Re: [openstack-dev] [Barbican] Enabling GET of secrets to work irrespective of Tenant name in login

2015-11-16 Thread Dave McCowan (dmccowan)
Hi Vijay--
The recommended way for supporting that use case is to use Barbican's
ACLs.  It allows users from another project/tenant to access specific
secrets

If the "demo admin" owns a secret and wants to give read access to
"admin admin", the "demo admin" should create an ACL for the secret.
If an LBaaS user needs access to a tenant secret, the tenant admin can
create an ACL granting read access to the LBaaS user.

http://docs.openstack.org/developer/barbican/api/quickstart/acls.html

--Dave



On 11/10/15, 3:41 AM, "Vijay Venkatachalam" wrote:

>Hi,
>
>Can we enable GET of secrets to work irrespective of Tenant name in the
>login?
>
>Consider there is an "admin" with "admin" role in "demo" tenant. I tried
>to query the "demo" tenant's secret using a login token which was
>generated from "admin" user & "admin" tenant. And I am getting a
>Forbidden error. Could we make this scenario work?
>
>UseCase:
> 
>LBaaS extension has admin credentials and generates a token and uses it
>to contact services like nova, barbican etc. It is currently using the
>same token to get the tenant's secret/certificates with the href and it
>is not working.
>
>Thanks,
>Vijay V.
>
>__
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
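
The ACL grant recommended in the reply above, as an added example that is not part of the original thread or Barbican's own code. It builds the `PUT <secret href>/acl` request from the ACL API and uses a simplified model of the read check (project roles are ignored) to show why the cross-tenant token is refused until the user is listed in the ACL. The endpoint, secret UUID, token and user IDs are constructed placeholders.

```python
import json
import urllib.request

# Constructed placeholders (assumptions, not values from the thread).
SECRET_HREF = ("http://barbican.example:9311/v1/secrets/"
               "11111111-2222-3333-4444-555555555555")
LBAAS_USER_ID = "lbaas-service-user-id"


def build_acl_request(secret_href, owner_token, reader_user_ids):
    """PUT <secret_href>/acl: grant 'read' to specific Keystone user IDs."""
    body = {"read": {"users": list(reader_user_ids), "project-access": True}}
    return urllib.request.Request(
        secret_href.rstrip("/") + "/acl",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"X-Auth-Token": owner_token,
                 "Content-Type": "application/json"},
    )


def can_read(secret, token):
    """Simplified model of the read decision (not Barbican's policy code).

    A token scoped to the secret's own project may read it while
    project-access is on; any other caller must be listed in the read ACL.
    An admin role held in a different project grants nothing here.
    """
    acl = secret.get("acl", {}).get("read", {})
    same_project = token["project_id"] == secret["project_id"]
    if same_project and acl.get("project-access", True):
        return True
    return token["user_id"] in acl.get("users", [])


def apply_acl(secret, request):
    """Store the ACL carried by a request built above on a model secret."""
    secret["acl"] = json.loads(request.data)
    return secret


if __name__ == "__main__":
    secret = {"project_id": "demo", "acl": {}}  # owned by the demo tenant
    lbaas = {"user_id": LBAAS_USER_ID, "project_id": "admin"}
    print("before ACL:", can_read(secret, lbaas))
    req = build_acl_request(SECRET_HREF, "demo-admin-token", [LBAAS_USER_ID])
    print(req.get_method(), req.full_url, req.data.decode())
    print("after ACL:", can_read(apply_acl(secret, req), lbaas))
```

The grant names one user ID, so other users with tokens scoped to the "admin" tenant remain unable to read the secret.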




[openstack-dev] [Barbican] Enabling GET of secrets to work irrespective of Tenant name in login

2015-11-10 Thread Vijay Venkatachalam
Hi,

Can we enable GET of secrets to work irrespective of Tenant name in the login?

Consider there is an "admin" with "admin" role in "demo" tenant. I tried to
query the "demo" tenant's secret using a login token which was generated from
"admin" user & "admin" tenant. And I am getting a Forbidden error. Could we
make this scenario work?

UseCase:
 
LBaaS extension has admin credentials and generates a token and uses it to
contact services like nova, barbican etc. It is currently using the same token
to get the tenant's secret/certificates with the href and it is not working.

Thanks,
Vijay V.
