<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi Dolph<br>
    <br>
    Thanks for idea. Is this approach used somewhere for similar
    use-case I described? If so please point it out. Thanks<br>
    <br>
    Filip<br>
    <br>
    <div class="moz-cite-prefix">On 07/10/2015 04:57 PM, Dolph Mathews
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAC=h7gXmd47SHaBb1XN1Ynao7H1g0B-w7Uh6W_PMEw0mHpc3_w@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <div dir="ltr">How about using domain-based role assignments in
        keystone and requiring domain-level authorization in policy, and
        then only returning data about the collection of tenants that
        belong to the authorized domain? That way you don't have an API
        that violates multi-tenant isolation, consumable only by cloud
        operators.</div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Jul 8, 2015 at 6:27 AM, Filip
          Blaha <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:filip.blaha@hp.com" target="_blank">filip.blaha@hp.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
            <br>
            I started implement bp [1]. Problem is that congress needs
            data about environments from all tenants but murano API
            lists only environments of user's current tenant. We decided
            to ipmplement it similarly like listing servers in nova
            where is query parameter all_tenants=true for that (user
            must be admin) I have 2 questions about that:<br>
            <br>
            1) Are there any security concerns about this approach?<br>
            2) Has someone better idea how to implement this?<br>
            <br>
            [1] <a moz-do-not-send="true"
href="https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search"
              rel="noreferrer" target="_blank">https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search</a><br>
            <br>
            Regards<br>
            Filip<br>
            <br>
            <br>
            <br>
__________________________________________________________________________<br>
            OpenStack Development Mailing List (not for usage questions)<br>
            Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
              rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
            <a moz-do-not-send="true"
              href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
              rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>