Hi Vijay--

The recommended way for supporting that use case is to use Barbican's ACLs. It allows users from another project/tenant to access specific secrets.

If the "demo admin" owns a secret and wants to give read access to "admin admin", the "demo admin" should create an ACL for the secret. If an LBaaS user needs access to a tenant secret, the tenant admin can create an ACL granting read access to the LBaaS user.

http://docs.openstack.org/developer/barbican/api/quickstart/acls.html

--Dave

On 11/10/15, 3:41 AM, "Vijay Venkatachalam" <vijay.venkatacha...@citrix.com> wrote:

>Hi,
>
>Can we enable GET of secrets to work irrespective of Tenant name in the
>login?
>
>Consider there is an "admin" with "admin" role in "demo" tenant. I tried
>to query the "demo" tenant's secret using a login token which was
>generated from "admin" user & "admin" tenant. And I am getting a
>Forbidden error. Could we make this scenario work?
>
>UseCase:
>========
>LBaaS extension has admin credentials and generates a token and uses it
>to contact services like nova, barbican etc. It is currently using the
>same token to get the tenant's secret/certificates with the href and it
>is not working.
>
>Thanks,
>Vijay V.
>
>__________________________________________________________________________
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
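
The ACL grant described in the reply above, as an added example that is not part of the original thread and not Barbican's own code: it builds the `PUT {secret_href}/acl` request the secret's owner would send and shows why the LBaaS token is refused before the grant and accepted after it. The host, UUID, user and project ids and the token placeholder are constructed, and `may_read` is a simplified model of the access decision, not Barbican's policy engine.

```python
import json
import urllib.request

# Constructed sample data: placeholder host, UUID and ids, not values from the thread.
SECRET = {
    "href": "http://barbican.example:9311/v1/secrets/00000000-0000-0000-0000-000000000000",
    "project_id": "demo-project-id",
    "acl": {"read": {"users": [], "project-access": True}},
}
LBAAS_TOKEN = {"user_id": "lbaas-user-id", "project_id": "admin-project-id"}
TENANT_TOKEN = {"user_id": "demo-admin-id", "project_id": "demo-project-id"}


def read_acl_body(reader_user_ids, project_access=True):
    """JSON body for PUT {secret_href}/acl: the users granted read access."""
    return {"read": {"users": sorted(set(reader_user_ids)),
                     "project-access": project_access}}


def build_acl_request(secret_href, owner_token, reader_user_ids):
    """Build (but do not send) the request the secret's owner would issue."""
    return urllib.request.Request(
        url=secret_href.rstrip("/") + "/acl",
        data=json.dumps(read_acl_body(reader_user_ids)).encode("utf-8"),
        method="PUT",
        headers={"X-Auth-Token": owner_token,
                 "Content-Type": "application/json"},
    )


def may_read(secret, token):
    """Simplified model (assumption): project match, or listed in the read ACL."""
    read_acl = secret["acl"]["read"]
    if token["project_id"] == secret["project_id"] and read_acl["project-access"]:
        return True
    return token["user_id"] in read_acl["users"]


def with_acl(secret, body):
    """Return a copy of the secret as it looks once the ACL PUT is accepted."""
    return {**secret, "acl": body}


if __name__ == "__main__":
    print("before ACL:", may_read(SECRET, LBAAS_TOKEN))
    req = build_acl_request(SECRET["href"], "OWNER_TOKEN_PLACEHOLDER", ["lbaas-user-id"])
    print(req.get_method(), req.full_url, req.data.decode())
    shared = with_acl(SECRET, read_acl_body(["lbaas-user-id"]))
    print("after ACL:", may_read(shared, LBAAS_TOKEN))
```

The grant names one user id on one secret, so the service account gains read access only to the secrets a tenant has explicitly shared with it.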