Wanghua,
Could you elaborate on why using a token is a problem? Provisioning a cluster takes
deterministic time, and the expiration time shouldn't be a problem (e.g. we can
always assume that provisioning shouldn't take more than an hour). Also,
we can generate a new token every time we update the stack, can't we?

---
Egor
From: Corey O'Brien <coreypobr...@gmail.com>
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
Sent: Thursday, February 4, 2016 8:24 PM
Subject: Re: [openstack-dev] [openstack][Magnum] ways to get CA certificate in make-cert.sh from Magnum

There currently isn't a way to distinguish between the user who creates the bay and
the nodes in the bay, because the user is root on those nodes. Any credential
that the node uses to communicate with Magnum is going to be accessible to the
user.
Since we already have the trust, that seems like the best way to proceed for
now, just to get something working.

Corey
On Thu, Feb 4, 2016 at 10:53 PM 王华 <wanghua.hum...@gmail.com> wrote:

Hi all,
Magnum now uses a token to get the CA certificate in make-cert.sh. A token has an
expiration time, so we should change this method. Here are two proposals.
1. Use trust, which I have introduced in [1]. This way has a disadvantage: we
can't limit access to some APIs. For example, if we want to add a
limitation that some APIs can only be accessed from the Bay and can't be accessed
by users outside, we need a way to distinguish these users, from the Bay or from
outside.
2. We create a user with the role to access Magnum. This way is used in Heat:
Heat creates a user for each stack to communicate with Heat. We can add a role
to the user, which is already introduced in [1]. The user can directly access
Magnum for some limited APIs. With the trust id, the user can access other services.
[1] https://review.openstack.org/#/c/268852/
Regards,
Wanghua
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
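The trade-off the thread is weighing (a token that expires before provisioning ends, versus a trust that makes the bay indistinguishable from its creating user, versus a dedicated per-bay user with its own role) can be made concrete with a small policy model. The code below is an added illustration and is not Magnum's, Heat's or Keystone's code; the role name `magnum_bay_user`, the API name `certificate:get_ca`, the one-hour token lifetime and the timestamp are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

# Assumed names for illustration only; Magnum's real policy rules and role names differ.
BAY_ROLE = "magnum_bay_user"                        # hypothetical role of the per-bay user (proposal 2)
BAY_ONLY_APIS = frozenset({"certificate:get_ca"})   # hypothetical API that only bay nodes should reach
TOKEN_LIFETIME = timedelta(hours=1)                 # constructed Keystone token lifetime


@dataclass(frozen=True)
class Credential:
    kind: str                                # "token", "trust" or "bay_user"
    roles: FrozenSet[str]
    expires_at: Optional[datetime] = None    # only plain tokens carry a hard expiry in this model


def issue_token(roles, now):
    """A user token as baked into make-cert.sh today: expires after TOKEN_LIFETIME."""
    return Credential("token", frozenset(roles), now + TOKEN_LIFETIME)


def issue_trust_credential(user_roles):
    """Proposal 1: a trust delegates the creating user's own roles to the bay."""
    return Credential("trust", frozenset(user_roles))


def issue_bay_user_credential():
    """Proposal 2: a dedicated per-bay user carrying only the bay role."""
    return Credential("bay_user", frozenset({BAY_ROLE}))


def valid_at(cred, when):
    """True if the credential can still authenticate at time `when`."""
    return cred.expires_at is None or when < cred.expires_at


def survives_provisioning(cred, start, provisioning_time):
    """Will the credential outlive a bay provisioning that starts at `start`?"""
    return valid_at(cred, start + provisioning_time)


def may_call(cred, api, now):
    """Policy check: bay-only APIs need the bay role; everything else needs a valid credential."""
    if not valid_at(cred, now):
        return False
    if api in BAY_ONLY_APIS:
        return BAY_ROLE in cred.roles
    return True


def distinguishable(bay_cred, user_cred):
    """Can a role-based policy tell the bay's credential apart from the user's own?
    This is the limitation raised against the trust approach."""
    return bay_cred.roles != user_cred.roles


def demo():
    """Run the three credential kinds through the checks and return the outcomes."""
    now = datetime(2016, 2, 4, 22, 0, tzinfo=timezone.utc)   # constructed timestamp
    user_roles = {"member"}
    user_cred = Credential("token", frozenset(user_roles), now + TOKEN_LIFETIME)
    token = issue_token(user_roles, now)
    trust = issue_trust_credential(user_roles)
    bay_user = issue_bay_user_credential()
    return {
        # Plain token: fine for a 30-minute provision, dead for a 2-hour one.
        "token_30min": survives_provisioning(token, now, timedelta(minutes=30)),
        "token_2h": survives_provisioning(token, now, timedelta(hours=2)),
        # Trust: no expiry here, but it looks exactly like the user to policy,
        # so a bay-only restriction would lock the bay out too.
        "trust_distinguishable": distinguishable(trust, user_cred),
        "trust_get_ca": may_call(trust, "certificate:get_ca", now),
        # Per-bay user: distinguishable, so a bay-only API can be enforced.
        "bay_user_distinguishable": distinguishable(bay_user, user_cred),
        "bay_user_get_ca": may_call(bay_user, "certificate:get_ca", now),
        "user_get_ca": may_call(user_cred, "certificate:get_ca", now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that the model makes Corey's point visible as well: the per-bay credential only separates *what the bay may call* from *what the user may call*; since the user is root on the nodes, whatever credential is placed there is still readable by that user.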