← Back to team overview

openstack team mailing list archive

Re: [openstack][keystone] Service isolation?

 

Liem - 

WIth the essex release, the roles are exactly the same as they we defined in the Diablo release - to be interpreted entirely by the service.  Role is not defined beyond that point. Role was originally defined as per-tenant, so an "Admin" role on service tenant is, in effect, an "uber-admin" across all systems at this time. This accounts are, however, intended for services to be interacting agnostic of the user. Users do not, and should not, be assigned a role to this same tenant unless you're intending them to have that uber-admin permission - and that's as a side effect.

There's lots of conversation going on about the need to represent multiple roles, and have those roles relative to a number of different factors. Your own (HPs) domain suggestion is a perfect example of such.

I'm looking forward to HP's talk about domains and suggestions for improving RBAC at the design summit.

-joe


On Apr 10, 2012, at 6:44 PM, Nguyen, Liem Manh wrote:
> Hi fellow Stackers,
> 
> I am reading http://keystone.openstack.org/configuringservices.html, and it appears that for service registration, all services (or rather service users) reside within the same tenant with the same Admin role.  So, if I understand it correctly, it is then possible that a service user for Nova can actually accidentally nuke an endpoint for a Glance service, for example?  Don't we want isolation among services, i.e., a user owning one service may not modify another service that he/she did not create?
> 
> Thanks,
> Liem
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp



References