[openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.

Tim Hinrichs tim at styra.com
Fri Jul 10 16:02:49 UTC 2015


We sometimes want the ability to write policy across tenants, e.g. VMs from
Coke and Pepsi must always be deployed on different hosts.

I didn't think there were any roles that could see everything without
all_tenants=true.  If there are such roles, I'd be happy to remove the
all_tenants=true from the datasource drivers.

Tim


On Fri, Jul 10, 2015 at 8:00 AM Dolph Mathews <dolph.mathews at gmail.com>
wrote:

> How about using domain-based role assignments in keystone and requiring
> domain-level authorization in policy, and then only returning data about
> the collection of tenants that belong to the authorized domain? That way
> you don't have an API that violates multi-tenant isolation, consumable only
> by cloud operators.
>
> On Wed, Jul 8, 2015 at 6:27 AM, Filip Blaha <filip.blaha at hp.com> wrote:
>
>> Hi all,
>>
>> I started implementing bp [1]. The problem is that congress needs data about
>> environments from all tenants, but the murano API lists only environments of
>> the user's current tenant. We decided to implement it similarly to listing
>> servers in nova, where there is a query parameter all_tenants=true for that
>> (user must be admin). I have 2 questions about that:
>>
>> 1) Are there any security concerns about this approach?
>> 2) Does someone have a better idea how to implement this?
>>
>> [1]
>> https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search
>>
>> Regards
>> Filip
>>
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
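
The two scoping approaches discussed in this thread, side by side, as an added Python example that is not murano, congress or keystone code. `Context`, both `list_*` functions, the sample environments and the project-to-domain map are hypothetical names and constructed data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: three environments in three tenants (projects),
# and a hypothetical project -> keystone domain mapping.
ENVS = [
    {"id": "e1", "tenant_id": "coke-dev"},
    {"id": "e2", "tenant_id": "coke-prod"},
    {"id": "e3", "tenant_id": "pepsi-prod"},
]
PROJECT_DOMAIN = {"coke-dev": "coke", "coke-prod": "coke", "pepsi-prod": "pepsi"}


class Forbidden(Exception):
    """The token does not authorize the requested scope."""


@dataclass(frozen=True)
class Context:
    """Hypothetical request context built from a validated keystone token."""
    roles: frozenset
    project_id: Optional[str] = None  # set for project-scoped tokens
    domain_id: Optional[str] = None   # set for domain-scoped tokens


def list_all_tenants(ctx, envs, all_tenants=False):
    """Nova-style flag: admin sees every tenant, everyone else only their own."""
    if not all_tenants:
        return [e for e in envs if e["tenant_id"] == ctx.project_id]
    if "admin" not in ctx.roles:
        raise Forbidden("all_tenants=true requires the admin role")
    return list(envs)


def list_domain_scoped(ctx, envs, project_domain):
    """Domain-level authorization: return only tenants of the authorized domain."""
    if ctx.domain_id is None:
        # Project-scoped token: fall back to the caller's own tenant.
        return [e for e in envs if e["tenant_id"] == ctx.project_id]
    return [e for e in envs if project_domain.get(e["tenant_id"]) == ctx.domain_id]


def ids(envs):
    """Helper: environment ids, in listing order."""
    return [e["id"] for e in envs]
```

With this sample data a token scoped to the `coke` domain lists `e1` and `e2` but never `e3`, while only the admin path with `all_tenants=True` returns all three.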