← Back to team overview

openstack team mailing list archive

Re: Nova + KeyStone Admin Question

 

Great.  Thanks Vish!  We'll revert with further questions if they come up.

--
Shivan Bindal
Product Manager
shivan@xxxxxxxxxxxxxx



On Tue, Jan 31, 2012 at 4:43 PM, Vishvananda Ishaya
<vishvananda@xxxxxxxxx>wrote:

> We have been treating 'Admin' (or 'admin' as I prefer) as meaning admin of
> the entire cloud, regardless of whether a tenant id is set.  The recent
> rbac changes introduced allows the policy to be completely customized by
> the deployer however, so they would be free to define a different role such
> as 'superuser'. We currently do however have some special handling in nova
> based on the role 'admin', so that seems like the best choice.
>
> As a side note, we do want to remove the special handling, but at that
> point we might introduce a flag to represent a role that should be
> considered to have superuser privileges.
>
> Vish
>
> On Jan 31, 2012, at 4:08 PM, Shivan Bindal wrote:
>
> Hi,
>
> I've got a quick question regarding RightScale's OpenStack integration.
> At one point, when someone decides to connect their OpenStack cloud with
> RightScale, we need to authenticate that that user is authorized to connect
> their cloud to RightScale.  (Those users get some extra privileges, not the
> least of which is the ability to delete the cloud from the system, which
> could have an impact to an unaware user).
>
> We recognize authorization by requesting that the user give us admin
> credentials to their cloud.  (Think of this as an enterprise user who wants
> to connect their Piston OpenStack cloud with RightScale.)  The question I
> have is -- how do you recommend we validate that the credentials we've
> received are in fact Admin?
>
> In our current integration of Diablo + KeyStone, we post to the provided
> KeyStone endpoint with the supposedly admin credentials.  We then ensure
> that the role "Admin" is included in the response along with the Nova
> service in the service catalog.
>
> Should we add a check to see if the user is associated with any tenant?
> We are currently thinking about checking if TenantID is nil hoping that
> this means 'admin of all tenants'.
>
> What would you recommend we do?  Ideally, there would be an API call that
> only admin credentials on Nova would be allowed to make.  Is there such an
> API call (we couldn't see any such call in the Nova API Documentation)?  Do
> you have any other suggestions?
>
> Thanks!
>
> --
> Shivan Bindal
> Product Manager
> shivan@xxxxxxxxxxxxxx
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
>

References