[openstack-dev] [novaclient]should administrator can see all servers of all tenants by default?

Lingxian Kong anlin.kong at gmail.com
Tue Oct 15 07:54:34 UTC 2013


Then, what's the conclusion that we can begin to start?


2013/10/15 Christopher Yeoh <cbkyeoh at gmail.com>

> On Tue, Oct 15, 2013 at 10:25 AM, Caitlin Bestler <
> caitlin.bestler at nexenta.com> wrote:
>
>> On 10/14/2013 8:37 AM, Ben Nemec wrote:
>>
>>> I agree that this needs to be fixed.  It's very counterintuitive, if
>>> nothing else (which is also my argument against requiring all-tenants
>>> for admin users in the first place).  The only question for me is
>>> whether to fix it in novaclient or in Nova itself.
>>>
>>
>> If it is fixed in novaclient, then any unscrupulous tenant would be able
>> to unfix it in novaclient themselves and gain the same information about
>> other tenants that the bug is allowing.
>>
>> So if the intent is to protect leakage of information across tenant lines
>> then the correct solution is a real lock (i.e. in Nova) rather
>> than just a screen door "lock".
>>
>>
> The novaclient fix for V2 would be simply to automatically pass
> all-tenants where needed. It would not give a non-admin user any extra
> privileges even if they modified novaclient.
>
> Chris
>


-- 
*--------------------------------------------*
*Lingxian Kong*
Huawei Technologies Co.,LTD.
IT Product Line CloudOS PDU
China, Xi'an
Mobile: +86-18602962792
Email: konglingxian at huawei.com; anlin.kong at gmail.com
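
The point argued in the quoted replies (tenant isolation has to be enforced by the server, so a client that adds all-tenants by default cannot widen a non-admin's view) as an added example; it is not part of the original message and is not Nova or novaclient code. `RequestContext`, `list_servers`, `client_list` and the sample inventory are hypothetical, and the model assumes the server honours `all_tenants` only for an admin context.

```python
# Simplified model of server-side tenant scoping (hypothetical, not Nova's code).
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """Identity the server derives from the validated token, never from the query."""
    user: str
    project_id: str
    is_admin: bool


# Constructed sample inventory: (server name, owning project).
SERVERS = [
    ("web-1", "tenant-a"),
    ("db-1", "tenant-a"),
    ("batch-1", "tenant-b"),
    ("mon-1", "admin"),
]


def list_servers(ctx, query):
    """Server-side handler: all_tenants is only a request; the context decides."""
    wants_all = str(query.get("all_tenants", "0")).lower() in ("1", "true")
    if wants_all and ctx.is_admin:
        return [name for name, _ in SERVERS]
    # Non-admins, and admins who did not ask, are scoped to their own project.
    return [name for name, project in SERVERS if project == ctx.project_id]


def client_list(ctx, auto_all_tenants):
    """Client-side convenience: optionally add all_tenants to every list call.

    In a real deployment ctx is rebuilt by the server from the token; it is
    passed directly here only to keep the model in one process.
    """
    query = {"all_tenants": 1} if auto_all_tenants else {}
    return list_servers(ctx, query)


admin = RequestContext("ops", "admin", is_admin=True)
tenant = RequestContext("alice", "tenant-a", is_admin=False)

if __name__ == "__main__":
    print("admin, flag omitted:   ", client_list(admin, False))
    print("admin, flag automatic: ", client_list(admin, True))
    print("tenant, modified client:", client_list(tenant, True))
```
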