Hi Sergio,
With respect to the rabbit security - you can (and probably should) use
a different rabbit server for the trove message queue i.e not your
openstack rabbit. I *think* this is mentioned in the trove deployment
docs these days (it didn't used to be), and it is easy to miss wherever
it is mentioned! However this by itself is not enough really - as your
trove rabbit can be dos'd/hacked to cause mayhem to all running trove
instances.
The shadow tenant seems like the plan. However you are absolutely
correct - how to actually set it up is...err not that well documented.
I've made a comment on one of the various blogs to that effect. I'm
hoping it will spur one of the experts to show us in detail how it is
done :-)
regards
Mark
On 04/02/17 05:42, Sergio Morales Acuña wrote:
Hi.
I'm looking for information about the "Trove Shadow Tenant" feature.
There some blogs talking about this but I can't find any information
about the configuration.
I have a working implementation of Trove but the instance is created
in the same project as the user requesting the database. This is a
problem for me because the user can create a snapshot of the instance
and capture the RabbitMQ password.
I tried a non-admin credentials for nova_proxy_*, but the instance is
still been created in the user project. I'm using the branch
stable/newton.
Cheers.
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
