On 04/10/2012 09:44 PM, Nguyen, Liem Manh wrote:
> Hi fellow Stackers,
>
> I am reading http://keystone.openstack.org/configuringservices.html, and it
> appears that for service registration, all services (or rather service users)
> reside within the same tenant with the same Admin role. So, if I understand it
> correctly, it is then possible that a service user for Nova can actually
> accidentally nuke an endpoint for a Glance service, for example? Don't we want
> isolation among services, i.e., a user owning one service may not modify
> another service that he/she did not create?

Hi Liem!
As Joe Heck noted, the concept of roles hasn't changed from the Diablo
codebase, and there is certainly the danger of a service tenant user
nuking an endpoint for a different service, as you describe above. In
Glance, we added a config option "admin_role" that can be set to guard
against this, however. Just set admin_role = glance_admin and create a
glance_admin role in Keystone and just assign the Glance service user
(and only that user) that role...
Kind of a hacky workaround, but it works...
Best,
-jay
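
The effect of the workaround discussed in this thread, as an added example that is not part of the original messages and is not Glance or Keystone code: a small model of the role check, run over constructed role assignments, that reports which users other than the intended service user would pass a service's admin check. The user names, the tenant name and the helper functions are assumptions; only `admin_role` and `glance_admin` come from the thread.

```python
# Constructed sample data: (user, tenant, role) assignments modelled on the
# setup described in the thread, where every service user sits in one tenant
# and holds the same admin role. User and tenant names are hypothetical.
ASSIGNMENTS = [
    ("nova", "service", "admin"),
    ("glance", "service", "admin"),
    ("swift", "service", "admin"),
    # Dedicated role created for the workaround, given to one user only.
    ("glance", "service", "glance_admin"),
]


def holders(assignments, tenant, role):
    """Users that hold `role` in `tenant`, sorted for stable output."""
    return sorted({u for u, t, r in assignments if t == tenant and r == role})


def passes_admin_check(assignments, user, tenant, admin_role):
    """Model of the check: the user is an admin for a service only if it
    holds the role named by that service's admin_role setting."""
    return user in holders(assignments, tenant, admin_role)


def unexpected_admins(assignments, tenant, service_user, admin_role):
    """Users other than the service's own user that would be treated as
    admins by a service configured with this admin_role."""
    return [u for u in holders(assignments, tenant, admin_role)
            if u != service_user]


if __name__ == "__main__":
    for role in ("admin", "glance_admin"):
        extra = unexpected_admins(ASSIGNMENTS, "service", "glance", role)
        status = "ISOLATED" if not extra else "SHARED with " + ", ".join(extra)
        print(f"admin_role = {role}: {status}")
```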