[openstack-dev] [Ceilometer] Event API Access Controls

Julien Danjou julien at danjou.info
Mon Aug 5 08:04:02 UTC 2013


On Sat, Aug 03 2013, Herndon, John Luke (HPCS - Ft. Collins) wrote:

Hi John,

> Hello, I'm currently implementing the event api blueprint[0], and am
> wondering what access controls we should impose on the event api. The
> purpose of the blueprint is to provide a StackTach equivalent in the
> ceilometer api. I believe that StackTach is used as an internal tool which
> end with no access to end users. Given that the event api is targeted at
> administrators, I am currently thinking that it should be limited to admin
> users only. However, I wanted to ask for input on this topic. Any arguments
> for opening it up so users can look at events for their resources? Any
> arguments for not doing so?

You should definitely use the policy system we have in Ceilometer to
check that the user is authenticated and has admin privileges. We
already have such a mechanism in ceilometer.api.acl.

I don't see any point to expose raw operator system data to the users.
That could even be dangerous security-wise.

-- 
Julien Danjou
// Free Software hacker / freelance consultant
// http://julien.danjou.info