Hi Tim,
The change was already merged to master. With the next release of
python-muranoclient it can be used in Congress.
Regards
Filip
On 07/08/2015 03:57 PM, Tim Hinrichs wrote:
There are two things to remember here.
1) When you configure the Congress datasource driver to talk to
Murano, yo
Hi Dolph
Thanks for the idea. Is this approach used somewhere for a use case similar to the one I
described? If so, please point it out. Thanks
Filip
On 07/10/2015 04:57 PM, Dolph Mathews wrote:
How about using domain-based role assignments in keystone and
requiring domain-level authorization in policy, and t
We sometimes want the ability to write policy across tenants, e.g. VMs from
Coke and Pepsi must always be deployed on different hosts.
I didn't think there were any roles that could see everything without
all_tenants=true. If there are such roles, I'd be happy to remove the
all_tenants=true from
How about using domain-based role assignments in keystone and requiring
domain-level authorization in policy, and then only returning data about
the collection of tenants that belong to the authorized domain? That way
you don't have an API that violates multi-tenant isolation, consumable only
by cl
AFAIK nova and cinder support --all-tenants when we list servers and
volumes; it's an admin-only operation, as Kirill points out in the above
comments.
On the other hand, I think we should be careful using this option,
because the huge results are pulled at one time when we want to get the
cross t
There are two things to remember here.
1) When you configure the Congress datasource driver to talk to Murano, you
choose which user rights Congress should use. If you need to get all of
the tenants data, you want to choose an admin user for the Murano driver.
Personally I always use admin users
1) This does raise a security concern. We can, however, cover it with a separate
policy-based permission that would check if a user can view all tenants. nova
seems to do so, see:
https://github.com/openstack/nova/blob/4209d0140774adf3e162b7bde3cbd6b417065dd5/etc/nova/policy.json#L13
2) Will give
Hi all,
I started implementing bp [1]. The problem is that congress needs data about
environments from all tenants but the murano API lists only environments of
the user's current tenant. We decided to implement it similarly to
listing servers in nova, where there is a query parameter all_tenants=true for
that (u