[openstack-dev] [neutron] Why does nova.network.neutronv2.get_client(context, admin=True) drop auth_token?
Dolph Mathews
dolph.mathews at gmail.com
Thu Aug 29 01:42:36 UTC 2013
On Wed, Aug 28, 2013 at 7:22 PM, Yongsheng Gong <gongysh at unitedstack.com>wrote:
> For admin, we must use admin token. In general, the token from API
> context is not of role admin.
>
So... because the authenticated user making the API request *may not* have
"admin" access, you're dropping that authorization in favor of using
CONF.neutron_admin_username, etc, to escalate the available privileges?
Yikes.
>
> I think the BP can help
> https://blueprints.launchpad.net/keystone/+spec/reuse-token
>
I don't see how?
>
>
> On Thu, Aug 29, 2013 at 8:12 AM, Roman Verchikov <rverchikov at mirantis.com>wrote:
>
>> Hi stackers!
>>
>> Sorry for the stupid question, but why does
>> nova.network.neutronv2.get_client() [1] drop auth_token for admin? Is it
>> really necessary to make another check for username/password when trying to
>> get a list of ports or floating IPs?..
>>
>> When keystone is configured with LDAP backed this leads to a bunch of
>> LDAP requests which tend to be quite slow. Plus those LDAP requests could
>> have been simply skipped when keystone is configured with token cache
>> enabled.
>>
>> Thanks,
>> Roman
>>
>> [1]
>> https://github.com/openstack/nova/blob/master/nova/network/neutronv2/__init__.py#L68
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
--
-Dolph
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130828/4c7adb97/attachment.html>
More information about the OpenStack-dev
mailing list