<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<div>+1. I'd like to see a similar thing for keystone validate user tokens.<br>
<br>
Thanks,<br>
Kevin<br>
<hr tabindex="-1">
<font face="Tahoma" size="2"><b>From:</b> Johannes Grassler<br>
<b>Sent:</b> Monday, July 04, 2016 2:43:47 AM<br>
<b>To:</b> openstack-dev@lists.openstack.org<br>
<b>Subject:</b> [openstack-dev] [magnum][heat] Global stack-list for Magnum service user<br>
</font><br>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Hello,<br>
<br>
Magnum has a periodic task that checks the state of the Heat stacks it creates<br>
for its bays. It does this across all users/tenants that have Magnum bays.<br>
Currently it uses a global stack-list operation to query these Heat stacks:<br>
<br>
<a href="https://github.com/openstack/magnum/blob/master/magnum/service/periodic.py#L83">https://github.com/openstack/magnum/blob/master/magnum/service/periodic.py#L83</a><br>
<br>
Now the Magnum service user does not normally have permission to perform this operation,<br>
hence the Magnum documentation currently suggests the following change to<br>
Heat's policy.json:<br>
<br>
| stacks:global_index: "role:admin",<br>
<br>
This is less than optimal since it allows any tenant's admin user to perform a<br>
global stack-list. Would it be an option to have something like this in Heat's<br>
default policy.json?<br>
<br>
| stacks:global_index: "role:service",<br>
<br>
That way the global stack-list would be restricted to service users and setting up<br>
Magnum (or other services that use Heat internally) wouldn't need a change to<br>
Heat's policy.json.<br>
<br>
If that kind of approach is feasible I'd be happy to submit a change.<br>
<br>
Cheers,<br>
<br>
Johannes<br>
<br>
-- <br>
Johannes Grassler, Cloud Developer<br>
SUSE Linux GmbH, HRB 21284 (AG Nürnberg)<br>
GF: Felix Imendörffer, Jane Smithard, Graham Norton<br>
Maxfeldstr. 5, 90409 Nürnberg, Germany<br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe<br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div>
</span></font>
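<p>The security-relevant question in the message above is which callers each candidate <code>stacks:global_index</code> rule lets through. The following is an added example, not code from Heat, Magnum, oslo.policy or either poster: a small Python model of the oslo.policy rule language (only <code>role:</code>, <code>rule:</code>, <code>@</code>, <code>!</code> and <code>or</code>/<code>and</code> chains) evaluated over constructed credentials for a tenant admin, the Magnum service user and an ordinary member. The <code>DEFAULT_POLICY</code> entries are reproduced from memory of Heat's shipped policy.json of that era and should be checked against your tree; the credential dictionaries and user names are made up for the example.</p>

```python
"""Toy evaluator for oslo.policy-style rule strings, written for this page to
show what the three stacks:global_index settings mentioned in the thread let
through.  It is not code from Heat, Magnum or oslo.policy (Heat evaluates
policy.json with oslo.policy's Enforcer); it implements only the subset of the
rule language needed here: "role:<name>", "rule:<name>", "@" (always allow),
"!" (never allow) and "or"/"and" chains without parentheses or "not"."""

# Heat's shipped default at the time: nobody may list stacks globally.
# (Reproduced from memory of heat's etc/heat/policy.json; verify against your tree.)
DEFAULT_POLICY = {
    "deny_everybody": "!",
    "stacks:global_index": "rule:deny_everybody",
}

# What the Magnum documentation asked operators to set.
DOC_POLICY = {"stacks:global_index": "role:admin"}

# What the message proposes as a new Heat default.
PROPOSED_POLICY = {"stacks:global_index": "role:service"}

# Constructed credentials for three callers.  Real oslo.policy creds carry more
# keys (project_id, user_id, ...); only "roles" matters for these rules.
TENANT_ADMIN = {"user": "alice", "project": "customer-a", "roles": ["admin", "_member_"]}
MAGNUM_SERVICE = {"user": "magnum", "project": "service", "roles": ["service"]}
PLAIN_MEMBER = {"user": "bob", "project": "customer-b", "roles": ["_member_"]}


def check(rule, creds, policy):
    """Evaluate one rule string against creds; "or" binds looser than "and"."""
    rule = rule.strip()
    if " or " in rule:
        return any(check(part, creds, policy) for part in rule.split(" or "))
    if " and " in rule:
        return all(check(part, creds, policy) for part in rule.split(" and "))
    if rule == "@":
        return True
    if rule in ("!", ""):
        return False
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        # Indirection to another named rule; an undefined name denies.
        return check(policy.get(value, "!"), creds, policy)
    raise ValueError("unsupported rule term: %r" % rule)


def enforce(action, creds, policy):
    """True if creds may perform action under policy.  An action with no rule
    is denied here (oslo.policy would first consult a "default" rule)."""
    return check(policy.get(action, "!"), creds, policy)


def who_can_global_index(policy):
    """Names of the constructed callers allowed a global stack-list under policy."""
    callers = [TENANT_ADMIN, MAGNUM_SERVICE, PLAIN_MEMBER]
    return sorted(c["user"] for c in callers
                  if enforce("stacks:global_index", c, policy))


if __name__ == "__main__":
    for name, policy in [("default", DEFAULT_POLICY),
                         ("magnum docs (role:admin)", DOC_POLICY),
                         ("proposed (role:service)", PROPOSED_POLICY)]:
        print("%-28s %s" % (name, who_can_global_index(policy)))
```

<p>Under the documented <code>role:admin</code> rule the tenant admin <code>alice</code> can list every project's stacks, which is the over-grant the message objects to; under the proposed <code>role:service</code> rule only the <code>magnum</code> service account passes, and the shipped default lets nobody through. A deployment that needs both could write <code>"role:admin or role:service"</code>, but that reintroduces the tenant-admin exposure.</p>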
</body>
</html>