We have been treating 'Admin' (or 'admin' as I prefer) as meaning admin of the entire cloud, regardless of whether a tenant id is set. The recent rbac changes introduced allow the policy to be completely customized by the deployer, however, so they would be free to define a different role such as 'superuser'. We currently do however have some special handling in nova based on the role 'admin', so that seems like the best choice.
As a side note, we do want to remove the special handling, but at that point we might introduce a flag to represent a role that should be considered to have superuser privileges.

Vish

On Jan 31, 2012, at 4:08 PM, Shivan Bindal wrote:

> Hi,
>
> I've got a quick question regarding RightScale's OpenStack integration. At one point, when someone decides to connect their OpenStack cloud with RightScale, we need to authenticate that that user is authorized to connect their cloud to RightScale. (Those users get some extra privileges, not the least of which is the ability to delete the cloud from the system, which could have an impact to an unaware user).
>
> We recognize authorization by requesting that the user give us admin credentials to their cloud. (Think of this as an enterprise user who wants to connect their Piston OpenStack cloud with RightScale.) The question I have is -- how do you recommend we validate that the credentials we've received are in fact Admin?
>
> In our current integration of Diablo + KeyStone, we post to the provided KeyStone endpoint with the supposedly admin credentials. We then ensure that the role "Admin" is included in the response along with the Nova service in the service catalog.
>
> Should we add a check to see if the user is associated with any tenant? We are currently thinking about checking if TenantID is nil hoping that this means 'admin of all tenants'.
>
> What would you recommend we do? Ideally, there would be an API call that only admin credentials on Nova would be allowed to make. Is there such an API call (we couldn't see any such call in the Nova API Documentation)? Do you have any other suggestions?
>
> Thanks!
>
> --
> Shivan Bindal
> Product Manager
> shi...@rightscale.com
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
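The check the quoted message describes, written out as an added example that is not part of this thread or of any OpenStack code: it parses a constructed Keystone v2 token response, looks for the admin role by name (case-insensitive, since both 'Admin' and 'admin' appear above, and configurable so a deployer-defined role such as 'superuser' can be matched) and for a compute service in the catalog, and deliberately ignores the tenant id, as the reply recommends. The sample documents and the `admin_roles` parameter are assumptions made for the example.

```python
import json

# Constructed sample Keystone v2 token responses (not real captures), shaped
# like the "access" document the quoted message describes.
ADMIN_RESPONSE = json.dumps({
    "access": {
        "token": {"id": "TOKEN-PLACEHOLDER", "tenant": None},
        "user": {"name": "cloudadmin",
                 "roles": [{"name": "Admin"}, {"name": "Member"}]},
        "serviceCatalog": [
            {"type": "compute", "name": "nova", "endpoints": []},
            {"type": "identity", "name": "keystone", "endpoints": []},
        ],
    }
})

# Same shape, but a plain tenant member: must be rejected even though the
# catalog still lists nova.
MEMBER_RESPONSE = json.dumps({
    "access": {
        "token": {"id": "TOKEN-PLACEHOLDER", "tenant": {"id": "t1"}},
        "user": {"name": "alice", "roles": [{"name": "Member"}]},
        "serviceCatalog": [{"type": "compute", "name": "nova", "endpoints": []}],
    }
})


def has_cloud_admin_role(response_json, admin_roles=("admin",)):
    """True if the token carries one of the configured admin role names.

    `admin_roles` is a hypothetical knob for deployer-customized policy
    (e.g. ("superuser",)). The tenant id is intentionally not consulted:
    per the reply, the admin role is cloud-wide whether or not a tenant is set.
    """
    access = json.loads(response_json).get("access", {})
    roles = {r.get("name", "").lower()
             for r in access.get("user", {}).get("roles", [])}
    return bool(roles & {r.lower() for r in admin_roles})


def has_compute_service(response_json):
    """True if the service catalog lists a compute (nova) service."""
    access = json.loads(response_json).get("access", {})
    return any(s.get("type") == "compute"
               for s in access.get("serviceCatalog", []))


def credentials_look_admin(response_json, admin_roles=("admin",)):
    """Combined check from the thread: admin role AND nova in the catalog."""
    return (has_cloud_admin_role(response_json, admin_roles)
            and has_compute_service(response_json))
```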