[Openstack] User separation in nova (w/o keystone)
Lorin Hochstein
lorin at isi.edu
Tue Oct 18 18:17:15 UTC 2011
Does nova (without keystone) provide any isolation across users' instances? In our deployment (which is based on code merged from trunk from about two weeks ago), we've found that one user can see another user's instances, terminate another user's instances, etc. Keypairs do seem to be isolated, though.
On the other hand, I tried out devstack, which uses keystone, and the demo user wasn't able to see instances launched by the admin user. Is this isolation a feature of keystone, or is this some issue in our setup (e.g., users set up incorrectly, wrong flag somewhere)?
Here's what we saw when testing this out:
Root:
# nova-manage user create test_user1
# nova-manage project create test_user1 admin
# nova-manage project add test_user1 test_user1
# nova-manage project environment test_user1 test_user1 novarc-user1
# nova-manage user create test_user2
# nova-manage project create test_user2 admin
# nova-manage project add test_user2 test_user2
# nova-manage project environment test_user2 test_user2 novarc-user2
test_user1:
test_user1 at cluster ~ $ source novarc-user1
test_user1 at cluster ~ $ euca-describe-keypairs
KEYPAIR user1 d0:56:69:08:9b:60:e3:82:b2:7d:ee:e6:57:84:dd:65
test_user1 at cluster ~ $ euca-run-instances -t m1.tiny -k user1 ami-0000000b
RESERVATION r-4a722y62 test_user1 default
INSTANCE i-00000009 ami-0000000b pending user1 (test_user1, gpu1) 1 m1.tiny 2011-10-18T15:09:54Z nova ami-00000000 ami-00000000
test_user1 at cluster ~ $ euca-describe-instances
RESERVATION r-4a722y62 test_user1 default
INSTANCE i-00000009 ami-0000000b 10.99.1.3 10.99.1.3 pending user1 (test_user1, gpu1) 1 m1.tiny 2011-10-18T15:09:54Z nova ami-00000000 ami-00000000
test_user2:
test_user2 at cluster ~ $ source novarc-user2
test_user2 at cluster ~ $ euca-describe-keypairs
test_user2 at cluster ~ $ euca-describe-instances
RESERVATION r-4a722y62 test_user1 default
INSTANCE i-00000009 ami-0000000b 10.99.1.3 10.99.1.3 running user1 (test_user1, gpu1) 1 m1.tiny 2011-10-18T15:09:54Z nova ami-00000000 ami-00000000
Lorin
--
Lorin Hochstein, Computer Scientist
USC Information Sciences Institute
703.812.3710
http://www.east.isi.edu/~lorin
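As an added check that is not part of the post above (nor of nova or euca2ools), the following script parses euca-describe-instances output in the column layout shown in the transcript and flags every reservation whose owner column differs from the project the caller expects to see, so the isolation question can be re-tested after any configuration change. It assumes the third column of a RESERVATION line is the owning project, as in the output above; the embedded sample is the listing test_user2 got.

```python
# Constructed sample: the euca-describe-instances output test_user2 saw in the
# post above (whitespace-separated columns, as euca2ools prints them).
SAMPLE_USER2_OUTPUT = """\
RESERVATION r-4a722y62 test_user1 default
INSTANCE i-00000009 ami-0000000b 10.99.1.3 10.99.1.3 running user1 (test_user1, gpu1) 1 m1.tiny 2011-10-18T15:09:54Z nova ami-00000000 ami-00000000
"""


def parse_reservations(output):
    """Group INSTANCE lines under the RESERVATION line that precedes them.

    Returns a list of dicts {"id": reservation id, "owner": owner column,
    "instances": [instance ids]}. Lines of any other record type are ignored,
    and an INSTANCE line with no preceding RESERVATION is skipped.
    """
    reservations = []
    current = None
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "RESERVATION" and len(fields) >= 3:
            current = {"id": fields[1], "owner": fields[2], "instances": []}
            reservations.append(current)
        elif fields[0] == "INSTANCE" and current is not None and len(fields) >= 2:
            current["instances"].append(fields[1])
    return reservations


def foreign_instances(output, expected_owner):
    """Return {reservation_id: (owner, [instance ids])} for every reservation
    whose owner column is not expected_owner (assumed: owner == project).

    An empty dict means the listing is isolated to expected_owner."""
    leaks = {}
    for r in parse_reservations(output):
        if r["owner"] != expected_owner:
            leaks[r["id"]] = (r["owner"], r["instances"])
    return leaks


if __name__ == "__main__":
    # Re-run against live output with: euca-describe-instances | python isolation_check.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_USER2_OUTPUT
    for res_id, (owner, ids) in foreign_instances(data, "test_user2").items():
        print("reservation %s owned by %s is visible: %s" % (res_id, owner, ", ".join(ids)))
```

A clean run prints nothing; on the listing from the post it reports r-4a722y62 (owner test_user1, instance i-00000009) as visible to test_user2.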