[openstack-dev] [openstack][Magnum] ways to get CA certificate in make-cert.sh from Magnum
王华
wanghua.humble at gmail.com
Fri Feb 5 03:51:55 UTC 2016
Hi all,
Magnum now use a token to get CA certificate in make-cert.sh. Token has a
expiration time. So we should change this method. Here are two proposals.
1. Use trust which I have introduced in [1]. The way has a disadvantage. We
can't limit the access to some APIs. For example, if we want to add a
limitation that some APIs can only be accessed from Bay and can't be
accessed by users outside. We need a way to distinguish these users, from
Bay or from outside.
2. We create a user with the role to access Magnum. The way is used in
Heat. Heat creates a user for each stack to communicate with Heat. We can
add a role to the user which is already introduced in [1]. The user can
directly access Magnum for some limited APIs. With trust id, the user can
access other services.
[1] https://review.openstack.org/#/c/268852/
Regards,
Wanghua
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160205/2215c596/attachment.html>
More information about the OpenStack-dev
mailing list