[openstack-dev] [ceilometer] Could we use admin privilege in compute node?

Jiang, Yunhong yunhong.jiang at intel.com
Sun Nov 11 15:01:37 UTC 2012


Hey!
	This was asked on the IRC metering list. I decided to discuss it on the mailing list to avoid it being ignored on IRC during the weekend. Sorry for the dual discussion.

	I noticed the latest ceilometer code uses the nova client to get all instances on the host. I'm not sure whether this will cause a security issue, because this query requires admin while it's executed on the compute node. Usually a compute node is not as trusted as other service nodes.
	If this is really an issue, it raises a more generic question. According to http://ceilometer.readthedocs.org/en/latest/configuration.html, Ceilometer has the options os-username/os-password to access OpenStack services. Should we provide two configurations: one for functions like the collector, which is separate from the compute node and may require administrator privilege, and another for functions like the compute pollster, which runs on the compute node?

	I'm not sure if my concerns make sense and hope to get some feedback from the list. If yes, I plan to cook patches for the following changes:
	a) Update the nova side, so that if "all_tenants" is passed and policy.json supports the role's compute.get_all access, it will return all instances, without depending on admin privilege.
	b) Update ceilometer, with two options for os_username/os_password.

	BTW, I noticed os-username in ./ceilometer/service.py and os_username in ./ceilometer/nova_client.py. Is it a typo, or will it work in the cfg environment? I have no test environment at hand and can't test it.

Thanks
--jyh