[Openstack] Essex-3 : Nova api calls with keystone doubt

Alejandro Comisario alejandro.comisario at mercadolibre.com
Fri Mar 2 20:28:55 UTC 2012


Hi openstack list.

Sorry to ask this, but I have a strong doubt about how the "endpoint" 
config in keystone actually works when you make a nova api call (we are 
using Essex-3).

First, let me set up a use case:

     user1 -> tenant1 -> zone1 (private nova endpoint)
     user2 -> tenant2 -> zone2 (private nova endpoint)

So, we know that python-novaclient actually checks for a "nova" endpoint to 
exist in order to make a request, but what about a nova api call made 
directly? (curl, for example)
We realized that using the tenant1 token to query or create instances on 
zone2 is possible, and with tenant2 it is possible to query or create 
instances on zone1.
And still, the tenant1 token can query and create instances over the 
tenant2 id on the resource "v1.1/TENANT_ID/server".

So, if there is any, is there a way to configure keystone / nova to 
actually do what python-novaclient does regarding the sanity check of 
whether there is a "nova" endpoint associated with the tenant when 
curling the nova-api port?
Second, how can we prevent a token from tenant1 from accessing resources 
of tenant2?

Best regards.
alejandro.
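As an added illustration (this is not from the original post, and it is not nova's or keystone's own code), the following Python sketch shows the two checks the question asks for, in the form an authorization filter in front of nova-api could apply to every request, whether it comes from python-novaclient or from curl: the tenant in the URL path must be the tenant the token is scoped to, and the tenant's service catalog must contain a compute endpoint for the zone serving the request (the same sanity check the post attributes to python-novaclient). The `TOKENS` table, the zone names, the `TokenInfo` record and the `authorize` function are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field


# Hypothetical, simplified view of a validated keystone token: the tenant it is
# scoped to and that tenant's service catalog (service type -> endpoints).
@dataclass
class TokenInfo:
    token_id: str
    tenant_id: str
    catalog: dict = field(default_factory=dict)


# Constructed sample tokens matching the use case in the post:
#   user1 -> tenant1 -> zone1 (private endpoint)
#   user2 -> tenant2 -> zone2 (private endpoint)
TOKENS = {
    "tok-tenant1": TokenInfo("tok-tenant1", "tenant1", {
        "compute": [{"region": "zone1",
                     "publicURL": "http://zone1:8774/v1.1/tenant1"}],
    }),
    "tok-tenant2": TokenInfo("tok-tenant2", "tenant2", {
        "compute": [{"region": "zone2",
                     "publicURL": "http://zone2:8774/v1.1/tenant2"}],
    }),
}

# In the v1.1 API the tenant id is the first path segment after the version.
PATH_RE = re.compile(r"^/v1\.1/(?P<tenant_id>[^/]+)(?:/|$)")


def tenant_from_path(path):
    """Extract the tenant id from a nova v1.1 request path, or None if absent."""
    match = PATH_RE.match(path)
    return match.group("tenant_id") if match else None


def authorize(token_id, path, zone):
    """Decide whether `token_id` may act on `path` served by nova-api in `zone`.

    Returns (http_status, reason): 200 when allowed, 401 when the token is
    unknown, 400 when the path carries no tenant id, and 403 when the token
    is scoped to another tenant or the tenant has no compute endpoint here.
    """
    info = TOKENS.get(token_id)
    if info is None:
        return 401, "unknown token"

    url_tenant = tenant_from_path(path)
    if url_tenant is None:
        return 400, "no tenant id in path"

    # Check 1: the tenant named in the URL must be the tenant the token is
    # scoped to; this is what stops a tenant1 token acting on tenant2's id.
    if url_tenant != info.tenant_id:
        return 403, "token scoped to %s, path names %s" % (info.tenant_id,
                                                          url_tenant)

    # Check 2: the tenant's catalog must contain a compute endpoint for the
    # zone answering the request, so a tenant cannot reach a zone it was
    # never given an endpoint for.
    endpoints = info.catalog.get("compute", [])
    if not any(ep.get("region") == zone for ep in endpoints):
        return 403, "tenant %s has no compute endpoint in %s" % (info.tenant_id,
                                                                zone)

    return 200, "ok"


if __name__ == "__main__":
    cases = [
        ("tok-tenant1", "/v1.1/tenant1/servers", "zone1"),  # own tenant, own zone
        ("tok-tenant1", "/v1.1/tenant1/servers", "zone2"),  # own tenant, other zone
        ("tok-tenant1", "/v1.1/tenant2/servers", "zone2"),  # other tenant's id
        ("tok-tenant2", "/v1.1/tenant1/servers", "zone1"),  # other tenant's id
        ("tok-bogus",   "/v1.1/tenant1/servers", "zone1"),  # unknown token
    ]
    for tok, path, zone in cases:
        print(tok, path, zone, "->", authorize(tok, path, zone))
```

The point of placing both checks on the API side rather than in the client is that curl, or any other caller that skips python-novaclient, then gets exactly the same answer as the client does; the zone check only works if each zone's compute endpoint is registered in keystone under a region name the API can compare against.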