[Openstack] Trove Shadow Tenant
Mark Kirkwood
mark.kirkwood at catalyst.net.nz
Sun Feb 5 22:22:00 UTC 2017
Hi Sergio,
With respect to the rabbit security - you can (and probably should) use
a different rabbit server for the trove message queue i.e not your
openstack rabbit. I *think* this is mentioned in the trove deployment
docs these days (it didn't used to be), and it is easy to miss wherever
it is mentioned! However this by itself is not enough really - as your
trove rabbit can be dos'd/hacked to cause mayhem to all running trove
instances.
The shadow tenant seems like the plan. However you are absolutely
correct - how to actually set it up is...err not that well documented.
I've made a comment on one of the various blogs to that effect. I'm
hoping it will spur one of the experts to show us in detail how it is
done :-)
regards
Mark
On 04/02/17 05:42, Sergio Morales Acuña wrote:
> Hi.
>
> I'm looking for information about the "Trove Shadow Tenant" feature.
>
> There some blogs talking about this but I can't find any information
> about the configuration.
>
> I have a working implementation of Trove but the instance is created
> in the same project as the user requesting the database. This is a
> problem for me because the user can create a snapshot of the instance
> and capture the RabbitMQ password.
>
> I tried a non-admin credentials for nova_proxy_*, but the instance is
> still been created in the user project. I'm using the branch
> stable/newton.
>
> Cheers.
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
More information about the Openstack
mailing list