Hi Tim,
The change was already merged to master. With the next release of
python-muranoclient it can be used in Congress.
Regards
Filip
On 07/08/2015 03:57 PM, Tim Hinrichs wrote:
There are two things to remember here.
1) When you configure the Congress datasource driver to talk to
Murano, you choose which user rights Congress should use. If you need
to get all of the tenants' data, you want to choose an admin user for
the Murano driver. Personally I always use admin users so that I can
write policy over everything. Typically we think of Congress as an
admin tool.
2) As you point out, if the Murano driver doesn't provide the
all_tenants=true argument when it makes the API call into Murano, it
won't get all the data for all the tenants; it'll only get the data
for the user you provided in (1). Ideally whether all_tenants=true
would be a datasource configuration option, but it's not today. The
datasource drivers I've looked at all use all_tenants=true.
Tim
On Wed, Jul 8, 2015 at 5:16 AM Kirill Zaitsev <[email protected]> wrote:
1) This does raise a security concern. We can however cover it
with a separate policy-based permission, that would check if a
user can view all tenants. nova seems to do so, see:
https://github.com/openstack/nova/blob/4209d0140774adf3e162b7bde3cbd6b417065dd5/etc/nova/policy.json#L13
2) Will give it some thought, but it does seem like an ok practice.
--
Kirill Zaitsev
Murano team
Software Engineer
Mirantis, Inc
On 8 Jul 2015 at 14:44:51, Filip Blaha ([email protected]) wrote:
Hi all,
I started implementing bp [1]. The problem is that congress needs data
about environments from all tenants, but the murano API lists only
environments of the user's current tenant. We decided to implement it
similarly to listing servers in nova, where there is a query parameter
all_tenants=true for that (user must be admin). I have 2 questions
about that:
1) Are there any security concerns about this approach?
2) Does someone have a better idea how to implement this?
[1]
https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search
Regards
Filip
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
[email protected]?subject:unsubscribe
<http://[email protected]?subject:unsubscribe>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
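The approach discussed in this thread, an all_tenants=true query parameter gated by a separate policy-based permission, sketched as an added example that is not code from Murano, Congress or any of the posters. The rule name, the Context class, the helper functions and the sample data are all hypothetical and constructed for illustration.

```python
# Added illustration; every name here is hypothetical, not Murano's API.
from dataclasses import dataclass, field

# Constructed policy table in the spirit of a policy.json rule: the roles
# that may list environments across all tenants.
POLICY = {"list_environments_all_tenants": {"admin"}}

# Constructed sample data.
ENVIRONMENTS = [
    {"id": "env-1", "tenant_id": "tenant-a"},
    {"id": "env-2", "tenant_id": "tenant-b"},
    {"id": "env-3", "tenant_id": "tenant-a"},
]

class Forbidden(Exception):
    """Caller asked for cross-tenant data without the required permission."""

@dataclass(frozen=True)
class Context:
    tenant_id: str
    roles: frozenset = field(default_factory=frozenset)

def enforce(ctx, rule):
    """Deny by default: an unknown rule allows nobody."""
    if not (ctx.roles & POLICY.get(rule, set())):
        raise Forbidden(rule)

def parse_all_tenants(params):
    """Strictly parse the flag; absent means False, junk is rejected."""
    raw = params.get("all_tenants")
    if raw is None:
        return False
    value = raw.strip().lower()
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise ValueError("invalid all_tenants value: %r" % raw)

def list_environments(ctx, params, store=ENVIRONMENTS):
    """Scope to the caller's tenant unless the flag is set AND policy allows."""
    if parse_all_tenants(params):
        enforce(ctx, "list_environments_all_tenants")
        return list(store)
    # Default path: even an admin sees only their own tenant without the flag.
    return [e for e in store if e["tenant_id"] == ctx.tenant_id]
```

The permission check runs only when the flag is requested, so a caller without the role gets an explicit denial rather than a silently narrowed result.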