I'm not sure I understand the use case. Can you explain the use case you are trying to solve?
Corey

On Fri, Feb 5, 2016, 02:07 王华 <[email protected]> wrote:

> Hi Corey,
>
> The user is root on those nodes and can get any credentials on those
> nodes. We cannot avoid that, but in this way we can disallow those users
> who cannot log in to the nodes from accessing some limited APIs.
>
> Regards,
> Wanghua
>
> On Fri, Feb 5, 2016 at 12:24 PM, Corey O'Brien <[email protected]> wrote:
>
>> There currently isn't a way to distinguish between the user who creates the
>> bay and the nodes in the bay because the user is root on those nodes. Any
>> credential that the node uses to communicate with Magnum is going to be
>> accessible to the user.
>>
>> Since we already have the trust, that seems like the best way to proceed
>> for now just to get something working.
>>
>> Corey
>>
>> On Thu, Feb 4, 2016 at 10:53 PM 王华 <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> Magnum now uses a token to get the CA certificate in make-cert.sh. A token has
>>> an expiration time, so we should change this method. Here are two proposals.
>>>
>>> 1. Use the trust which I have introduced in [1]. This way has a disadvantage:
>>> we can't limit the access to some APIs. For example, we may want to add a
>>> limitation that some APIs can only be accessed from the Bay and can't be
>>> accessed by users outside. We need a way to distinguish these users, from
>>> the Bay or from outside.
>>>
>>> 2. We create a user with the role to access Magnum. This way is used in
>>> Heat. Heat creates a user for each stack to communicate with Heat. We can
>>> add a role to the user which is already introduced in [1]. The user can
>>> directly access Magnum for some limited APIs. With the trust id, the user can
>>> access other services.
>>>
>>> [1] https://review.openstack.org/#/c/268852/
>>>
>>> Regards,
>>> Wanghua
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: [email protected]?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
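The two proposals quoted in the thread, modelled as an added example that is not part of the thread or of Magnum's code. It uses a constructed policy table (not Magnum's real policy file), a hypothetical role name `magnum_bay_user` standing in for the role proposed in [1], and constructed tokens. It shows the three points the thread makes: a token with an expiry stops working once that time passes; a trust-scoped token carries the trustor's roles, so policy cannot tell a bay node from the user outside; a per-bay user holding only the bay role can be gated to a limited set of APIs.

```python
"""Toy policy check contrasting trust-scoped tokens with a per-bay user.
Added example; the policy table, role name and token values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# Constructed policy table: API name -> roles allowed to call it.
# "magnum_bay_user" is a hypothetical role, not one Magnum defines.
POLICY: Dict[str, Set[str]] = {
    "certificate:get": {"magnum_bay_user", "admin"},   # intended to be bay-only
    "certificate:sign": {"magnum_bay_user", "admin"},  # intended to be bay-only
    "bay:create": {"member", "admin"},                 # normal user API
    "bay:delete": {"member", "admin"},                 # normal user API
}


@dataclass
class Token:
    user: str
    roles: Set[str]
    expires_at: datetime
    trust_id: Optional[str] = None  # set when the token is trust-scoped


def is_expired(token: Token, now: datetime) -> bool:
    return now >= token.expires_at


def authorize(token: Token, api: str, now: datetime) -> bool:
    """The token must be unexpired and hold at least one role the API allows."""
    if is_expired(token, now):
        return False
    return bool(POLICY.get(api, set()) & token.roles)


def trust_scoped_token(trustor: Token, now: datetime,
                       trust_id: str = "trust-constructed") -> Token:
    """Proposal 1: the bay consumes a trust and acts as the trustor.
    The resulting token carries the trustor's roles, so policy sees no
    difference between the bay and the user who created it."""
    return Token(user=trustor.user, roles=set(trustor.roles),
                 expires_at=now + timedelta(hours=1), trust_id=trust_id)


def bay_user_token(bay_id: str, now: datetime) -> Token:
    """Proposal 2 (the Heat per-stack-user pattern): a dedicated user per bay
    holding only the bay role, so policy can restrict it to bay-only APIs."""
    return Token(user=f"bay-{bay_id}", roles={"magnum_bay_user"},
                 expires_at=now + timedelta(hours=1))


def accessible_apis(token: Token, now: datetime) -> Set[str]:
    return {api for api in POLICY if authorize(token, api, now)}


def compare_proposals(now: Optional[datetime] = None) -> Dict[str, Set[str]]:
    """Return, per token kind, the set of APIs the policy table lets it call."""
    now = now or datetime(2016, 2, 5, 0, 0, tzinfo=timezone.utc)
    user = Token(user="wanghua", roles={"member"},
                 expires_at=now + timedelta(hours=1))
    # A bootstrap token baked into a script: valid when issued, useless later.
    stale = Token(user="wanghua", roles={"member"},
                  expires_at=now - timedelta(minutes=1))
    trust = trust_scoped_token(user, now)
    bay = bay_user_token("1234", now)
    return {
        "user": accessible_apis(user, now),
        "expired_bootstrap": accessible_apis(stale, now),
        "trust": accessible_apis(trust, now),
        "bay_user": accessible_apis(bay, now),
    }


if __name__ == "__main__":
    for kind, apis in compare_proposals().items():
        print(f"{kind:18} -> {sorted(apis)}")
```

In the result the `trust` entry equals the `user` entry, which is the disadvantage Wanghua describes: nothing in the token lets policy say "from the Bay only". The `bay_user` entry contains only the certificate APIs, which is the limit proposal 2 makes possible. Corey's caveat still applies: whoever is root on a node can read the bay user's credential, so this role limits only callers who cannot log in to the nodes, as the thread concludes.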
