
<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">Thanks Adam and Remo, I'll check it out.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 21 April 2014 01:59, Remo Mattei <span dir="ltr"><<a href="mailto:remo@italy1.com" target="_blank">remo@italy1.com</a>></span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Hi Reza, <div>as Adam suggested, I have in fact, created a new lab for some of the new hire regarding this topic. Here is the public URL you can use to follow the instruction on how to do this. </div>


<div><br></div><div><a href="http://docs.openstack.org/developer/horizon/topics/policy.html" target="_blank">http://docs.openstack.org/developer/horizon/topics/policy.html</a></div><div><br></div><div><br><div><br><blockquote type="cite">


<div></div>

  
  <div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">

    <div>On 04/17/2014 02:15 AM, Reza

      Bakhshayeshi wrote:<br>

    </div>

    <blockquote type="cite">

      <div dir="ltr">

        <div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">Hi,</div>

        <div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066"><br>

        </div>

        <div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">

          I want to integrate an external service with keystone, in a

          way that only an authorized user in keystone could make access

          to that service.</div>

        <div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">

          In the simplest form, consider it as a web service which

          receive the user's request and return a specific feature of

          his/her instance.</div>

        <div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">

          Surely, users should be unable to see other's instance

          specifications, and must be authorized in the keystone.</div>

        <div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">What do

          you think is the best way of performing this scenario?</div>

      </div>

    </blockquote>

    <br>

    Use RBAC, create a Role specific to your new service, and only

    assign that role to people that you trust.  Create a policy file

    that checks for that the calling user has that role before any

    operations. <br>

    <blockquote type="cite">

      <div dir="ltr">

        <div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066"><br>

        </div>

        <div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">Thanks,</div>

        <div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066">

          Reza</div>

        <div class="gmail_default" style="font-family:tahoma,sans-serif;color:#000066"><br>

        </div>

      </div>

      <br>

      <fieldset></fieldset>

      <br>

      <pre>_______________________________________________

Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>

Post to     : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>

Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>

</pre>

    </blockquote>

    <br></div></div>

  
!DSPAM:1,53543175213691779914982!


</div><div class="">


_______________________________________________<br>Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>


Post to     : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>


<br><br></div>!DSPAM:1,53543175213691779914982!<br></blockquote></div><br><div><br></div></div></div><br>_______________________________________________<br>

Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>

Post to     : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>

Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>

<br></blockquote></div><br></div>