On 7 December 2015 at 05:38, Clint Byrum <cl...@fewbar.com> wrote: > Excerpts from Xav Paice's message of 2015-12-05 13:26:23 -0800: > > > > > I respect that this is what works for you and we shouldn't require you to > change your ways without good reason. However, I just want to point out > that if you don't trust Keystone's own ACL's to prevent administrative > access by users who haven't been granted access, then you also don't > trust Keystone to keep users out of each-others accounts! > > That's an excellent point, and one which scares me quite a lot. But that's the sad reason we need two lots of API servers - so even if someone were to get hold of an admin userid/password, they still can't go deleting the entire cloud. It does at least limit the damage.
> That said, if there really is a desire to keep admin functions separate > from user functions, why not formalize that and make it an entirely > separate service in the catalog? So far, Keystone is the only service > to make use of "adminurl". So a valid path forward is to simply make it > a different entry. > Keystone is indeed the only one that does this - I hesitate to say "right" because it might not be. I'm not sure I follow when you say separate service - you mean a completely different service, with a full set of endpoints? Makes sense if the projects that use the catalogue also honour that, but I don't know I see the difference between having a different service for admin requests, and a split admin url and public url. Maybe I'm just being thick here, but I had thought that was the original intention despite it never being used by anyone other than Keystone. > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators >
_______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
