[openstack-dev] [Sahara] Questions about how Sahara use trust ?

michael mccune msm at redhat.com
Tue Jul 14 03:47:02 UTC 2015


On 07/13/2015 09:40 PM, Li, Chen wrote:
> Hi mike,
>
> Thanks, this is very helpful.
>
> Summary:
>
> 1. The purpose of admin user & proxy user is the same => to work without the user's own username & password.

sort of, the proxy user is to work without the user's credentials, 
whereas the admin user needs a trust to operate on the user's project 
resources (clusters).

> 2. For transient cluster, what sahara needs is to be able to operate.

correct.

> 3. For swift access, using the user's own credentials is not safe, because the credentials are not used by sahara only; they will appear in "user space" (on the cluster nodes) in the end.
>      Using admin user is silly; it doesn't gain any benefit, but creates a bigger risk.

correct.

> => proxy user must (better to) use proxy user, for security reasons.
> => transient cluster can work both ways, but proxy user introduces extra effect which is not necessary, so admin user is enough.

i would say that is accurate.

mike


