[openstack-dev] [openstack][Magnum] ways to get CA certificate in make-cert.sh from Magnum
wanghua.humble at gmail.com
Fri Feb 5 03:51:55 UTC 2016
Magnum now use a token to get CA certificate in make-cert.sh. Token has a
expiration time. So we should change this method. Here are two proposals.
1. Use trust which I have introduced in . The way has a disadvantage. We
can't limit the access to some APIs. For example, if we want to add a
limitation that some APIs can only be accessed from Bay and can't be
accessed by users outside. We need a way to distinguish these users, from
Bay or from outside.
2. We create a user with the role to access Magnum. The way is used in
Heat. Heat creates a user for each stack to communicate with Heat. We can
add a role to the user which is already introduced in . The user can
directly access Magnum for some limited APIs. With trust id, the user can
access other services.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev