Hi all,

Magnum now uses a token to get the CA certificate in make-cert.sh. The token has an expiration time, so we should change this method. Here are two proposals.

1. Use a trust, which I have introduced in [1]. This way has a disadvantage: we can't limit the access to some APIs. For example, if we want to add a limitation that some APIs can only be accessed from a Bay and can't be accessed by users outside, we need a way to distinguish these users, from a Bay or from outside.

2. We create a user with the role to access Magnum. This way is used in Heat. Heat creates a user for each stack to communicate with Heat. We can add a role to the user which is already introduced in [1]. The user can directly access Magnum for some limited APIs. With the trust id, the user can access other services.

[1] https://review.openstack.org/#/c/268852/

Regards,
Wanghua