[openstack-dev] [openstack][Magnum] ways to get CA certificate in make-cert.sh from Magnum

Corey O'Brien coreypobrien at gmail.com
Fri Feb 5 11:42:55 UTC 2016


I'm not sure I understand the use case. Can you explain the use case you
are trying to solve?

Corey

On Fri, Feb 5, 2016, 02:07 王华 <wanghua.humble at gmail.com> wrote:

> Hi Corey,
>
> The user is root on those nodes and can get any credentials on those
> nodes. We cannot avoid that, but in this way we can disallow those users
> who cannot log in to the nodes from accessing some limited APIs.
>
> Regards,
> Wanghua
>
> On Fri, Feb 5, 2016 at 12:24 PM, Corey O'Brien <coreypobrien at gmail.com>
> wrote:
>
>> There currently isn't a way to distinguish between the user who creates the
>> bay and the nodes in the bay, because the user is root on those nodes. Any
>> credential that the node uses to communicate with Magnum is going to be
>> accessible to the user.
>>
>> Since we already have the trust, that seems like the best way to proceed
>> for now just to get something working.
>>
>> Corey
>>
>> On Thu, Feb 4, 2016 at 10:53 PM 王华 <wanghua.humble at gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> Magnum now uses a token to get the CA certificate in make-cert.sh. The token
>>> has an expiration time, so we should change this method. Here are two proposals.
>>>
>>> 1. Use the trust which I have introduced in [1]. This way has a disadvantage:
>>> we can't limit access to some APIs. For example, if we want to add a
>>> limitation that some APIs can only be accessed from the Bay and can't be
>>> accessed by users outside, we need a way to distinguish these users, from
>>> the Bay or from outside.
>>>
>>> 2. We create a user with the role to access Magnum. This way is used in
>>> Heat: Heat creates a user for each stack to communicate with Heat. We can
>>> add the role, which is already introduced in [1], to that user. The user can
>>> directly access Magnum for some limited APIs. With the trust id, the user can
>>> access other services.
>>>
>>> [1] https://review.openstack.org/#/c/268852/
>>>
>>> Regards,
>>> Wanghua
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>
>