
openstack team mailing list archive

Essex-3 : Nova api calls with keystone doubt


Hi openstack list.

Sorry to ask this, but I have a strong doubt about how the "endpoint" config in keystone actually works when you make a nova api call (we are using Essex-3).

First, let me setup a use case :

    user1 -> tenant1 -> zone1 (private nova endpoint)
    user2 -> tenant2 -> zone2 (private nova endpoint)

So, we know that python-novaclient actually checks for a "nova" endpoint to exist in order to make a request, but what about a nova api call made directly? (curl for example) We realized that if we use the tenant1 token to query or create instances on zone2, it is possible, and with tenant2 it is possible to query or create instances on zone1. And still, a tenant1 token can query and create instances over the tenant2 id on the resource "v1.1/TENANT_ID/server".

So, if there is any, is there a way to configure keystone / nova to actually do what python-novaclient does regarding the sanity check of whether there is a "nova" endpoint associated with the tenant when curling the nova-api port? Second, how can we prevent a token from tenant1 from accessing resources of tenant2?

Best regards.
alejandro.
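The two checks the post asks for, written out as an added illustration that is not code from the post, from Nova or from Keystone: a server-side gate that (1) mirrors the client-side "is there a compute endpoint for this tenant in this zone" check so a raw curl request gets the same refusal python-novaclient would give, and (2) refuses a request whose URL tenant id differs from the tenant the validated token was issued for. The token payloads, the `make_token` helper, the `authorize` function, the use of the catalog endpoint "region" to stand in for the post's "zone", and the `served_region` parameter are all constructed assumptions for this example; the token shape is only loosely modelled on a Keystone v2 validated token.

```python
"""Illustrative tenant/endpoint scoping check for a tenant-prefixed API URL.

Added example, not Nova or Keystone code. Token payloads are constructed for
illustration, loosely shaped like a Keystone v2 validated token
(access.token.tenant.id, access.serviceCatalog[].type == "compute").
The post's "zone" is modelled here as the catalog endpoint "region".
"""
import re
from typing import Optional

# Tenant-prefixed resource paths of the v1.1 compute API, e.g.
# /v1.1/<tenant_id>/servers or /v1.1/<tenant_id>/servers/<server_id>
TENANT_PATH = re.compile(r"^/v1\.1/(?P<tenant>[^/]+)(/|$)")


def tenant_from_path(path: str) -> Optional[str]:
    """Return the tenant id embedded in the request path, or None."""
    m = TENANT_PATH.match(path)
    return m.group("tenant") if m else None


def compute_regions(token: dict) -> set:
    """Regions (zones) in which the token's catalog lists a compute endpoint."""
    regions = set()
    for service in token["access"].get("serviceCatalog", []):
        if service.get("type") != "compute":
            continue
        for endpoint in service.get("endpoints", []):
            regions.add(endpoint.get("region"))
    return regions


def authorize(path: str, token: dict, served_region: str) -> str:
    """Decide whether this validated token may act on this path in this region.

    Deny by default; returns "allow" or a "deny: <reason>" string.
    """
    token_tenant = token["access"]["token"].get("tenant", {}).get("id")
    if not token_tenant:
        return "deny: token is not scoped to a tenant"

    url_tenant = tenant_from_path(path)
    if url_tenant is None:
        return "deny: path carries no tenant id"

    # Check (2): a token issued for tenant1 must not act in tenant2's URL space.
    if url_tenant != token_tenant:
        return "deny: URL tenant %s does not match token tenant %s" % (url_tenant, token_tenant)

    # Check (1): the server-side twin of novaclient's catalog lookup, so a
    # direct curl against this zone is refused unless the tenant has a
    # compute endpoint here.
    if served_region not in compute_regions(token):
        return "deny: no compute endpoint for tenant %s in region %s" % (token_tenant, served_region)

    return "allow"


def make_token(tenant_id: str, region: str) -> dict:
    """Build a constructed v2-style validated token with one compute endpoint."""
    return {
        "access": {
            "token": {"id": "tok-" + tenant_id, "tenant": {"id": tenant_id}},
            "serviceCatalog": [
                {
                    "type": "compute",
                    "name": "nova",
                    "endpoints": [
                        {
                            "region": region,
                            # constructed, non-routable sample URL
                            "publicURL": "http://%s.example.invalid/v1.1/%s" % (region, tenant_id),
                        }
                    ],
                }
            ],
        }
    }


if __name__ == "__main__":
    t1 = make_token("tenant1", "zone1")
    print(authorize("/v1.1/tenant1/servers", t1, "zone1"))  # allow
    print(authorize("/v1.1/tenant2/servers", t1, "zone2"))  # denied: tenant mismatch
    print(authorize("/v1.1/tenant1/servers", t1, "zone2"))  # denied: no endpoint in zone2
```

The tenant comparison is the check that closes the "tenant1 token on v1.1/TENANT2_ID/servers" case from the post; the region comparison is only as strong as the catalog Keystone returns, so it assumes the catalog is populated per tenant rather than with one global compute endpoint.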