Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-26 Thread Lingxian Kong 
2014-02-25 19:48 GMT+08:00 Salvatore Orlando sorla...@nicira.com:

 I understand the fact that resources with invalid tenant_ids can be
 created (only with admin rights at least for Neutron) can be annoying.

 However, I support Jay's point on cross-project interactions. If tenant_id
 validation (and orphaned resource management) can't be efficiently handled,
 then I'd rather let 3rd party scripts dealing with orphaned and invalid
 resources.

 I reckon that it might be worth experimenting whether the notifications
 sent by Keystone (see Dolph's post on this thread) can be used to deal with
 orphaned resources.
 For tenant_id validation, anything involving an extra round trip to
 keystone would not be efficient in my opinion. If there is a way to perform
 this validation in the same call which validates the tenant auth_token then
 it's a different story.
 Notifications from keystone *could* be used to build a local (persistent
 perhaps) cache of active tenant identifiers. However, this would require
 reliable notifications, as well as appropriate cache management, which is
 often less simple than what it looks like.

 Salvatore


Thanks for your explanation and suggestion, Salvatore, I still think it's
a problem that we should handle in OpenStack or outside(through what you
said, say 3rd party scripts), maybe we could add some contents in wiki or
doc? any idea?


-- 
*---*
*Lingxian Kong*
Huawei Technologies Co.,LTD.
IT Product Line CloudOS PDU
China, Xi'an
Mobile: +86-18602962792
Email: konglingx...@huawei.com; anlin.kong@gmail.c anlin.k...@gmail.com
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-25 Thread Salvatore Orlando 
I understand the fact that resources with invalid tenant_ids can be created
(only with admin rights at least for Neutron) can be annoying.

However, I support Jay's point on cross-project interactions. If tenant_id
validation (and orphaned resource management) can't be efficiently handled,
then I'd rather let 3rd party scripts dealing with orphaned and invalid
resources.

I reckon that it might be worth experimenting whether the notifications
sent by Keystone (see Dolph's post on this thread) can be used to deal with
orphaned resources.
For tenant_id validation, anything involving an extra round trip to
keystone would not be efficient in my opinion. If there is a way to perform
this validation in the same call which validates the tenant auth_token then
it's a different story.
Notifications from keystone *could* be used to build a local (persistent
perhaps) cache of active tenant identifiers. However, this would require
reliable notifications, as well as appropriate cache management, which is
often less simple than what it looks like.

Salvatore


On 25 February 2014 05:23, Lingxian Kong anlin.k...@gmail.com wrote:



 2014-02-25 11:25 GMT+08:00 Dong Liu willowd...@gmail.com:

 Thanks Jay, now I know maybe neutron will not handle tenant
 creating/deleting notifications which from keystone.

 There is another question, such as creating subnet request body:
 {
   subnet: {
 name: test_subnet,
 enable_dhcp: true,
 network_id: 57596b26-080d-4802-8cce-4318b7e543d5,
 ip_version: 4,
 cidr: 10.0.0.0/24,
 tenant_id: 4209c294d1bb4c36acdfaa885075e0f1


 So, this is exactly what I mean for 'temant_id' here that should be
 validated.
 I insist this could be done via some middleware or else.

   }
 }
 As we know, the tenant_id can only be specified by admin tenant.

 In my test, the tenant_id I filled in the body can be any string (e.g., a
 name, an uuid, etc.) But I think this tenant existence (I mean if the
 tenant exists in keystone) should be verified, if not, the subnet I created
 will be an useless resource.

 Regards,
 Dong Liu


 On 2014-02-25 0:22, Jay Pipes Wrote:

 On Mon, 2014-02-24 at 16:23 +0800, Lingxian Kong wrote:

 I think 'tenant_id' should always be validated when creating neutron
 resources, whether or not Neutron can handle the notifications from
 Keystone when tenant is deleted.


 -1

 Personally, I think this cross-service request is likely too expensive
 to do on every single request to Neutron. It's already expensive enough
 to use Keystone when not using PKI tokens, and adding another round trip
 to Keystone for this kind of thing is not appealing to me. The tenant is
 already validated when it is used to get the authentication token used
 in requests to Neutron, so other than the scenarios where a tenant is
 deleted in Keystone (which, with notifications in Keystone, there is now
 a solution for), I don't see much value in the extra expense this would
 cause.

