How about using domain-based role assignments in keystone and requiring
domain-level authorization in policy, and then only returning data about
the collection of tenants that belong to the authorized domain? That way
you don't have an API that violates multi-tenant isolation, consumable only
by cloud operators.

On Wed, Jul 8, 2015 at 6:27 AM, Filip Blaha <filip.bl...@hp.com> wrote:

> Hi all,
>
> I started implementing bp [1]. The problem is that congress needs data about
> environments from all tenants, but the murano API lists only environments of
> the user's current tenant. We decided to implement it similarly to listing
> servers in nova, where there is a query parameter all_tenants=true for that
> (user must be admin). I have 2 questions about that:
>
> 1) Are there any security concerns about this approach?
> 2) Does someone have a better idea how to implement this?
>
> [1]
> https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search
>
> Regards
> Filip
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
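
A sketch of the domain-scoped listing suggested in the reply, set beside the all_tenants=true approach from the quoted message. This is an added example, not part of the original thread and not murano or keystone code; the `Scope` class, the `admin` role name and the sample projects and environments are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: project (tenant) -> owning domain.
PROJECT_DOMAIN = {"proj-a1": "dom-a", "proj-a2": "dom-a", "proj-b1": "dom-b"}
# Constructed sample environments, each owned by exactly one project.
ENVIRONMENTS = [
    {"id": "env-1", "tenant_id": "proj-a1"},
    {"id": "env-2", "tenant_id": "proj-a2"},
    {"id": "env-3", "tenant_id": "proj-b1"},
]


@dataclass(frozen=True)
class Scope:
    """Hypothetical stand-in for the scope of an already validated token."""
    roles: frozenset
    project_id: Optional[str] = None  # set for a project-scoped token
    domain_id: Optional[str] = None   # set for a domain-scoped token


class Forbidden(Exception):
    """Raised when the token scope does not authorize the request."""


def list_environments(scope, all_tenants=False):
    """Return only the environments the token's scope authorizes."""
    if not all_tenants:
        # Default behaviour: the caller's own tenant only.
        if scope.project_id is None:
            raise Forbidden("project-scoped token required")
        return [e for e in ENVIRONMENTS if e["tenant_id"] == scope.project_id]
    # Cross-tenant listing needs a domain-level role assignment; an admin
    # role on a single project is not enough.
    if scope.domain_id is None or "admin" not in scope.roles:
        raise Forbidden("domain-scoped admin role required")
    # Return only tenants in the authorized domain. A tenant with no known
    # domain maps to None and is excluded (fail closed).
    return [e for e in ENVIRONMENTS
            if PROJECT_DOMAIN.get(e["tenant_id"]) == scope.domain_id]
```

With this check a project admin who sets all_tenants=true is refused, and a domain admin sees every tenant in that domain but nothing from other domains.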