Great. Thanks Vish! We'll revert with further questions if they come up.

--
Shivan Bindal
Product Manager
shi...@rightscale.com
On Tue, Jan 31, 2012 at 4:43 PM, Vishvananda Ishaya <vishvana...@gmail.com> wrote:

> We have been treating 'Admin' (or 'admin' as I prefer) as meaning admin of the entire cloud, regardless of whether a tenant id is set. The recent rbac changes introduced allow the policy to be completely customized by the deployer however, so they would be free to define a different role such as 'superuser'. We currently do however have some special handling in nova based on the role 'admin', so that seems like the best choice.
>
> As a side note, we do want to remove the special handling, but at that point we might introduce a flag to represent a role that should be considered to have superuser privileges.
>
> Vish
>
> On Jan 31, 2012, at 4:08 PM, Shivan Bindal wrote:
>
> Hi,
>
> I've got a quick question regarding RightScale's OpenStack integration. At one point, when someone decides to connect their OpenStack cloud with RightScale, we need to authenticate that that user is authorized to connect their cloud to RightScale. (Those users get some extra privileges, not the least of which is the ability to delete the cloud from the system, which could have an impact to an unaware user).
>
> We recognize authorization by requesting that the user give us admin credentials to their cloud. (Think of this as an enterprise user who wants to connect their Piston OpenStack cloud with RightScale.) The question I have is -- how do you recommend we validate that the credentials we've received are in fact Admin?
>
> In our current integration of Diablo + KeyStone, we post to the provided KeyStone endpoint with the supposedly admin credentials. We then ensure that the role "Admin" is included in the response along with the Nova service in the service catalog.
>
> Should we add a check to see if the user is associated with any tenant? We are currently thinking about checking if TenantID is nil hoping that this means 'admin of all tenants'.
>
> What would you recommend we do? Ideally, there would be an API call that only admin credentials on Nova would be allowed to make. Is there such an API call (we couldn't see any such call in the Nova API Documentation)? Do you have any other suggestions?
>
> Thanks!
>
> --
> Shivan Bindal
> Product Manager
> shi...@rightscale.com
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
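An added illustration of the check discussed in this thread (example code, not from RightScale or OpenStack), applied to a Keystone v2.0 token response: the admin role name is a configurable parameter, since Vish notes the deployer's policy may define a different superuser role, and the tenant id is not treated as an admin signal. The response bodies and the `make_token_response` helper are constructed sample data.

```python
import json

def make_token_response(role_names, service_types, tenant=None):
    """Build a constructed Keystone v2.0 token response body (sample data, not a real cloud)."""
    token = {"id": "tok-example", "expires": "2012-02-01T00:00:00Z"}
    if tenant is not None:
        token["tenant"] = {"id": tenant, "name": tenant}
    return json.dumps({"access": {
        "token": token,
        "user": {"id": "u-001", "name": "alice",
                 "roles": [{"name": r} for r in role_names]},
        "serviceCatalog": [{"type": t, "name": t,
                            "endpoints": [{"publicURL": "http://%s.example/" % t}]}
                           for t in service_types],
    }})

# Constructed samples: a cloud-wide admin and an ordinary tenant member.
SAMPLE_ADMIN = make_token_response(["Admin"], ["compute", "identity"], tenant="admin")
SAMPLE_MEMBER = make_token_response(["Member"], ["compute", "identity"], tenant="demo")

def validate_admin_token(response_body, admin_roles=("admin",), required_service="compute"):
    """Return (ok, reasons): ok only when a configured admin role is present
    and the service catalog advertises the required service type (Nova is 'compute').

    admin_roles is deployer-configurable because the policy may define a
    different superuser role (e.g. 'superuser'); names compare case-insensitively
    so 'Admin' and 'admin' both match. The presence or absence of a tenant id
    is deliberately ignored: it is not a signal of cloud-wide admin rights.
    """
    access = json.loads(response_body).get("access", {})
    reasons = []
    roles = {r.get("name", "").lower() for r in access.get("user", {}).get("roles", [])}
    if not roles & {a.lower() for a in admin_roles}:
        reasons.append("no admin role among %s" % sorted(roles))
    types = {s.get("type") for s in access.get("serviceCatalog", [])}
    if required_service not in types:
        reasons.append("service catalog lacks %r" % required_service)
    return (not reasons, reasons)

if __name__ == "__main__":
    for label, body in (("admin", SAMPLE_ADMIN), ("member", SAMPLE_MEMBER)):
        print(label, validate_admin_token(body))
```

Because the role names are policy-defined, the deployer's actual superuser role must be supplied in `admin_roles`; a mismatch is reported as a reason rather than silently passing.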