[Openstack-operators] Service Catalog TNG urls

Xav Paice xavpaice at gmail.com
Sun Dec 6 22:09:58 UTC 2015


On 7 December 2015 at 05:38, Clint Byrum <clint at fewbar.com> wrote:

> Excerpts from Xav Paice's message of 2015-12-05 13:26:23 -0800:
> > >
>
> I respect that this is what works for you and we shouldn't require you to
> change your ways without good reason. However, I just want to point out
> that if you don't trust Keystone's own ACLs to prevent administrative
> access by users who haven't been granted access, then you also don't
> trust Keystone to keep users out of each other's accounts!
>
>
That's an excellent point, and one which scares me quite a lot.  But that's
the sad reason we need two lots of API servers - so even if someone were to
get hold of an admin userid/password, they still can't go deleting the
entire cloud.  It does at least limit the damage.



> That said, if there really is a desire to keep admin functions separate
> from user functions, why not formalize that and make it an entirely
> separate service in the catalog? So far, Keystone is the only service
> to make use of "adminurl". So a valid path forward is to simply make it
> a different entry.
>

Keystone is indeed the only one that does this - I hesitate to say "right"
because it might not be.

I'm not sure I follow when you say separate service - you mean a completely
different service, with a full set of endpoints?  Makes sense if the
projects that use the catalogue also honour that, but I don't know I see
the difference between having a different service for admin requests, and a
split admin url and public url.  Maybe I'm just being thick here, but I had
thought that was the original intention despite it never being used by
anyone other than Keystone.