 Best,
 -jay



 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




 --
 *---*
 *Lingxian Kong*
 Huawei Technologies Co.,LTD.
 IT Product Line CloudOS PDU
 China, Xi'an
 Mobile: +86-18602962792
 Email: konglingx...@huawei.com; anlin.k...@gmail.com

 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-25 Thread Dong Liu 

Salvatore, thank you very much for your reply.

I know that there was a proposal[1] to handle the message security 
stuff. For this proposal implementation, there was a blueprint[2] of 
keystone will merge in Icehouse.


I'm looking forward to the notification handling could implemente in 
Juno. Although I'm a new bee here, if it is possible, I wish I can take 
part in this in the days to come.


[1] https://wiki.openstack.org/wiki/MessageSecurity
[2] https://blueprints.launchpad.net/keystone/+spec/key-distribution-server

Regards,
Dong Liu

On 2014-02-25 19:48, Salvatore Orlando Wrote:

I understand the fact that resources with invalid tenant_ids can be
created (only with admin rights at least for Neutron) can be annoying.

However, I support Jay's point on cross-project interactions. If
tenant_id validation (and orphaned resource management) can't be
efficiently handled, then I'd rather let 3rd party scripts dealing with
orphaned and invalid resources.

I reckon that it might be worth experimenting whether the notifications
sent by Keystone (see Dolph's post on this thread) can be used to deal
with orphaned resources.
For tenant_id validation, anything involving an extra round trip to
keystone would not be efficient in my opinion. If there is a way to
perform this validation in the same call which validates the tenant
auth_token then it's a different story.
Notifications from keystone *could* be used to build a local (persistent
perhaps) cache of active tenant identifiers. However, this would require
reliable notifications, as well as appropriate cache management, which
is often less simple than what it looks like.

Salvatore


On 25 February 2014 05:23, Lingxian Kong anlin.k...@gmail.com
mailto:anlin.k...@gmail.com wrote:



2014-02-25 11:25 GMT+08:00 Dong Liu willowd...@gmail.com
mailto:willowd...@gmail.com:

Thanks Jay, now I know maybe neutron will not handle tenant
creating/deleting notifications which from keystone.

There is another question, such as creating subnet request body:
{
   subnet: {
 name: test_subnet,
 enable_dhcp: true,
 network_id: 57596b26-080d-4802-8cce-__4318b7e543d5,
 ip_version: 4,
 cidr: 10.0.0.0/24 http://10.0.0.0/24,
 tenant_id: __4209c294d1bb4c36acdfaa885075e0__f1


So, this is exactly what I mean for 'temant_id' here that should be
validated.
I insist this could be done via some middleware or else.

   }
}
As we know, the tenant_id can only be specified by admin tenant.

In my test, the tenant_id I filled in the body can be any string
(e.g., a name, an uuid, etc.) But I think this tenant existence
(I mean if the tenant exists in keystone) should be verified, if
not, the subnet I created will be an useless resource.

Regards,
Dong Liu


On 2014-02-25 0:22, Jay Pipes Wrote:

On Mon, 2014-02-24 at 16:23 +0800, Lingxian Kong wrote:

I think 'tenant_id' should always be validated when
creating neutron
resources, whether or not Neutron can handle the
notifications from
Keystone when tenant is deleted.


-1

Personally, I think this cross-service request is likely too
expensive
to do on every single request to Neutron. It's already
expensive enough
to use Keystone when not using PKI tokens, and adding
another round trip
to Keystone for this kind of thing is not appealing to me.
The tenant is
already validated when it is used to get the
authentication token used
in requests to Neutron, so other than the scenarios where a
tenant is
deleted in Keystone (which, with notifications in Keystone,
there is now
a solution for), I don't see much value in the extra expense
this would
cause.

Best,
-jay



_
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.__org
mailto:OpenStack-dev@lists.openstack.org

http://lists.openstack.org/__cgi-bin/mailman/listinfo/__openstack-dev
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


_
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.__org
mailto:OpenStack-dev@lists.openstack.org
http://lists.openstack.org/__cgi-bin/mailman/listinfo/__openstack-dev
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




--
*---*
*Lingxian Kong*
Huawei Technologies Co.,LTD.
IT Product Line CloudOS PDU
China, Xi'an

Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-24 Thread Lingxian Kong 
I think 'tenant_id' should always be validated when creating neutron
resources, whether or not Neutron can handle the notifications from
Keystone when tenant is deleted.

thoughts?


2014-02-20 20:21 GMT+08:00 Dong Liu willowd...@gmail.com:

 Dolph, thanks for the information you provided.

