[Openstack] Nova + KeyStone Admin Question

Vishvananda Ishaya vishvananda at gmail.com
Wed Feb 1 00:43:14 UTC 2012


We have been treating 'Admin' (or 'admin' as I prefer) as meaning admin of the entire cloud, regardless of whether a tenant id is set.  The recent rbac changes introduced allow the policy to be completely customized by the deployer however, so they would be free to define a different role such as 'superuser'. We currently do however have some special handling in nova based on the role 'admin', so that seems like the best choice.

As a side note, we do want to remove the special handling, but at that point we might introduce a flag to represent a role that should be considered to have superuser privileges.

Vish
 
On Jan 31, 2012, at 4:08 PM, Shivan Bindal wrote:

> Hi,
> 
> I've got a quick question regarding RightScale's OpenStack integration.  At one point, when someone decides to connect their OpenStack cloud with RightScale, we need to authenticate that that user is authorized to connect their cloud to RightScale.  (Those users get some extra privileges, not the least of which is the ability to delete the cloud from the system, which could have an impact on an unaware user).
> 
> We recognize authorization by requesting that the user give us admin credentials to their cloud.  (Think of this as an enterprise user who wants to connect their Piston OpenStack cloud with RightScale.)  The question I have is -- how do you recommend we validate that the credentials we've received are in fact Admin?
> 
> In our current integration of Diablo + KeyStone, we post to the provided KeyStone endpoint with the supposedly admin credentials.  We then ensure that the role "Admin" is included in the response along with the Nova service in the service catalog.
> 
> Should we add a check to see if the user is associated with any tenant?  We are currently thinking about checking if TenantID is nil hoping that this means 'admin of all tenants'. 
> 
> What would you recommend we do?  Ideally, there would be an API call that only admin credentials on Nova would be allowed to make.  Is there such an API call (we couldn't see any such call in the Nova API Documentation)?  Do you have any other suggestions?
> 
> Thanks!
> 
> --
> Shivan Bindal
> Product Manager
> shivan at rightscale.com
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
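The check Shivan describes (post credentials to Keystone, then require the admin role and the Nova service in the returned document) can be written as a small validator. The following is an added example, not code from this thread, from RightScale, or from Nova/Keystone; the token document it parses is a constructed Keystone v2.0-shaped sample with placeholder ids, and the role and service names it requires are parameters, since, as Vish notes, the deployer's policy decides which role means cloud admin and the spelling ('Admin' vs 'admin') should not matter. The tenant id is reported but deliberately not required to be empty, because an admin token scoped to a tenant is still a cloud admin under the semantics described above.

```python
import json
from typing import Iterable

# Constructed sample Keystone v2.0 token response; every id and URL is a
# placeholder, not data from any real deployment. It has the shape the thread
# discusses: roles under access.user.roles and a service catalog.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access": {
        "token": {
            "id": "TOKEN-ID-PLACEHOLDER",
            "expires": "2012-02-01T01:00:00Z",
            "tenant": {"id": "tenant-id-placeholder", "name": "ops"},
        },
        "user": {
            "id": "user-id-placeholder",
            "name": "cloudadmin",
            "roles": [{"name": "Admin"}, {"name": "Member"}],
        },
        "serviceCatalog": [
            {"type": "compute", "name": "nova",
             "endpoints": [{"publicURL": "http://nova.example.invalid:8774/v1.1/tenant-id-placeholder"}]},
            {"type": "identity", "name": "keystone",
             "endpoints": [{"publicURL": "http://keystone.example.invalid:5000/v2.0"}]},
        ],
    }
})


def role_names(access: dict) -> set:
    """Lower-cased role names from the token's user block, so 'Admin' and 'admin' compare equal."""
    roles = access.get("user", {}).get("roles", [])
    return {r.get("name", "").lower() for r in roles if isinstance(r, dict)}


def service_types(access: dict) -> set:
    """Service types advertised in the catalog ('compute' is Nova)."""
    catalog = access.get("serviceCatalog", [])
    return {s.get("type", "").lower() for s in catalog if isinstance(s, dict)}


def check_admin_credentials(response_json: str,
                            admin_roles: Iterable[str] = ("admin",),
                            required_services: Iterable[str] = ("compute",)) -> dict:
    """Validate a Keystone token response the way the post describes: the token must
    have been issued, carry one of the deployer-configured admin roles, and list the
    required services. Returns 'ok' plus human-readable 'reasons' for any failure."""
    reasons = []
    try:
        access = json.loads(response_json)["access"]
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "reasons": ["response is not a Keystone v2.0 token document"],
                "roles": [], "tenant_id": None}

    if not access.get("token", {}).get("id"):
        reasons.append("no token id: authentication did not succeed")

    wanted = {r.lower() for r in admin_roles}
    found = role_names(access)
    if not wanted & found:
        reasons.append("none of the admin roles %s present (roles: %s)"
                       % (sorted(wanted), sorted(found)))

    missing = {s.lower() for s in required_services} - service_types(access)
    if missing:
        reasons.append("service catalog lacks: %s" % sorted(missing))

    tenant = access.get("token", {}).get("tenant") or {}
    return {
        "ok": not reasons,
        "reasons": reasons,
        "roles": sorted(found),
        # Reported, not required: an admin token scoped to a tenant is still
        # a cloud admin, so "tenant id is nil" is not a usable admin test.
        "tenant_id": tenant.get("id"),
    }


if __name__ == "__main__":
    print(check_admin_credentials(SAMPLE_TOKEN_RESPONSE))
    print(check_admin_credentials(SAMPLE_TOKEN_RESPONSE, admin_roles=("superuser",)))
```

Because the role name is a parameter, a deployment that renames the cloud-admin role (the 'superuser' case Vish mentions) is handled by configuration rather than by a code change, and a token that authenticates but lacks the role is reported with the roles it actually carried, which is the line you want in an audit log when a connection attempt is refused.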


