[openstack-dev] [openstack][Magnum] ways to get CA certificate in make-cert.sh from Magnum

王华 wanghua.humble at gmail.com
Fri Feb 5 03:51:55 UTC 2016

Hi all,

Magnum now use a token to get CA certificate in make-cert.sh. Token has a
expiration time. So we should change this method. Here are two proposals.

1. Use trust which I have introduced in [1]. The way has a disadvantage. We
can't limit the access to some APIs. For example, if we want to add a
limitation that some APIs can only be accessed from Bay and can't be
accessed by users outside. We need a way to distinguish these users, from
Bay or from outside.

2. We create a user with the role to access Magnum. The way is used in
Heat. Heat creates a user for each stack to communicate with Heat. We can
add a role to the user which is already introduced in [1]. The user can
directly access Magnum for some limited APIs. With trust id, the user can
access other services.

[1] https://review.openstack.org/#/c/268852/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160205/2215c596/attachment.html>

More information about the OpenStack-dev mailing list