 Now I have two question:
 1. Will neutron handle this event notification in the future?
 2. I also wish neutron could verify that tenant_id is existent.

 thanks

 于 2014-02-20 4:33, Dolph Mathews 写道:

 There's an open bug [1] against nova  neutron to handle notifications
 [2] from keystone about such events. I'd love to see that happen during
 Juno!

 [1] https://bugs.launchpad.net/nova/+bug/967832
 [2] http://docs.openstack.org/developer/keystone/event_notifications.html

 On Mon, Feb 17, 2014 at 6:35 AM, Yongsheng Gong gong...@unitedstack.com
 mailto:gong...@unitedstack.com wrote:

 It is not easy to enhance it. If we check the tenant_id on creation,
 if should we  also to do some job when keystone delete tenant?


 On Mon, Feb 17, 2014 at 6:41 AM, Dolph Mathews
 dolph.math...@gmail.com mailto:dolph.math...@gmail.com wrote:

 keystoneclient.middlware.auth_token passes a project ID (and
 name, for convenience) to the underlying application through the
 WSGI environment, and already ensures that this value can not be
 manipulated by the end user.

 Project ID's (redundantly) passed through other means, such as
 URLs, are up to the service to independently verify against
 keystone (or equivalently, against the WSGI environment), but
 can be directly manipulated by the end user if no checks are in
 place.

 Without auth_token in place to manage multitenant authorization,
 I'd still expect services to blindly trust the values provided
 in the environment (useful for both debugging the service and
 alternative deployment architectures).

 On Sun, Feb 16, 2014 at 8:52 AM, Dong Liu willowd...@gmail.com
 mailto:willowd...@gmail.com wrote:

 Hi stackers:

 I found that when creating network subnet and other
 resources, the attribute tenant_id
 can be set by admin tenant. But we did not verify that if
 the tanent_id is real in keystone.

 I know that we could use neutron without keystone, but do
 you think tenant_id should
 be verified when we using neutron with keystone.

 thanks
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 mailto:OpenStack-dev@lists.openstack.org

 http://lists.openstack.org/cgi-bin/mailman/listinfo/
 openstack-dev



 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 mailto:OpenStack-dev@lists.openstack.org

 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 mailto:OpenStack-dev@lists.openstack.org

 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




-- 
*---*
*Lingxian Kong*
Huawei Technologies Co.,LTD.
IT Product Line CloudOS PDU
China, Xi'an
Mobile: +86-18602962792
Email: konglingx...@huawei.com; anlin.k...@gmail.com
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-24 Thread Jay Pipes 
On Mon, 2014-02-24 at 16:23 +0800, Lingxian Kong wrote:
 I think 'tenant_id' should always be validated when creating neutron
 resources, whether or not Neutron can handle the notifications from
 Keystone when tenant is deleted.

-1

Personally, I think this cross-service request is likely too expensive
to do on every single request to Neutron. It's already expensive enough
to use Keystone when not using PKI tokens, and adding another round trip
to Keystone for this kind of thing is not appealing to me. The tenant is
already validated when it is used to get the authentication token used
in requests to Neutron, so other than the scenarios where a tenant is
deleted in Keystone (which, with notifications in Keystone, there is now
a solution for), I don't see much value in the extra expense this would
cause.

Best,
-jay



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-24 Thread Dong Liu 
Thanks Jay, now I know maybe neutron will not handle tenant 
creating/deleting notifications which from keystone.


There is another question, such as creating subnet request body:
{
  subnet: {
name: test_subnet,
enable_dhcp: true,
network_id: 57596b26-080d-4802-8cce-4318b7e543d5,
ip_version: 4,
cidr: 10.0.0.0/24,
tenant_id: 4209c294d1bb4c36acdfaa885075e0f1
  }
}
As we know, the tenant_id can only be specified by admin tenant.

In my test, the tenant_id I filled in the body can be any string (e.g., 
a name, an uuid, etc.) But I think this tenant existence (I mean if the 
tenant exists in keystone) should be verified, if not, the subnet I 
created will be an useless resource.


Regards,
Dong Liu

On 2014-02-25 0:22, Jay Pipes Wrote:

On Mon, 2014-02-24 at 16:23 +0800, Lingxian Kong wrote:

I think 'tenant_id' should always be validated when creating neutron
resources, whether or not Neutron can handle the notifications from
Keystone when tenant is deleted.


