We sometimes want the ability to write policy across tenants, e.g. VMs from Coke and Pepsi must always be deployed on different hosts.
I didn't think there were any roles that could see everything without all_tenants=true. If there are such roles, I'd be happy to remove the all_tenants=true from the datasource drivers.

Tim

On Fri, Jul 10, 2015 at 8:00 AM Dolph Mathews <[email protected]> wrote:

> How about using domain-based role assignments in keystone and requiring
> domain-level authorization in policy, and then only returning data about
> the collection of tenants that belong to the authorized domain? That way
> you don't have an API that violates multi-tenant isolation, consumable only
> by cloud operators.
>
> On Wed, Jul 8, 2015 at 6:27 AM, Filip Blaha <[email protected]> wrote:
>
>> Hi all,
>>
>> I started to implement bp [1]. The problem is that congress needs data about
>> environments from all tenants, but the murano API lists only environments of
>> the user's current tenant. We decided to implement it similarly to listing
>> servers in nova, where there is a query parameter all_tenants=true for that
>> (the user must be admin). I have 2 questions about that:
>>
>> 1) Are there any security concerns about this approach?
>> 2) Does someone have a better idea how to implement this?
>>
>> [1]
>> https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search
>>
>> Regards
>> Filip
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> [email protected]?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
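Added example, not part of the thread and not Murano, Keystone or Congress code: a sketch of the two authorization models discussed above for a cross-tenant listing, the operator-only `all_tenants=true` path and the domain-scoped filter. The `Context` fields, the `admin` role name, `list_environments` and the sample tenants are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (hypothetical): tenant -> owning domain, plus environments.
TENANT_DOMAIN = {"coke-prod": "coke", "coke-dev": "coke", "pepsi-prod": "pepsi"}
ENVIRONMENTS = [
    {"id": "env-1", "tenant": "coke-prod"},
    {"id": "env-2", "tenant": "coke-dev"},
    {"id": "env-3", "tenant": "pepsi-prod"},
]


@dataclass
class Context:
    """Hypothetical request context built from an already validated token."""
    tenant: Optional[str] = None      # set for a project-scoped token
    domain: Optional[str] = None      # set for a domain-scoped token
    roles: set = field(default_factory=set)
    is_cloud_admin: bool = False      # operator-level authorization


class Forbidden(Exception):
    """Raised when the caller may not widen the listing beyond its tenant."""


def list_environments(ctx, all_tenants=False):
    """Return the environment ids visible to ctx, failing closed."""
    if not all_tenants:
        # Default behaviour: only the caller's current tenant.
        return [e["id"] for e in ENVIRONMENTS if e["tenant"] == ctx.tenant]
    if ctx.is_cloud_admin:
        # Operator path: every tenant, the view a cross-tenant policy needs.
        return [e["id"] for e in ENVIRONMENTS]
    if ctx.domain and "admin" in ctx.roles:
        # Domain path: only tenants that belong to the authorized domain.
        # A tenant missing from the mapping never matches, so it stays hidden.
        return [e["id"] for e in ENVIRONMENTS
                if TENANT_DOMAIN.get(e["tenant"]) == ctx.domain]
    # A project-scoped admin role alone does not unlock other tenants.
    raise Forbidden("all_tenants requires operator or domain-level authorization")


if __name__ == "__main__":
    print(list_environments(Context(domain="coke", roles={"admin"}), all_tenants=True))
    print(list_environments(Context(is_cloud_admin=True), all_tenants=True))
```

The domain-scoped caller never sees `env-3`, so a rule that compares Coke and Pepsi placements can only be evaluated from the operator path.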
