On 06/06/2018 06:59 AM, Mike Carden wrote:
>
> > \o/ - care to add the links on the doc? Would be really helpful for
> > others I guess :).
>
> Doc? What doc?

This one: https://docs.openstack.org/oslo.privsep/latest/index.html

I just created https://review.openstack.org/#/c/572670/

So, back to business: we need some spec and discussions in order to get a consensus and implement best practices.

Using privsep will allow us to drop the sudo part, as it uses rootwrap instead. This way also allows us to filter out the rights, and we can ensure we actually don't let people do bad things.

The mentioned blog posts also point to the test process, and show how we can ensure we actually mock the calls. They also propose a directory structure, and stress the way to actually call the privileged methods. All of that makes perfect sense, as it has a simple logic: if you need privileges, show them without any hide-and-seek game.

That advice should be followed, and integrated in any spec/blueprint we're to write prior to the implementation.

Regarding the tripleoclient part: there's currently one annoying issue, as the generated files aren't owned by the deploy user (usually named "stack"). This isn't a really urgent correction, but I'm pretty sure we have to lock any change toward a "quick'n'dirty resolution".

Cheers,

C.

>
> --
> MC
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

--
Cédric Jeanneret
Software Engineer
DFG:DF