Hi Soren,

On 10 February 2014 08:27, Soren Hansen <so...@linux2go.dk> wrote:
> I've just taken a look at the feedback in the whiteboard. If it's ok,
> I'd like to take this discussion back to the mailing list. I find the
> whiteboards somewhat clumsy for discussions.
>
> Akihiro Motoki points out that all services should work without the
> dashboard. Keystone already exposes an API to create new users, so
> that requirement is already fulfilled, whether there's an intermediate
> service or not, so I don't really understand this objection.
>
> Kieran Spear argues in favour of a separate registration service that
> Horizon talks to over some sort of RPC interface. He argues that
> putting Keystone admin credentials on a public-facing webserver is a
> security risk.
>
> I agree that putting admin credentials on a public web server is a
> security risk, but I'm not sure why a set of restricted admin
> credentials that only allow you to create users and tenants is a
> bigger problem than the credentials for a separate registration service
> that performs the exact same operations?
The third (and most dangerous) operation here is the role grant. I don't think any Keystone policy could be specific enough to prevent arbitrary member role assignment in this case. How do you express the following as a set of policies in Keystone?

"Allow a user to create a new user and a new project and grant the member role for only that user on only that project."

There may be other ways around this particular case, but in these situations I accept that mistakes are inevitable, and another layer of isolation helps to reduce the impact when things go wrong.

Cheers,
Kieran

>
> Soren Hansen | http://linux2go.dk/
> Ubuntu Developer | http://www.ubuntu.com/
> OpenStack Developer | http://www.openstack.org/
>
>
> 2014-02-01 18:24 GMT+01:00 Saju M <sajup...@gmail.com>:
>> Hi folks,
>>
>> Could you please spend 5 minutes on the blueprint
>> https://blueprints.launchpad.net/horizon/+spec/user-registration and add
>> your suggestions in the white board.
>>
>>
>> Thanks,
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
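The following is an added illustration of the point argued in this thread; it is not code from the thread, from Horizon or from Keystone. It simulates Keystone with an in-memory stub whose policy check mimics what a static policy file can express (which caller may call which operation, and which role name it may grant) and what it cannot (binding a grant to the project created in the same request). The `registrar` and `admin` caller roles, the `member` role name and the `RegistrationService` class are all assumptions made for the example. `demonstrate_gap()` shows that a restricted credential held by the web tier is stopped from granting admin but can still grant member on an unrelated existing project, while `RegistrationService.register()` shows the extra layer enforcing in code the binding the policy cannot express.

```python
"""Registration service as an isolation layer in front of Keystone (added example).

Keystone is replaced by FakeKeystone, a constructed stand-in for the three
operations discussed in the thread: create user, create project, grant role.
"""
import uuid

MEMBER_ROLE = "member"  # assumed role name, as used in the thread

# What a static policy can express: caller role -> allowed (operation, role-name) pairs.
# It cannot reference "the project this caller created a moment ago": that is
# request state, not an attribute of the caller or of the target object.
POLICY = {
    "registrar": {("create_user", None), ("create_project", None),
                  ("grant_role", MEMBER_ROLE)},
    "admin": {("create_user", None), ("create_project", None),
              ("grant_role", "*")},
}


class PolicyDenied(PermissionError):
    """Raised when the simulated policy check rejects an operation."""


class FakeKeystone:
    """Constructed stand-in for the Keystone operations the thread discusses."""

    def __init__(self):
        self.users, self.projects, self.grants = {}, {}, set()

    def _check(self, caller_role, op, role=None):
        allowed = POLICY.get(caller_role, set())
        if (op, role) in allowed or (op, "*") in allowed:
            return
        raise PolicyDenied(f"{caller_role} may not {op} {role or ''}".strip())

    def create_user(self, caller_role, name):
        self._check(caller_role, "create_user")
        uid = uuid.uuid4().hex
        self.users[uid] = name
        return uid

    def create_project(self, caller_role, name):
        self._check(caller_role, "create_project")
        pid = uuid.uuid4().hex
        self.projects[pid] = name
        return pid

    def grant_role(self, caller_role, user_id, project_id, role):
        self._check(caller_role, "grant_role", role)
        if user_id not in self.users or project_id not in self.projects:
            raise KeyError("unknown user or project")
        self.grants.add((user_id, project_id, role))


class RegistrationService:
    """Owns the restricted 'registrar' credential and exposes only register().

    The web tier talks to this service, never to Keystone directly, so a
    compromised web tier gains exactly one capability: creating a fresh
    user/project pair with a member grant that links only those two objects.
    """

    def __init__(self, keystone):
        self._ks = keystone
        self._caller = "registrar"  # the credential lives here, not on the web tier

    def register(self, username):
        user_id = self._ks.create_user(self._caller, username)
        project_id = self._ks.create_project(self._caller, f"{username}-project")
        # The binding a policy file cannot express, enforced in code: the only
        # grant this service ever issues is member, for this user, on this project.
        self._ks.grant_role(self._caller, user_id, project_id, MEMBER_ROLE)
        return user_id, project_id


def demonstrate_gap(keystone):
    """Show why a restricted credential on the web tier is not enough on its own.

    Returns (admin_grant_denied, member_grant_on_unrelated_project_allowed).
    The policy blocks the admin grant, but still allows a member grant on a
    project the registrar never created, because it cannot tie the grant to
    the request's own project.
    """
    unrelated_project = keystone.create_project("admin", "someone-elses-project")
    new_user = keystone.create_user("registrar", "new-signup")
    try:
        keystone.grant_role("registrar", new_user, unrelated_project, "admin")
        admin_denied = False
    except PolicyDenied:
        admin_denied = True
    keystone.grant_role("registrar", new_user, unrelated_project, MEMBER_ROLE)
    member_allowed = (new_user, unrelated_project, MEMBER_ROLE) in keystone.grants
    return admin_denied, member_allowed
```

The design choice this illustrates is the one Kieran makes: the restricted credential limits which role name can be granted, but not which project, so the registration service is the layer where "only that user on only that project" actually becomes enforceable.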