[Openstack] [openstack][keystone] Service isolation?
Jay Pipes
jaypipes at gmail.com
Wed Apr 11 17:23:32 UTC 2012
On 04/10/2012 09:44 PM, Nguyen, Liem Manh wrote:
> Hi fellow Stackers,
>
> I am reading http://keystone.openstack.org/configuringservices.html, and it appears that for service registration, all services (or rather service users) reside within the same tenant with the same Admin role. So, if I understand it correctly, it is then possible that a service user for Nova can actually accidentally nuke an endpoint for a Glance service, for example? Don't we want isolation among services, i.e., a user owning one service may not modify another service that he/she did not create?
Hi Liem!
As Joe Heck noted, the concept of roles hasn't changed from the Diablo
codebase, and there is certainly the danger of a service tenant user
nuking an endpoint for a different service, as you describe above. In
Glance, we added a config option "admin_role" that can be set to guard
against this, however. Just set admin_role = glance_admin and create a
glance_admin role in Keystone and just assign the Glance service user
(and only that user) that role...
Kind of a hacky workaround, but it works...
Best,
-jay
More information about the Openstack
mailing list