[Openstack] Trove Shadow Tenant
Bruno L
teolupus.ext at gmail.com
Sat Feb 4 19:40:43 UTC 2017
Sergio,

I spoke with the Trove team at the summit. They recommend the use of a
service tenant and to harden up your DB instances (for example with
AppArmor), as a way to mitigate this risk.

You are right to say that there is little to no documentation on how to
set it up this way. You will find some info about it in a book written by
Amrith Kumar.

At Catalyst we have plans to improve the upstream docs when the time to
implement Trove comes. The current docs may be suitable for a private cloud
scenario (where you may trust your internal customers), but are not
suitable for public clouds.

If you are doing this now, you may consider submitting a few patches to the
docs! ;-)

Cheers
Bruno

On Sat, 4 Feb 2017, 5:52 AM Sergio Morales Acuña <semoac at gmail.com> wrote:
> Hi.
>
> I'm looking for information about the "Trove Shadow Tenant" feature.
>
> There are some blogs talking about this but I can't find any information about
> the configuration.
>
> I have a working implementation of Trove but the instance is created in
> the same project as the user requesting the database. This is a problem for
> me because the user can create a snapshot of the instance and capture the
> RabbitMQ password.
>
> I tried non-admin credentials for nova_proxy_*, but the instance is
> still being created in the user project. I'm using the branch stable/newton.
>
> Cheers.