| Thread Previous • Date Previous • Date Next • Thread Next |
On 04/10/2012 09:44 PM, Nguyen, Liem Manh wrote:
Hi fellow Stackers, I am reading http://keystone.openstack.org/configuringservices.html, and it appears that for service registration, all services (or rather service users) reside within the same tenant with the same Admin role. So, if I understand it correctly, it is then possible that a service user for Nova can actually accidentally nuke an endpoint for a Glance service, for example? Don't we want isolation among services, i.e., a user owning one service may not modify another service that he/she did not create?
Hi Liem!As Joe Heck noted, the concept of roles hasn't changed from the Diablo codebase, and there is certainly the danger of a service tenant user nuking an endpoint for a different service, as you describe above. In Glance, we added a config option "admin_role" that can be set to guard against this, however. Just set admin_role = glance_admin and create a glance_admin role in Keystone and just assign the Glance service user (and only that user) that role...
Kind of a hacky workaround, but it works... Best, -jay
| Thread Previous • Date Previous • Date Next • Thread Next |
