[openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.

Tim Hinrichs tim at styra.com
Wed Jul 8 13:57:27 UTC 2015


There are two things to remember here.

1) When you configure the Congress datasource driver to talk to Murano, you
choose which user rights Congress should use.  If you need to get all of
the tenants data, you want to choose an admin user for the Murano driver.
Personally I always use admin users so that I can write policy over
everything.  Typically we think of Congress as an admin tool.

2) As you point out, if the Murano driver doesn't provide all_tenants=true
argument when it makes the API call into Murano, it won't get all the data
for all the tenants; it'll only get the data for the user you provided in
(1).  Ideally, whether to pass all_tenants=true would be a datasource
configuration option, but it's not today.  The datasource drivers I've
looked at all use all_tenants=true.

Tim
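The two points in this thread (the Congress driver's configured user decides what it can see, and the Murano API only returns other tenants' environments when all_tenants=true is passed and a nova-style policy rule permits it) can be modelled in a few lines. The following is an added example, not Murano, Congress or nova code; the rule names, the tiny policy evaluator and the environment table are all constructed for illustration.

```python
"""Model of the all_tenants=true listing pattern discussed in the thread.

Constructed example, not code from Murano, Congress or nova.  It shows a
tenant-scoped list by default and a cross-tenant list only when the caller
asks for it AND a policy.json-style rule (as nova does for servers) allows it.
"""
import json

# Constructed policy file in the nova/oslo policy.json style.  The rule
# names are hypothetical, not the ones any project actually uses.
POLICY_JSON = json.dumps({
    "admin_required": "role:admin",
    "environments:list": "",                          # every authenticated user
    "environments:list:all_tenants": "rule:admin_required",
})

# Constructed environment table: which tenant owns which environment.
ENVIRONMENTS = [
    {"id": "env-1", "tenant_id": "tenant-a"},
    {"id": "env-2", "tenant_id": "tenant-b"},
    {"id": "env-3", "tenant_id": "tenant-a"},
]


class PolicyNotAuthorized(Exception):
    """Raised when a policy rule rejects the request (HTTP 403 in an API)."""


def load_policy(text):
    return json.loads(text)


def make_context(tenant_id, roles):
    """Request context as a Keystone-authenticated API would build it."""
    return {"tenant_id": tenant_id, "roles": list(roles),
            "is_admin": "admin" in roles}


def _check(rules, expr, ctx):
    """Evaluate a small subset of policy syntax: "", role:X, is_admin:True, rule:Y."""
    expr = expr.strip()
    if expr == "":
        return True
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in ctx["roles"]
    if kind == "is_admin":
        return ctx["is_admin"] == (value == "True")
    if kind == "rule":
        return _check(rules, rules[value], ctx)
    raise ValueError("unsupported policy expression: %r" % expr)


def enforce(rules, target, ctx):
    """Return True if the named rule permits the request, else False."""
    return _check(rules, rules[target], ctx)


def list_environments(rules, ctx, all_tenants=False):
    """Murano-style listing: own tenant by default, all tenants only if
    the caller requests it and the policy rule allows it."""
    if not enforce(rules, "environments:list", ctx):
        raise PolicyNotAuthorized("environments:list")
    if all_tenants:
        # The explicit check is what turns the security concern in the
        # thread into an auditable, admin-only capability.
        if not enforce(rules, "environments:list:all_tenants", ctx):
            raise PolicyNotAuthorized("environments:list:all_tenants")
        return list(ENVIRONMENTS)
    return [e for e in ENVIRONMENTS if e["tenant_id"] == ctx["tenant_id"]]


def congress_fetch(rules, driver_ctx):
    """What a Congress datasource driver would do: always ask for all
    tenants.  Which tenants it actually sees depends entirely on the
    user it was configured with (point 1 of the reply)."""
    envs = list_environments(rules, driver_ctx, all_tenants=True)
    return sorted({e["tenant_id"] for e in envs})


if __name__ == "__main__":
    rules = load_policy(POLICY_JSON)
    print(congress_fetch(rules, make_context("tenant-a", ["admin"])))
```

A non-admin that passes all_tenants=true gets a policy error rather than a silently narrowed list, which is the behaviour that makes misconfiguration visible in logs; a driver configured with an ordinary tenant user would fail loudly instead of quietly producing incomplete policy data.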




On Wed, Jul 8, 2015 at 5:16 AM Kirill Zaitsev <kzaitsev at mirantis.com> wrote:

> 1) This does raise a security concern. We can however cover it with a
> separate policy-based permission, that would check if a user can view all
> tenants. nova seems to do so, see:
> https://github.com/openstack/nova/blob/4209d0140774adf3e162b7bde3cbd6b417065dd5/etc/nova/policy.json#L13
>
> 2) Will give it some thought, but it does seem like an ok practice.
>
> --
> Kirill Zaitsev
> Murano team
> Software Engineer
> Mirantis, Inc
>
> On 8 Jul 2015 at 14:44:51, Filip Blaha (filip.blaha at hp.com) wrote:
>
> Hi all,
>
> I started implementing bp [1]. The problem is that congress needs data about
> environments from all tenants but the murano API lists only environments of
> the user's current tenant. We decided to implement it similarly to
> listing servers in nova, where there is a query parameter all_tenants=true for
> that (user must be admin). I have 2 questions about that:
>
> 1) Are there any security concerns about this approach?
> 2) Does someone have a better idea how to implement this?
>
> [1]
> https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search
>
> Regards
> Filip
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>