[openstack-dev] [Barbican] Enabling GET of secrets to work irrespective of Tenant name in login
Dave McCowan (dmccowan)
dmccowan at cisco.com
Tue Nov 17 02:51:28 UTC 2015
Hi Vijay--
The recommended way for supporting that use case is to use Barbican's
ACLs. It allows users from another project/tenant to access specific
secrets.
If the "demo admin" owns a secret and wants to give read access to
"admin admin", the "demo admin" should create an ACL for the secret.
If an LBaaS user needs access to a tenant secret, the tenant admin can
create an ACL granting read access to the LBaaS user.
http://docs.openstack.org/developer/barbican/api/quickstart/acls.html
--Dave
On 11/10/15, 3:41 AM, "Vijay Venkatachalam"
<Vijay.Venkatachalam at citrix.com> wrote:
>Hi,
>
>Can we enable GET of secrets to work irrespective of Tenant name in the
>login?
>
>Consider there is an "admin" with "admin" role in "demo" tenant. I tried
>to query the "demo" tenant's secret using a login token which was
>generated from "admin" user & "admin" tenant. And I am getting a
>Forbidden error. Could we make this scenario work?
>
>UseCase:
>========
>LBaaS extension has admin credentials and generates a token and uses it
>to contact services like nova, barbican etc. It is currently using the
>same token to get the tenant's secret/certificates with the href and it
>is not working.
>
>Thanks,
>Vijay V.
>
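Dave's ACL recommendation worked through as an added example (this is not code from the thread or from Barbican itself): the ACL body the "demo" tenant admin would PUT on the secret, and a simplified model of the read decision that explains why a token from the "admin" project is refused until the LBaaS user is listed. The secret ref, project ids and user id are constructed placeholders, and the decision function is an assumption about the policy, not Barbican's own code.

```python
import json

# Constructed sample values (not from the thread): a secret owned by the
# "demo" project and the Keystone user id of the LBaaS user that needs read.
SECRET_REF = "http://barbican.example.com:9311/v1/secrets/SECRET-UUID-PLACEHOLDER"
DEMO_PROJECT_ID = "demo-project-id"
LBAAS_USER_ID = "lbaas-user-id"


def build_acl_body(user_ids, project_access=True):
    """JSON body for PUT <secret_ref>/acl, in the shape the ACL quickstart documents.

    'users' lists Keystone user ids granted the operation; 'project-access'
    says whether members of the owning project keep their default access.
    """
    return {"read": {"users": list(user_ids), "project-access": project_access}}


def acl_request(secret_ref, body):
    """The request the tenant admin sends: (method, URL, serialized body)."""
    return ("PUT", secret_ref + "/acl", json.dumps(body))


def read_allowed(token_project_id, token_user_id, owner_project_id, acl_body):
    """Simplified model (an assumption, not Barbican's policy engine) of the
    read check: a user named in the ACL passes; otherwise only callers whose
    token project is the owning project pass, and only while project-access
    is enabled. A caller from another project with no ACL entry is refused,
    which is the Forbidden error described in the original question."""
    read_acl = acl_body.get("read", {})
    if token_user_id in read_acl.get("users", []):
        return True
    return token_project_id == owner_project_id and read_acl.get("project-access", True)


if __name__ == "__main__":
    # Before the ACL: the admin-project token is refused.
    print(read_allowed("admin-project-id", LBAAS_USER_ID, DEMO_PROJECT_ID, {}))
    # After the demo admin grants read to the LBaaS user: allowed.
    body = build_acl_body([LBAAS_USER_ID])
    print(acl_request(SECRET_REF, body))
    print(read_allowed("admin-project-id", LBAAS_USER_ID, DEMO_PROJECT_ID, body))
```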