-1

Personally, I think this cross-service request is likely too expensive
to do on every single request to Neutron. It's already expensive enough
to use Keystone when not using PKI tokens, and adding another round trip
to Keystone for this kind of thing is not appealing to me. The tenant is
already validated when it is used to get the authentication token used
in requests to Neutron, so other than the scenarios where a tenant is
deleted in Keystone (which, with notifications in Keystone, there is now
a solution for), I don't see much value in the extra expense this would
cause.

Best,
-jay



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-24 Thread Lingxian Kong 
2014-02-25 11:25 GMT+08:00 Dong Liu willowd...@gmail.com:

 Thanks Jay, now I know maybe neutron will not handle tenant
 creating/deleting notifications which from keystone.

 There is another question, such as creating subnet request body:
 {
   subnet: {
 name: test_subnet,
 enable_dhcp: true,
 network_id: 57596b26-080d-4802-8cce-4318b7e543d5,
 ip_version: 4,
 cidr: 10.0.0.0/24,
 tenant_id: 4209c294d1bb4c36acdfaa885075e0f1


So, this is exactly what I mean for 'temant_id' here that should be
validated.
I insist this could be done via some middleware or else.

  }
 }
 As we know, the tenant_id can only be specified by admin tenant.

 In my test, the tenant_id I filled in the body can be any string (e.g., a
 name, an uuid, etc.) But I think this tenant existence (I mean if the
 tenant exists in keystone) should be verified, if not, the subnet I created
 will be an useless resource.

 Regards,
 Dong Liu


 On 2014-02-25 0:22, Jay Pipes Wrote:

 On Mon, 2014-02-24 at 16:23 +0800, Lingxian Kong wrote:

 I think 'tenant_id' should always be validated when creating neutron
 resources, whether or not Neutron can handle the notifications from
 Keystone when tenant is deleted.


 -1

 Personally, I think this cross-service request is likely too expensive
 to do on every single request to Neutron. It's already expensive enough
 to use Keystone when not using PKI tokens, and adding another round trip
 to Keystone for this kind of thing is not appealing to me. The tenant is
 already validated when it is used to get the authentication token used
 in requests to Neutron, so other than the scenarios where a tenant is
 deleted in Keystone (which, with notifications in Keystone, there is now
 a solution for), I don't see much value in the extra expense this would
 cause.

 Best,
 -jay



 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




-- 
*---*
*Lingxian Kong*
Huawei Technologies Co.,LTD.
IT Product Line CloudOS PDU
China, Xi'an
Mobile: +86-18602962792
Email: konglingx...@huawei.com; anlin.k...@gmail.com
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-20 Thread Dong Liu 

Dolph, thanks for the information you provided.

Now I have two question:
1. Will neutron handle this event notification in the future?
2. I also wish neutron could verify that tenant_id is existent.

thanks

于 2014-02-20 4:33, Dolph Mathews 写道:

There's an open bug [1] against nova  neutron to handle notifications
[2] from keystone about such events. I'd love to see that happen during
Juno!

[1] https://bugs.launchpad.net/nova/+bug/967832
[2] http://docs.openstack.org/developer/keystone/event_notifications.html

On Mon, Feb 17, 2014 at 6:35 AM, Yongsheng Gong gong...@unitedstack.com
mailto:gong...@unitedstack.com wrote:

It is not easy to enhance it. If we check the tenant_id on creation,
if should we  also to do some job when keystone delete tenant?


On Mon, Feb 17, 2014 at 6:41 AM, Dolph Mathews
dolph.math...@gmail.com mailto:dolph.math...@gmail.com wrote:

keystoneclient.middlware.auth_token passes a project ID (and
name, for convenience) to the underlying application through the
WSGI environment, and already ensures that this value can not be
manipulated by the end user.

Project ID's (redundantly) passed through other means, such as
URLs, are up to the service to independently verify against
keystone (or equivalently, against the WSGI environment), but
can be directly manipulated by the end user if no checks are in
place.

Without auth_token in place to manage multitenant authorization,
I'd still expect services to blindly trust the values provided
in the environment (useful for both debugging the service and
alternative deployment architectures).

On Sun, Feb 16, 2014 at 8:52 AM, Dong Liu willowd...@gmail.com
mailto:willowd...@gmail.com wrote:

Hi stackers:

I found that when creating network subnet and other
resources, the attribute tenant_id
can be set by admin tenant. But we did not verify that if
the tanent_id is real in keystone.

