openstack team mailing list archive

Thread
Date

Re: [Metering] External API definition

To: Doug Hellmann <doug.hellmann@xxxxxxxxxxxxx>
From: Nick Barcet <nick.barcet@xxxxxxxxxxxxx>
Date: Wed, 09 May 2012 08:48:40 -0700
Cc: openstack@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CADb+p3RxD7XtBG2yVzXiFq5q787jXx_Crv-nomdFLpAJZq8kCQ@mail.gmail.com>
Openpgp: id=5FECBD92
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1

On 05/09/2012 08:36 AM, Doug Hellmann wrote:
> 
> 
> On Tue, May 8, 2012 at 8:43 PM, Nick Barcet <nick.barcet@xxxxxxxxxxxxx
> <mailto:nick.barcet@xxxxxxxxxxxxx>> wrote:
> 
>     On 05/08/2012 11:39 AM, Doug Hellmann wrote:
>     [..]
>     >     * Requests must be authenticated (separate from keystone, or
>     only linked
>     >     to accounting type account)
>     >
>     >
>     > What is the motivation for authenticating with a service other than
>     > keystone?
> 
>     The only thing I am trying to express here is that that profiles that
>     have access to other OpenStack components should not necessarily have
>     access to metering information.  This information should be accessible
>     only a few select users which group may or may not intersect with users
>     stored in Keystone already.
> 
> 
> I see. Is it enough to say that the API is meant for "admin" users only,
> or does that still imply more access than we want to grant?

I don't see the point to try to restrict admins from this, as it would
be mostly pointless in the end, but I do see the need to define a type
of account which only right is to consult this information without any
other privilege.

Nick

Attachment: signature.asc
Description: OpenPGP digital signature

References

[Metering] External API definition
From: Nick Barcet, 2012-05-08
Re: [Metering] External API definition
From: Doug Hellmann, 2012-05-08
Re: [Metering] External API definition
From: Nick Barcet, 2012-05-09
Re: [Metering] External API definition
From: Doug Hellmann, 2012-05-09