<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>Hi openstack list.<br>
<br>
Sorry to ask this, but I have a strong doubt on how the "endpoint"
config in keystone actually works when you make a nova api call
(we are using Essex-3)<br>
<br>
First, let me set up a use case:<br>
<br>
user1 -> tenant1 -> zone1 (private nova endpoint)<br>
user2 -> tenant2 -> zone2 (private nova endpoint)<br>
<br>
So, we know that python-novaclient actually checks for a "nova" to
exist in order to make a request, but what about a direct nova api
call? (curl, for example)<br>
We realized that using the tenant1 token to query or create
instances on zone2 is possible, and with tenant2, it is possible to
query or create instances on zone1.<br>
And still, the tenant1 token can query and create instances over
the tenant2 id on the resource "v1.1/TENANT_ID/server"<br>
<br>
So, if there is any, is there a way to configure keystone / nova
to actually do what python-novaclient does regarding the sanity
check whether there is a "nova" endpoint associated with the tenant
when curling the nova-api port?<br>
Second, how can we prevent a token from tenant1 from accessing
resources of tenant2?<br>
<br>
Best regards.<br>
</tt>
<div class="moz-signature"><font color="#666666">alejandro.</font><br>
</div>
</body>
</html>