[openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.

Dolph Mathews dolph.mathews at gmail.com
Fri Jul 10 14:57:37 UTC 2015


How about using domain-based role assignments in keystone and requiring
domain-level authorization in policy, and then only returning data about
the collection of tenants that belong to the authorized domain? That way
you don't have an API that violates multi-tenant isolation, consumable only
by cloud operators.

On Wed, Jul 8, 2015 at 6:27 AM, Filip Blaha <filip.blaha at hp.com> wrote:

> Hi all,
>
> I started implementing bp [1]. The problem is that congress needs data about
> environments from all tenants, but the murano API lists only environments of
> the user's current tenant. We decided to implement it similarly to listing
> servers in nova, where there is a query parameter all_tenants=true for that
> (the user must be admin). I have 2 questions about that:
>
> 1) Are there any security concerns about this approach?
> 2) Does someone have a better idea of how to implement this?
>
> [1]
> https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search
>
> Regards
> Filip
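The domain-scoped listing suggested in the reply above, as an added sketch that is not Murano, Congress or keystone code. The `Context` fields, `list_environments`, the role name and the sample data are hypothetical; it assumes the token has already been validated and that each project's owning domain is known.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: project (tenant) id -> owning keystone domain id.
PROJECT_DOMAIN = {"p1": "domA", "p2": "domA", "p3": "domB"}
# Constructed environments as (environment id, tenant id); "p9" has no known domain.
ENVIRONMENTS = [("env-1", "p1"), ("env-2", "p2"), ("env-3", "p3"), ("env-4", "p9")]


class Forbidden(Exception):
    """Raised when the request scope does not authorize the listing."""


@dataclass(frozen=True)
class Context:
    """Hypothetical request context built from a validated keystone token."""
    roles: frozenset                  # roles granted on the token's scope
    project_id: Optional[str] = None  # set for project-scoped tokens
    domain_id: Optional[str] = None   # set for domain-scoped tokens


def list_environments(ctx, all_tenants=False, required_role="admin"):
    """Return environment ids visible to ctx without crossing domain boundaries."""
    if not all_tenants:
        # Default behaviour described in the thread: only the current tenant.
        if ctx.project_id is None:
            raise Forbidden("project-scoped token required")
        return [env for env, tenant in ENVIRONMENTS if tenant == ctx.project_id]

    # Cross-tenant listing needs domain-level authorization: the role must be
    # assigned on a domain and the token scoped to that domain. A project-scoped
    # admin token is rejected here, unlike a global all_tenants switch.
    if ctx.domain_id is None or required_role not in ctx.roles:
        raise Forbidden("domain-scoped token with role %r required" % required_role)

    # Fail closed: tenants whose domain is unknown are never returned.
    return [env for env, tenant in ENVIRONMENTS
            if PROJECT_DOMAIN.get(tenant) == ctx.domain_id]


if __name__ == "__main__":
    domain_admin = Context(roles=frozenset({"admin"}), domain_id="domA")
    print(list_environments(domain_admin, all_tenants=True))
```
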