On 11/8/2016 7:14 PM, Adrian Turjak wrote:
On 09/11/16 11:12, Gage Hugo wrote:
This spec was discussed at the keystone meeting today and during the
conversation that continued afterwards, an idea of using the keystone
configuration to set a list of keys was mentioned.
The idea is that a cloud admin could define a list of keys that they
need for their setup within keystone's configuration file, then only
those keys will be valid for storing values in the project properties
table. Then each call would check against the list of valid keys and
deny any calls that are sent with an invalid key.
This idea seems to help with the issue to avoid allowing anyone to
throw any arbitrary values into these project properties vs just a set
number of values.
That feels far more restricting than it needs to be...
If done like this, the list should be optional, as having to restarting
Keystone to register the new config if you decide you need to add
additional values is a terrible approach.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Agree, whitelisting this in config sounds like a really bad idea.
--
Thanks,
Matt Riedemann
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