I know that we could use neutron without keystone, but do
you think tenant_id should
be verified when we using neutron with keystone.

thanks
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
mailto:OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
mailto:OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
mailto:OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-19 Thread Dolph Mathews 
There's an open bug [1] against nova  neutron to handle notifications [2]
from keystone about such events. I'd love to see that happen during Juno!

[1] https://bugs.launchpad.net/nova/+bug/967832
[2] http://docs.openstack.org/developer/keystone/event_notifications.html

On Mon, Feb 17, 2014 at 6:35 AM, Yongsheng Gong gong...@unitedstack.comwrote:

 It is not easy to enhance it. If we check the tenant_id on creation, if
 should we  also to do some job when keystone delete tenant?


 On Mon, Feb 17, 2014 at 6:41 AM, Dolph Mathews dolph.math...@gmail.comwrote:

 keystoneclient.middlware.auth_token passes a project ID (and name, for
 convenience) to the underlying application through the WSGI environment,
 and already ensures that this value can not be manipulated by the end user.

 Project ID's (redundantly) passed through other means, such as URLs, are
 up to the service to independently verify against keystone (or
 equivalently, against the WSGI environment), but can be directly
 manipulated by the end user if no checks are in place.

 Without auth_token in place to manage multitenant authorization, I'd
 still expect services to blindly trust the values provided in the
 environment (useful for both debugging the service and alternative
 deployment architectures).

 On Sun, Feb 16, 2014 at 8:52 AM, Dong Liu willowd...@gmail.com wrote:

 Hi stackers:

 I found that when creating network subnet and other resources, the
 attribute tenant_id
 can be set by admin tenant. But we did not verify that if the tanent_id
 is real in keystone.

 I know that we could use neutron without keystone, but do you think
 tenant_id should
 be verified when we using neutron with keystone.

 thanks
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-17 Thread Yongsheng Gong 
It is not easy to enhance it. If we check the tenant_id on creation, if
should we  also to do some job when keystone delete tenant?


On Mon, Feb 17, 2014 at 6:41 AM, Dolph Mathews dolph.math...@gmail.comwrote:

 keystoneclient.middlware.auth_token passes a project ID (and name, for
 convenience) to the underlying application through the WSGI environment,
 and already ensures that this value can not be manipulated by the end user.

 Project ID's (redundantly) passed through other means, such as URLs, are
 up to the service to independently verify against keystone (or
 equivalently, against the WSGI environment), but can be directly
 manipulated by the end user if no checks are in place.

 Without auth_token in place to manage multitenant authorization, I'd still
 expect services to blindly trust the values provided in the environment
 (useful for both debugging the service and alternative deployment
 architectures).

 On Sun, Feb 16, 2014 at 8:52 AM, Dong Liu willowd...@gmail.com wrote:

 Hi stackers:

 I found that when creating network subnet and other resources, the
 attribute tenant_id
 can be set by admin tenant. But we did not verify that if the tanent_id
 is real in keystone.

 I know that we could use neutron without keystone, but do you think
 tenant_id should
 be verified when we using neutron with keystone.

 thanks
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-16 Thread Dong Liu 
Hi stackers:

I found that when creating network subnet and other resources, the attribute 
tenant_id 
can be set by admin tenant. But we did not verify that if the tanent_id is real 
in keystone.

I know that we could use neutron without keystone, but do you think tenant_id 
should 
be verified when we using neutron with keystone.

thanks
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-16 Thread Dolph Mathews 
keystoneclient.middlware.auth_token passes a project ID (and name, for
convenience) to the underlying application through the WSGI environment,
and already ensures that this value can not be manipulated by the end user.

Project ID's (redundantly) passed through other means, such as URLs, are up
to the service to independently verify against keystone (or equivalently,
against the WSGI environment), but can be directly manipulated by the end
user if no checks are in place.

Without auth_token in place to manage multitenant authorization, I'd still
expect services to blindly trust the values provided in the environment
(useful for both debugging the service and alternative deployment
architectures).

On Sun, Feb 16, 2014 at 8:52 AM, Dong Liu willowd...@gmail.com wrote:

 Hi stackers:

 I found that when creating network subnet and other resources, the
 attribute tenant_id
 can be set by admin tenant. But we did not verify that if the tanent_id is
 real in keystone.

 I know that we could use neutron without keystone, but do you think
 tenant_id should
 be verified when we using neutron with keystone.

 thanks
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev