<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Hi Reza, <div>as Adam suggested, I have in fact, created a new lab for some of the new hire regarding this topic. Here is the public URL you can use to follow the instruction on how to do this. </div><div><br></div><div><a href="http://docs.openstack.org/developer/horizon/topics/policy.html">http://docs.openstack.org/developer/horizon/topics/policy.html</a></div><div><br></div><div><br><div><br class="Apple-interchange-newline"><blockquote type="cite"><div></div>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/17/2014 02:15 AM, Reza
Bakhshayeshi wrote:<br>
</div>
<blockquote cite="mid:CAMGoRG3X2gdvVP-5GZ-t1Kx5Gn+sqg-E0XqXJBgfXLBJijFMCw@mail.gmail.com" type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">Hi,</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066"><br>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">
I want to integrate an external service with keystone, in a
way that only an authorized user in keystone could make access
to that service.</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">
In the simplest form, consider it as a web service which
receive the user's request and return a specific feature of
his/her instance.</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">
Surely, users should be unable to see other's instance
specifications, and must be authorized in the keystone.</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">What do
you think is the best way of performing this scenario?</div>
</div>
</blockquote>
<br>
Use RBAC, create a Role specific to your new service, and only
assign that role to people that you trust. Create a policy file
that checks for that the calling user has that role before any
operations. <br>
<blockquote cite="mid:CAMGoRG3X2gdvVP-5GZ-t1Kx5Gn+sqg-E0XqXJBgfXLBJijFMCw@mail.gmail.com" type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066"><br>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">Thanks,</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">
Reza</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066"><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
</pre>
</blockquote>
<br>
!DSPAM:1,53543175213691779914982!
</div>
_______________________________________________<br>Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br><br><br>!DSPAM:1,53543175213691779914982!<br></blockquote></div><br><div><br></div></div></body></html>