On Wed, Aug 28, 2013 at 7:22 PM, Yongsheng Gong <gong...@unitedstack.com> wrote:

> For admin, we must use admin token. In general, the token from API
> context is not of role admin.
>

So... because the authenticated user making the API request *may not* have "admin" access, you're dropping that authorization in favor of using CONF.neutron_admin_username, etc, to escalate the available privileges? Yikes.

>
> I think the BP can help
> https://blueprints.launchpad.net/keystone/+spec/reuse-token
>

I don't see how?

>
>
> On Thu, Aug 29, 2013 at 8:12 AM, Roman Verchikov
> <rverchi...@mirantis.com> wrote:
>
>> Hi stackers!
>>
>> Sorry for the stupid question, but why does
>> nova.network.neutronv2.get_client() [1] drop auth_token for admin? Is it
>> really necessary to make another check for username/password when trying to
>> get a list of ports or floating IPs?..
>>
>> When keystone is configured with LDAP backend this leads to a bunch of
>> LDAP requests which tend to be quite slow. Plus those LDAP requests could
>> have been simply skipped when keystone is configured with token cache
>> enabled.
>>
>> Thanks,
>> Roman
>>
>> [1]
>> https://github.com/openstack/nova/blob/master/nova/network/neutronv2/__init__.py#L68
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>

--
-Dolph