On Tue, Oct 15, 2013 at 10:25 AM, Caitlin Bestler < caitlin.best...@nexenta.com> wrote:
> On 10/14/2013 8:37 AM, Ben Nemec wrote: > >> I agree that this needs to be fixed. It's very counterintuitive, if >> nothing else (which is also my argument against requiring all-tenants >> for admin users in the first place). The only question for me is >> whether to fix it in novaclient or in Nova itself. >> > > If it is fixed in novaclient, then any unscrupulous tenant would be able > to unfix it in novaclient themselves and gain the same information about > other tenants that the bug is allowing. > > So if the intent is to protect leakage of information across tenant lines > then the correct solution is a real lock (i.e. in Nova) rather > than just a screen door "lock". > > The novaclient fix for V2 would be simply to automatically pass all-tenants where needed. It would not give a non admin user any extra privileges even if they modified novaclient. Chris
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
