How about using domain-based role assignments in keystone and requiring domain-level authorization in policy, and then only returning data about the collection of tenants that belong to the authorized domain? That way you don't have an API that violates multi-tenant isolation, consumable only by cloud operators.

On Wed, Jul 8, 2015 at 6:27 AM, Filip Blaha <filip.blaha at hp.com> wrote:

> Hi all,
>
> I started to implement bp [1]. The problem is that congress needs data about
> environments from all tenants, but the murano API lists only environments of
> the user's current tenant. We decided to implement it similarly to listing
> servers in nova, where there is a query parameter all_tenants=true for that
> (user must be admin). I have 2 questions about that:
>
> 1) Are there any security concerns about this approach?
> 2) Does someone have a better idea how to implement this?
>
> [1]
> https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search
>
> Regards
> Filip
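
A sketch of the domain-scoped listing suggested in the reply above, as an added example that is not murano, congress or keystone code. The `AuthContext` fields, the `list_environments` helper, the `admin` role name and the sample projects and environments are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

class Forbidden(Exception):
    """Raised when the token scope or role does not permit the listing."""

@dataclass(frozen=True)
class AuthContext:
    # Hypothetical subset of a validated keystone token.
    roles: frozenset
    project_id: Optional[str] = None  # set on project-scoped tokens
    domain_id: Optional[str] = None   # set on domain-scoped tokens

# Constructed sample data: owning domain of each project, and stored environments.
PROJECT_DOMAIN = {"p1": "domA", "p2": "domA", "p3": "domB"}
ENVIRONMENTS = [
    {"id": "e1", "tenant_id": "p1"},
    {"id": "e2", "tenant_id": "p2"},
    {"id": "e3", "tenant_id": "p3"},
    {"id": "e4", "tenant_id": "p9"},  # project with no known domain
]

def list_environments(ctx, all_tenants=False, required_role="admin"):
    """Return the environment ids visible to ctx (role name is an assumption)."""
    if not all_tenants:
        if ctx.project_id is None:
            raise Forbidden("project-scoped token required")
        return [e["id"] for e in ENVIRONMENTS if e["tenant_id"] == ctx.project_id]
    # Cross-tenant listing: the role must be held on a domain, not on a project,
    # so a project admin cannot widen the query by adding all_tenants=true.
    if ctx.domain_id is None or required_role not in ctx.roles:
        raise Forbidden("domain-scoped token with required role needed")
    # Fail closed: a project whose domain is unknown matches no domain.
    return [e["id"] for e in ENVIRONMENTS
            if PROJECT_DOMAIN.get(e["tenant_id"]) == ctx.domain_id]

if __name__ == "__main__":
    dom_admin = AuthContext(roles=frozenset({"admin"}), domain_id="domA")
    print(list_environments(dom_admin, all_tenants=True))
```
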