On 05/05/2016 06:03 PM, Dan Smith wrote:
>> I'm currently working on the spec for Project ID Validation in Nova
>> using Keystone. The outcome of the Design Summit Session was that the
>> Nova service user would use the Keystone policy to establish whether the
>> requester had access to the project at all to verify the id. I was
>> wondering if there were any code examples of a non-Keystone service
>> using the Keystone policy in this way?
>>
>> Also if I misunderstood something, please feel free to correct me or to
>> clarify!
>
> Just to clarify, the outcome as I understood it is:
>
> /Instead/ of a Nova service user, Nova should use the credentials of the
> user doing the quota manipulation to authenticate a request to keystone
> to check for the presence of the target user. That means doing a HEAD or
> GET on the tenant in keystone using the credentials provided to Nova for
> the quota operation. The only Keystone policy involved is making sure
> that the user has permission to do that HEAD or GET operation (which is
> really just a deployment thing).
Right, that's how I remember it. The important additional piece of
information is that these commands are Nova admin commands, so setting
quota for other users.

I think the important next step forward here is to actually see what the
code looks like, as the actual code to check against keystone is going
to go right here -
https://github.com/openstack/nova/blob/8a93fd13786358f882a53e0bf104eeed23541465/nova/api/openstack/compute/quota_sets.py#L107

And it needs to function with what we have at hand, which is a project_id
and a nova.context.

	-Sean

-- 
Sean Dague
http://dague.net

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
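The check Dan describes (a HEAD on the project in Keystone, authenticated with the token the requester handed to Nova, so that Keystone's own policy decides whether the lookup is allowed) can be sketched with nothing more than a project id and the context's token. The following is an added illustration, not Nova's or Keystone's code: it assumes a Keystone v3 endpoint at `keystone_url`, a context object exposing `auth_token` (a stand-in for `nova.context`), and an injectable `http_head(url, headers) -> status` transport so it can run offline against a constructed `FakeKeystone`. It fails closed on 401/403, treats 404 as "project does not exist", and percent-encodes the id so that a crafted value cannot alter the request path.

```python
import urllib.error
import urllib.parse
import urllib.request


class ProjectNotFound(Exception):
    """Keystone reported that the project id does not exist (HTTP 404)."""


class ProjectLookupForbidden(Exception):
    """The requester's token may not read projects in Keystone (HTTP 401/403)."""


def _urllib_head(url, headers):
    """Default transport: issue a HEAD request and return the HTTP status code."""
    req = urllib.request.Request(url, headers=headers, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def validate_project_id(context, project_id, keystone_url, http_head=_urllib_head):
    """Return True if project_id exists in Keystone, checked with the requester's token.

    `context.auth_token` is assumed (hypothetical attribute) to carry the token Nova
    received for the quota request; `http_head` is injectable for offline testing.
    """
    if not project_id or not isinstance(project_id, str):
        raise ValueError("project_id must be a non-empty string")
    # Percent-encode the id (including '/') so a crafted value cannot change
    # which Keystone resource the request actually addresses.
    quoted = urllib.parse.quote(project_id, safe="")
    url = "%s/v3/projects/%s" % (keystone_url.rstrip("/"), quoted)
    status = http_head(url, {"X-Auth-Token": context.auth_token})
    if status == 200:
        return True
    if status == 404:
        raise ProjectNotFound("project %s does not exist in Keystone" % project_id)
    if status in (401, 403):
        # Deployment policy denies this user the project lookup: fail closed
        # rather than guessing that the project is valid.
        raise ProjectLookupForbidden("token may not look up project %s" % project_id)
    raise RuntimeError("unexpected status %s from Keystone" % status)


class FakeKeystone:
    """Constructed stand-in for a Keystone v3 server, for offline demonstration only."""

    def __init__(self, valid_token, project_ids):
        self.valid_token = valid_token
        self.project_ids = set(project_ids)

    def head(self, url, headers):
        if headers.get("X-Auth-Token") != self.valid_token:
            return 401
        prefix = "http://keystone.example/v3/projects/"
        if not url.startswith(prefix):
            return 404
        project_id = urllib.parse.unquote(url[len(prefix):])
        return 200 if project_id in self.project_ids else 404


class FakeContext:
    """Constructed minimal stand-in for nova.context carrying only auth_token."""

    def __init__(self, auth_token):
        self.auth_token = auth_token


if __name__ == "__main__":
    ks = FakeKeystone("tok-admin", {"proj-1234"})
    ctx = FakeContext("tok-admin")
    print(validate_project_id(ctx, "proj-1234", "http://keystone.example", ks.head))
    for bad_id in ("proj-9999", "../users"):
        try:
            validate_project_id(ctx, bad_id, "http://keystone.example", ks.head)
        except ProjectNotFound as exc:
            print("rejected:", exc)
```

In the quota_sets handler the caller would translate `ProjectNotFound` into a 400 for the admin and `ProjectLookupForbidden` into a 403; the second case is exactly the "deployment thing" Dan mentions, since whether an admin token may read projects is decided by Keystone's policy file, not by Nova.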