally
          whether to use all_tenants=true would be a datasource configuration
          option, but it's not today.  The datasource drivers I've
          looked at all use all_tenants=true.</div>
        <div><br>
        </div>
        <div>Tim</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Wed, Jul 8, 2015 at 5:16 AM Kirill Zaitsev
          &lt;<a moz-do-not-send="true"
            href="mailto:kzaitsev@mirantis.com">kzaitsev@mirantis.com</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div style="word-wrap:break-word">
            <div
style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">1)
              This does raise a security concern. We can however cover
              it with a separate policy-based permission, that would
              check if a user can view all tenants. nova seems to do so,
              see: <a moz-do-not-send="true"
href="https://github.com/openstack/nova/blob/4209d0140774adf3e162b7bde3cbd6b417065dd5/etc/nova/policy.json#L13"
                target="_blank">https://github.com/openstack/nova/blob/4209d0140774adf3e162b7bde3cbd6b417065dd5/etc/nova/policy.json#L13</a></div>
            <div
style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br>
            </div>
            <div
style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">2)
              Will give it some thought, but it does seem like an ok
              practice.</div>
          </div>
          <div style="word-wrap:break-word"> <br>
            <div>
              <div style="font-family:helvetica,arial;font-size:13px">-- <br>
                Kirill Zaitsev<br>
                Murano team</div>
              <div style="font-family:helvetica,arial;font-size:13px">Software
                Engineer</div>
              <div style="font-family:helvetica,arial;font-size:13px">Mirantis,
                Inc</div>
            </div>
          </div>
          <div style="word-wrap:break-word"> <br>
            <p style="color:#000">On 8 Jul 2015 at 14:44:51, Filip Blaha
              (<a moz-do-not-send="true"
                href="mailto:filip.blaha@hp.com" target="_blank">filip.blaha@hp.com</a>)
              wrote:</p>
            <blockquote type="cite"><span>
                <div>
                  <div>Hi all,
                    <br>
                    <br>
                    I started implementing bp [1]. The problem is that congress
                    needs data about <br>
                    environments from all tenants but the murano API lists
                    only environments of <br>
                    the user's current tenant. We decided to implement it
                    similarly to <br>
                    listing servers in nova, where there is a query parameter
                    all_tenants=true for <br>
                    that (user must be admin). I have 2 questions about
                    that:
                    <br>
                    <br>
                    1) Are there any security concerns about this
                    approach?
                    <br>
                    2) Does someone have a better idea how to implement this?
                    <br>
                    <br>
                    [1] <br>
                    <a moz-do-not-send="true"
href="https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search"
                      target="_blank">https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search</a>
                    <br>
                    <br>
                    Regards
                    <br>
                    Filip
                    <br>
                    <br>
                    <br>
                    <br>
__________________________________________________________________________
                    <br>
                    OpenStack Development Mailing List (not for usage
                    questions)
                    <br>
                    Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
                      target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
                    <br>
                    <a moz-do-not-send="true"
                      href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
                      target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
                    <br>
                  </div>
                </div>
              </span></blockquote>
          </div>
        </blockquote>
      </div>
    </blockquote>
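    <div>The policy-gated all_tenants listing discussed in this thread, as an added example that is not part of any message here and is not Murano, nova or Congress code. The rule name, the role set, the Context class and the environment records are assumptions constructed for illustration.</div>

```python
# Added example: hypothetical names and constructed data, not Murano code.
from dataclasses import dataclass, field

ALL_TENANTS_RULE = "list_environments_all_tenants"  # hypothetical rule name

# Constructed policy table: rule name -> roles that may use it.
POLICY = {ALL_TENANTS_RULE: {"admin"}}

# Constructed environment records spread over two tenants.
ENVIRONMENTS = [
    {"id": "env-1", "tenant_id": "tenant-a"},
    {"id": "env-2", "tenant_id": "tenant-b"},
    {"id": "env-3", "tenant_id": "tenant-a"},
]


class Forbidden(Exception):
    """The caller asked for a scope the policy does not grant."""


@dataclass
class Context:
    user: str
    tenant_id: str
    roles: set = field(default_factory=set)


def is_allowed(ctx, rule):
    # Rules missing from the policy table deny by default.
    return bool(POLICY.get(rule, set()) & ctx.roles)


def parse_all_tenants(query):
    # Only an explicit true value widens the scope; anything else stays scoped.
    return str(query.get("all_tenants", "")).strip().lower() in ("1", "true")


def list_environments(ctx, query, audit_log):
    if parse_all_tenants(query):
        if not is_allowed(ctx, ALL_TENANTS_RULE):
            # Reject instead of silently narrowing, and record the attempt.
            audit_log.append(("denied", ctx.user, ctx.tenant_id))
            raise Forbidden(ALL_TENANTS_RULE)
        audit_log.append(("all_tenants", ctx.user, ctx.tenant_id))
        return list(ENVIRONMENTS)
    # Default path: only the caller's own tenant is visible.
    return [e for e in ENVIRONMENTS if e["tenant_id"] == ctx.tenant_id]
```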
    <br>
  </body>
</html>