openstack team mailing list archive

Thread
Date

Essex-3 : Nova api calls with keystone doubt

To: openstack@xxxxxxxxxxxxxxxxxxx
From: Alejandro Comisario <alejandro.comisario@xxxxxxxxxxxxxxxx>
Date: Fri, 02 Mar 2012 17:28:55 -0300
User-agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2

Hi openstack list.

Sorry to ask this, but i have a strong doubt on how the "endpoint"config in keystone actually works when you make a nova api call (we areusing Essex-3)


First, let me setup a use case :

    user1 -> tenant1 -> zone1 (private nova endpoint)
    user2 -> tenant2 -> zone2 (private nova endpoint)

So, we know that python-novaclient actually checks for a "nova" toexists in order to make a request, but what about nova api call directly? ( curl for example )We realized that if we use the tenant1 token to query or createinstances on zone2 is possible, and with tenant2, is possible to queryor create instances on zone1.And still, tenant1 token, can query and create instances over tenant2 idon the resource "v1.1/TENANT_ID/server"

So, if there is any, is there a way to configure keystone / nova toactually do, what python nova-client does regarding the sanity checkwhether there is a "nova" endpoint asociated with the tenant whencurling the nova-api port ?Second, how can we prevent for token from tenant1 to access resources oftenant2 ?


Best regards.
alejandro.