[openstack-dev] [openstack][magnum]Create trustee user for each bay

王华 wanghua.humble at gmail.com
Thu Dec 24 08:54:13 UTC 2015


Hi yuanying,

How can a user know about another user's trust_id? If the user can know the
trust_id in another user's instance (maybe by logging in to the instance), then other
secrets can be known, too.
In this case, creating a different user for each bay also has a security
risk. So I think the security is based on the security of the instance.

Regards,
Wanghua


On Thu, Dec 24, 2015 at 4:20 PM, 大塚元央 <yuanying at oeilvert.org> wrote:

> Hi, Hua.
>
> I agree with you if trust_id is secret.
> But I think trust_id is not a secret.
> A user can know trustee_user_name and trustee_password from k8s/swarm
> instances.
> If a user knows about another user's trust_id, the user can use the other user's
> swift resources.
> This will be a security risk.
>
> Thanks
> -yuanying
>
> On Thu, Dec 24, 2015 at 16:49, 王华 <wanghua.humble at gmail.com> wrote:
>
>> Hi all,
>>
>> I want to create a trustee user for each bay [1]. The discussion for
>> trust is in [2].
>>
>> Here is my solution:
>> I don't create a user for each bay. All the bays, no matter who creates them,
>> use the same user.
>> But we create a different trust for the user for each different bay. The user
>> cannot access any service without the trust id. So there is no need to
>> create a user for each bay.
>>
>>
>> [1]
>> https://blueprints.launchpad.net/magnum/+spec/create-trustee-user-for-each-bay
>> [2] https://review.openstack.org/#/c/254705/
>>
>> Regards,
>> Wanghua
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
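The two designs debated in this thread, as an added toy model (not Magnum or Keystone code, and not written by either poster). It assumes the Keystone rule that a trust can only be consumed by the trustee it names; `ToyKeystone`, `alice`, `bob`, `magnum_trustee` and all passwords and trust ids are hypothetical, constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor: str   # bay owner who delegated access
    trustee: str   # service user allowed to consume the trust

class ToyKeystone:
    """Toy model: a trust-scoped token needs trustee credentials AND the trust_id."""
    def __init__(self):
        self.passwords = {}
        self.trusts = {}

    def add_user(self, name, password):
        self.passwords[name] = password

    def add_trust(self, trust):
        self.trusts[trust.trust_id] = trust

    def trust_token(self, user, password, trust_id):
        """Return the trustor being acted for, or None if the request is refused."""
        if self.passwords.get(user) != password:
            return None
        trust = self.trusts.get(trust_id)
        if trust is None or trust.trustee != user:
            return None  # only the trust's own trustee may consume it
        return trust.trustor

def build(per_bay_trustee):
    """Create one bay each for alice and bob; return (keystone, per-bay secrets)."""
    ks, bay_secrets = ToyKeystone(), {}
    for owner in ("alice", "bob"):
        trustee = f"trustee_{owner}" if per_bay_trustee else "magnum_trustee"
        password = f"pw-{trustee}"       # constructed value
        trust_id = f"trust-{owner}"      # constructed value
        ks.add_user(trustee, password)
        ks.add_trust(Trust(trust_id, owner, trustee))
        bay_secrets[owner] = (trustee, password, trust_id)
    return ks, bay_secrets

def cross_bay_access(per_bay_trustee):
    """Credentials read from alice's own bay, combined with bob's trust_id."""
    ks, secrets = build(per_bay_trustee)
    user, password, _ = secrets["alice"]
    return ks.trust_token(user, password, secrets["bob"][2])

def full_instance_compromise(per_bay_trustee):
    """Every secret stored in bob's bay instance is known."""
    ks, secrets = build(per_bay_trustee)
    return ks.trust_token(*secrets["bob"])
```

With a shared trustee, the trust_id is the only value separating one bay's delegation from another's; with a per-bay trustee, a trust_id alone is not enough, while full access to an instance exposes that bay's delegation in either design.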