Hi yuanying,

How can user know about other user's trust_id? If the user can know the trust_id in other user's instance (maybe login to the instance), then other secrets can be known, too. In this case, creating a different user for each bay also has a security risk. So I think the security is based on the security of instance.

Regards,
Wanghua

On Thu, Dec 24, 2015 at 4:20 PM, 大塚元央 <yuany...@oeilvert.org> wrote:

> Hi, Hua.
>
> I agree with you if trust_id is secret.
> But I think trust_id is not a secret.
> User can know trustee_user_name and trustee_password from k8s/swarm
> instances.
> If user knows about other user's trust_id, user can use another user's
> swift resources.
> This will be a security risk.
>
> Thanks
> -yuanying
>
> Thu, Dec 24, 2015, 16:49 王华 <wanghua.hum...@gmail.com>:
>
>> Hi all,
>>
>> I want to create a trustee user for each bay [1]. The discussion for
>> trust is in [2].
>>
>> Here is my solution:
>> I don't create a user for each bay. All the bays no matter who creates it
>> use the same user.
>> But we create different trust for the user for different bay. The user
>> can not access any service without the trust id. So there is no need to
>> create a user for each bay.
>>
>>
>> [1]
>> https://blueprints.launchpad.net/magnum/+spec/create-trustee-user-for-each-bay
>> [2] https://review.openstack.org/#/c/254705/
>>
>> Regards,
>> Wanghua
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev