Hi Dolph Thanks for idea. Is this approach used somewhere for similar use-case I described? If so please point it out. Thanks Filip On 07/10/2015 04:57 PM, Dolph Mathews wrote: > How about using domain-based role assignments in keystone and > requiring domain-level authorization in policy, and then only > returning data about the collection of tenants that belong to the > authorized domain? That way you don't have an API that violates > multi-tenant isolation, consumable only by cloud operators. > > On Wed, Jul 8, 2015 at 6:27 AM, Filip Blaha <filip.blaha at hp.com > <mailto:filip.blaha at hp.com>> wrote: > > Hi all, > > I started implement bp [1]. Problem is that congress needs data > about environments from all tenants but murano API lists only > environments of user's current tenant. We decided to ipmplement it > similarly like listing servers in nova where is query parameter > all_tenants=true for that (user must be admin) I have 2 questions > about that: > > 1) Are there any security concerns about this approach? > 2) Has someone better idea how to implement this? > > [1] > https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search > > Regards > Filip > > > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: > OpenStack-dev-request at lists.openstack.org?subject:unsubscribe > <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150713/580b77b4/attachment.html>