<div dir="ltr">Hi Corey,<div><br></div><div>The user is root on those nodes and can get any credentials on those nodes. We cannot avoid that, but in this way we can prevent those users who cannot log in to the nodes from accessing some limited APIs. </div><div><br></div><div>Regards,</div><div>Wanghua</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 5, 2016 at 12:24 PM, Corey O'Brien <span dir="ltr"><<a href="mailto:coreypobrien@gmail.com" target="_blank">coreypobrien@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">There currently isn't a way to distinguish between the user who creates the bay and the nodes in the bay, because the user is root on those nodes. Any credential that the node uses to communicate with Magnum is going to be accessible to the user.<div><br></div><div>Since we already have the trust, that seems like the best way to proceed for now, just to get something working.<br><div><div><div><br></div><div>Corey</div></div></div></div></div><br><div class="gmail_quote"><div><div class="h5"><div dir="ltr">On Thu, Feb 4, 2016 at 10:53 PM 王华 <<a href="mailto:wanghua.humble@gmail.com" target="_blank">wanghua.humble@gmail.com</a>> wrote:<br></div></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">Hi all,<div><br></div><div>Magnum now uses a token to get the CA certificate in make-cert.sh. A token has an expiration time, so we should change this method. Here are two proposals.</div><div><br></div><div>1. Use the trust which I have introduced in [1]. This approach has a disadvantage: we can't limit access to some APIs. For example, if we want to add a limitation that some APIs can only be accessed from a Bay and can't be accessed by users outside, we need a way to distinguish these users, from Bay or from outside.</div><div><br></div><div>2. We create a user with the role to access Magnum. This approach is used in Heat: Heat creates a user for each stack to communicate with Heat. We can add a role to the user, which is already introduced in [1]. The user can directly access Magnum for some limited APIs. With the trust id, the user can access other services.</div><div><br></div><div>[1] <a href="https://review.openstack.org/#/c/268852/" target="_blank">https://review.openstack.org/#/c/268852/</a></div><div><br></div><div>Regards,</div><div>Wanghua</div></div></div></div>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div>
<br></blockquote></div><br></div>
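An added illustration of the split proposal 2 describes, not Magnum's code and not from anyone on this thread: a per-bay service user whose role reaches only the certificate APIs, with the token-expiry failure from make-cert.sh checked first. The role name, the API names, and the rule that a bay user may only act on its own bay are assumptions.

```python
# Added example, not Magnum's own code. Role name, API names and the
# "bay user may only act on its own bay" check are assumptions.
from dataclasses import dataclass
from typing import Optional, Set

BAY_USER_ROLE = "bay_user"  # hypothetical role held by the per-bay user
# Hypothetical split: APIs reachable only from inside a bay vs. user-facing.
BAY_ONLY_APIS = {"certificate:get_ca", "certificate:sign"}
USER_APIS = {"bay:create", "bay:delete", "bay:list"}

class AccessDenied(Exception):
    pass

@dataclass
class Caller:
    user_id: str
    roles: Set[str]
    token_expires: float          # seconds since the epoch
    bay_id: Optional[str] = None  # set only for per-bay service users

def authorize(caller, api, target_bay=None, now=0.0):
    """Return True if caller may invoke api on target_bay, else raise.

    Expiry is checked first: a plain user token stops working once it
    ages out, which is the original make-cert.sh problem.
    """
    if caller.token_expires <= now:
        raise AccessDenied("token expired")
    is_bay_user = BAY_USER_ROLE in caller.roles
    if api in BAY_ONLY_APIS:
        if not is_bay_user:
            raise AccessDenied("%s is only reachable from inside a bay" % api)
        # Bind the service user to its own bay so a credential read by root
        # on one bay's nodes cannot be used against another bay (assumed).
        if target_bay is None or caller.bay_id != target_bay:
            raise AccessDenied("%s may not act on bay %s" % (caller.user_id, target_bay))
        return True
    if api in USER_APIS:
        if is_bay_user:
            raise AccessDenied("bay users may not call %s" % api)
        return True
    raise AccessDenied("unknown API %s" % api)

def allowed(caller, api, target_bay=None, now=0.0):
    """Boolean form of authorize() for callers that do not want exceptions."""
    try:
        return authorize(caller, api, target_bay=target_bay, now=now)
    except AccessDenied:
        return False
```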