[openstack-dev] [Sahara] Questions about how Sahara use trust ?

Li, Chen chen.li at intel.com
Mon Jul 13 01:45:18 UTC 2015


Hi Andrew,

Thanks for the reply.

Do you mean:

1. The admin user is used by the transient cluster mainly to make it work.

2. The proxy user is the more secure way to do the same thing.

Should we use the proxy user in all situations then? Should this be a bp or just a bug?


Thanks.
-chen


From: Andrew Lazarev [mailto:alazarev at mirantis.com]
Sent: Friday, July 10, 2015 11:39 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Sahara] Questions about how Sahara use trust ?

Hi Chen,

As I remember, proxy users were added for security reasons. When one user creates a cluster in Sahara, he should not get access to the data of other users.

Thanks,
Andrew.

On Thu, Jul 9, 2015 at 11:12 PM, Li, Chen <chen.li at intel.com> wrote:
Hi Sahara guys,


When Sahara creates a transient cluster, it creates a trust with the Sahara admin user.
https://github.com/openstack/sahara/blob/master/sahara/service/ops.py#L239-L240
https://github.com/openstack/sahara/blob/master/sahara/service/trusts.py#L79

When Sahara deals with Swift, it creates a trust too, but:
sahara admin user => create a proxy domain => set in sahara.conf
=> sahara creates a proxy user in the domain
=> create a trust with the proxy user.
https://github.com/openstack/sahara/blob/master/sahara/utils/proxy.py#L110
https://github.com/openstack/sahara/blob/master/sahara/utils/proxy.py#L265


My questions are:
Why not use a proxy user for the transient cluster?
Or, why is a proxy user needed for Swift, instead of using the Sahara admin user directly?

Looking forward to your reply.


Thanks.
-chen
