Why not have lbaas do step 2? Even better would be to help with the instance
user spec and combined with lbaas doing step 2, you could restrict secret
access to just the amphora that need the secret?
Thanks,
Kevin
________________________________
From: Vijay Venkatachalam
Sent: Tuesday, September 15, 2015 7:06:39 PM
To: OpenStack Development Mailing List (openstack-dev@lists.openstack.org)
Subject: [openstack-dev] [Barbican] Providing service user read access to all
tenant's certificates
Hi,
Is there a way to provide read access to a certain user to all
secrets/containers of all project/tenant’s certificates?
This user with universal “read” privilege’s will be used as a
service user by LBaaS plugin to read tenant’s certificates during LB
configuration implementation.
Today’s LBaaS users are following the below mentioned process
1. tenant’s creator/admin user uploads a certificate info as secrets and
container
2. User then have to create ACLs for the LBaaS service user to access the
containers and secrets
3. User creates LB config with the container reference
4. LBaaS plugin using the service user will then access container
reference provided in LB config and proceeds to implement.
Ideally we would want to avoid step 2 in the process. Instead add a step 5
where the lbaas plugin’s service user checks if the user configuring the LB has
read access to the container reference provided.
Thanks,
Vijay V.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
