
openstack team mailing list archive

Nova + KeyStone Admin Question


Hi,

I've got a quick question regarding RightScale's OpenStack integration.  At
one point, when someone decides to connect their OpenStack cloud with
RightScale, we need to authenticate that that user is authorized to connect
their cloud to RightScale.  (Those users get some extra privileges, not the
least of which is the ability to delete the cloud from the system, which
could have an impact on an unaware user).

We recognize authorization by requesting that the user give us admin
credentials to their cloud.  (Think of this as an enterprise user who wants
to connect their Piston OpenStack cloud with RightScale.)  The question I
have is -- how do you recommend we validate that the credentials we've
received are in fact Admin?

In our current integration of Diablo + KeyStone, we post to the provided
KeyStone endpoint with the supposedly admin credentials.  We then ensure
that the role "Admin" is included in the response along with the Nova
service in the service catalog.

Should we add a check to see if the user is associated with any tenant?  We
are currently thinking about checking if TenantID is nil hoping that this
means 'admin of all tenants'.

What would you recommend we do?  Ideally, there would be an API call that
only admin credentials on Nova would be allowed to make.  Is there such an
API call (we couldn't see any such call in the Nova API Documentation)?  Do
you have any other suggestions?

Thanks!

--
Shivan Bindal
Product Manager
shivan@xxxxxxxxxxxxxx
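
The validation the mail describes (post credentials to the Keystone endpoint, then require the "Admin" role in the response and the Nova service in the service catalog), written out as an added example. This is not code from the mail, from RightScale or from OpenStack: the request body follows the Keystone v2.0 password-auth shape, the sample `/tokens` responses are constructed, and every URL, name and ID in them is made up. The checker also reports whether the returned token is tenant-scoped, leaving it to the caller to decide what an unscoped token means.

```python
"""Validate that a Keystone v2.0 token response represents an admin user.

Added example (not code from the original mail, RightScale or OpenStack):
it runs the two checks the mail describes -- the "Admin" role is present in
the token response and the Nova ("compute") service appears in the service
catalog -- against constructed Keystone v2.0 /tokens responses. The sample
responses, URLs, names and IDs below are all made up for the example.
"""


def build_auth_request(username, password, tenant_name=None):
    """Request body for POST <keystone>/v2.0/tokens with password credentials."""
    body = {"auth": {"passwordCredentials": {"username": username,
                                             "password": password}}}
    if tenant_name is not None:
        # Scope the token to a tenant; omit it to request an unscoped token.
        body["auth"]["tenantName"] = tenant_name
    return body


def check_admin(token_response, admin_role="Admin"):
    """Report which admin checks a /tokens response passes.

    Returns a dict so the caller can log exactly which check failed
    instead of getting a bare boolean.
    """
    access = token_response.get("access", {})
    roles = {r.get("name") for r in access.get("user", {}).get("roles", [])}
    catalog = access.get("serviceCatalog", [])
    has_nova = any(svc.get("type") == "compute" for svc in catalog)
    tenant = access.get("token", {}).get("tenant")  # absent on unscoped tokens
    return {
        "has_admin_role": admin_role in roles,
        "has_nova_service": has_nova,
        "tenant_scoped": tenant is not None,
        "tenant_id": tenant.get("id") if tenant else None,
    }


def is_admin(token_response, admin_role="Admin"):
    """True only when both checks from the mail pass."""
    result = check_admin(token_response, admin_role)
    return result["has_admin_role"] and result["has_nova_service"]


# Constructed sample: tenant-scoped token for a user holding the Admin role.
SAMPLE_ADMIN_RESPONSE = {
    "access": {
        "token": {"id": "tok-admin-0001", "expires": "2012-01-01T00:00:00Z",
                  "tenant": {"id": "tenant-1", "name": "ops"}},
        "user": {"id": "u-1", "name": "cloudadmin",
                 "roles": [{"name": "Admin"}, {"name": "Member"}]},
        "serviceCatalog": [
            {"type": "compute", "name": "nova",
             "endpoints": [{"publicURL": "http://nova.example.test/v1.1/tenant-1"}]},
            {"type": "identity", "name": "keystone",
             "endpoints": [{"publicURL": "http://keystone.example.test/v2.0"}]},
        ],
    }
}

# Constructed sample: ordinary member with no Admin role and an unscoped token.
SAMPLE_MEMBER_RESPONSE = {
    "access": {
        "token": {"id": "tok-member-0002", "expires": "2012-01-01T00:00:00Z"},
        "user": {"id": "u-2", "name": "alice", "roles": [{"name": "Member"}]},
        "serviceCatalog": [
            {"type": "compute", "name": "nova",
             "endpoints": [{"publicURL": "http://nova.example.test/v1.1/tenant-2"}]},
        ],
    }
}


if __name__ == "__main__":
    for label, resp in (("admin", SAMPLE_ADMIN_RESPONSE),
                        ("member", SAMPLE_MEMBER_RESPONSE)):
        print(label, check_admin(resp), "-> admin:", is_admin(resp))
```

`check_admin` returns each check separately so that a failed validation can be logged with the reason (missing role versus missing Nova endpoint) rather than silently rejected; `is_admin` combines them exactly as the mail's current integration does.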
