[Openstack] Trove Shadow Tenant

Mark Kirkwood mark.kirkwood at catalyst.net.nz
Sun Feb 5 22:22:00 UTC 2017


Hi Sergio,

With respect to the rabbit security - you can (and probably should) use 
a different rabbit server for the trove message queue, i.e. not your 
openstack rabbit. I *think* this is mentioned in the trove deployment 
docs these days (it didn't use to be), and it is easy to miss wherever 
it is mentioned! However this by itself is not enough really - as your 
trove rabbit can be DoS'd/hacked to cause mayhem to all running trove 
instances.


The shadow tenant seems like the plan. However you are absolutely 
correct - how to actually set it up is...err not that well documented. 
I've made a comment on one of the various blogs to that effect. I'm 
hoping it will spur one of the experts to show us in detail how it is 
done :-)


regards


Mark


On 04/02/17 05:42, Sergio Morales Acuña wrote:
> Hi.
>
> I'm looking for information about the "Trove Shadow Tenant" feature.
>
> There are some blogs talking about this but I can't find any information 
> about the configuration.
>
> I have a working implementation of Trove but the instance is created 
> in the same project as the user requesting the database. This is a 
> problem for me because the user can create a snapshot of the instance 
> and capture the RabbitMQ password.
>
> I tried non-admin credentials for nova_proxy_*, but the instance is 
> still being created in the user project. I'm using the branch 
> stable/newton.
>
> Cheers.