[openstack-dev] [Sahara] Questions about how Sahara use trust ?
michael mccune
msm at redhat.com
Tue Jul 14 03:47:02 UTC 2015
On 07/13/2015 09:40 PM, Li, Chen wrote:
> Hi mike,
>
> Thanks, this is very helpful.
>
> Summary:
>
> 1. The purpose of admin user & proxy user are the same => to work without user's own username & password.
sort of, the proxy user is to work without the user's credentials,
whereas the admin user needs a trust to operate on the user's project
resources (clusters).
> 2. For transient cluster, what sahara need is to be able to operate.
correct.
> 3. For swift access , using user's own credentials is not safe. Because the credentials is not used by sahara only, it will appear in "user space" (on the cluster nodes) at end.
> Using admin user is silly, doesn't gain any benefit, but create a more huge risk.
correct.
> => proxy user must(better to) use proxy user, for security reason.
> => transient cluster can work both way, but proxy user introduce extra effect which is not nessary, so admin user is enough.
i would say that is accurate.
mike
More information about the OpenStack-dev
mailing list