Re: [Openstack] Authorization Question

2013-03-04 Thread Dolph Mathews
That's correct. Right now, all endpoints registered in keystone are
returned to all users, regardless of whether they actually have any sort of
authorization on those endpoints.

I suspect we'll be having a planning session at the design summit on this
topic -- it'd be helpful to better understand your ideal use case in
suppressing endpoints from the catalog? In Grizzly, users, groups,
projects, and domains have absolutely no relationship with services and
endpoints within keystone. That becomes deployment-specific when you
consider how RBAC is applied service-side with policy.json, etc., but those
services are not necessarily aware of how they appear in the service
catalog, nor does keystone interpret policy files other than its own.


-Dolph


On Mon, Mar 4, 2013 at 2:32 PM, Miller, Mark M (EB SW Cloud - RD -
Corvallis) mark.m.mil...@hp.com wrote:

  Hello,


 I have been looking over the Keystone v3 API documentation as well as the
 database table columns. My question concerns endpoint access restrictions.
 I don’t see any noticeable way to associate endpoints with domains which
 means that any user can access any endpoint of any domain. Is this correct?
 The only database column that might come into play is the region column of
 the endpoint table.


 Regards,


 Mark Miller

 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp




Re: [Openstack] Authorization Question

2013-03-04 Thread Miller, Mark M (EB SW Cloud - RD - Corvallis)
Dolph,

At this point in time I am still gaining a grasp of the Keystone V3 changes and 
how domains and groups can be used. I noticed that the service catalog is 
returned in the GET token response and also in the PKI token when a user 
obtains a scoped token. The catalog data could be a large amount of extra data 
to pass around in the PKI token and was wondering why it was included. I 
thought maybe there was a link between the user's domain and the endpoints 
included in the catalog but did not see any linking information in the database 
or API documentation. You have just clarified what I thought was true.

Thanks again,

Mark Miller

From: Dolph Mathews [mailto:dolph.math...@gmail.com]
Sent: Monday, March 04, 2013 2:03 PM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net); Brownell, 
Jonathan C (Corvallis)
Subject: Re: [Openstack] Authorization Question



Re: [Openstack] Authorization Question

2013-03-04 Thread Nathanael Burton
Dolph,

In our deployments we often want to restrict projects to particular
endpoints or regions.  We've currently hacked that into our Folsom systems
by adding a 'regions' list to the 'extra' column of the tenant table.  With
only a few minor tweaks to keystone to return the filtered service catalog
based on 'regions' and some minor tweaks to Horizon it all works out fairly
well.  We would prefer to do this in a much more supported configuration,
something like attributes or roles on projects to achieve the same result.

Thanks,

Nate


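The region-filtered catalog Nate describes, as an added example written for this page (not Keystone's or Nate's own code): it reads a hypothetical 'regions' list from a project's 'extra' column and trims a Keystone v3-style catalog to endpoints in those regions. It assumes that a project without a 'regions' key is unrestricted and that the identity service is always left visible.

```python
import json
from typing import Dict, List, Optional, Set

# Constructed sample catalog in Keystone v3 token-response shape
# (services, each with endpoints carrying region/interface/url). Not real data.
SAMPLE_CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"region": "RegionOne", "interface": "public", "url": "https://keystone.example/v3"}]},
    {"type": "compute", "name": "nova", "endpoints": [
        {"region": "RegionOne", "interface": "public", "url": "https://nova.r1.example/v2"},
        {"region": "RegionTwo", "interface": "public", "url": "https://nova.r2.example/v2"}]},
    {"type": "image", "name": "glance", "endpoints": [
        {"region": "RegionTwo", "interface": "public", "url": "https://glance.r2.example/v2"}]},
]

# Constructed project rows mimicking the tenant table's 'extra' JSON column
# with a hypothetical 'regions' list, as the thread describes. A project with
# no 'regions' key is treated as unrestricted (an assumption of this example).
PROJECTS = {
    "restricted": {"extra": json.dumps({"regions": ["RegionOne"]})},
    "unrestricted": {"extra": json.dumps({})},
}

# Services that stay visible regardless of region so that clients can still
# reach Keystone to re-authenticate (a design choice of this example).
ALWAYS_VISIBLE_TYPES = {"identity"}


def allowed_regions(project: Dict) -> Optional[Set[str]]:
    """Return the project's permitted regions, or None if it is unrestricted."""
    extra = json.loads(project.get("extra") or "{}")
    regions = extra.get("regions")
    return None if regions is None else set(regions)


def filter_catalog(catalog: List[Dict], project: Dict) -> List[Dict]:
    """Copy of the catalog keeping only endpoints in permitted regions; services left empty are dropped."""
    regions = allowed_regions(project)
    if regions is None:
        return [dict(s, endpoints=list(s["endpoints"])) for s in catalog]
    visible = []
    for service in catalog:
        if service["type"] in ALWAYS_VISIBLE_TYPES:
            visible.append(dict(service, endpoints=list(service["endpoints"])))
            continue
        endpoints = [e for e in service["endpoints"] if e.get("region") in regions]
        if endpoints:
            visible.append(dict(service, endpoints=endpoints))
    return visible
```

This only narrows what clients discover; as Dolph notes, each endpoint still authorizes requests through its own service-side policy, so the filter is a usability measure rather than an access control.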