Hi Kevin, thanks for bringing this up. Agree that with the current approach
to RBAC / ABAC model in OpenStack it is very challenging or nearly
impossible to securely do anything more complicated than just manually
spawn an instance. I'm curious whether TC and/or the community could take
constructive a
On 3/10/2017 3:02 PM, Andrea Frittoli wrote:
We had a couple of sessions related to this topic at the PTG [0][1].
We agreed that we want to still maintain integration tests only in
Tempest, which means that API micro versions that have no integration
impact can be tested via functional tests.
Nova needs to either: provide a vouching mechanism for VMs to always be able
to get something that proves the VM is the VM, or provide a mechanism to
securely give the VM a Keystone token that's unique to the VMs. It's got to work
and be secure through VMs that are stopped or suspended for sign
No, they are treated as second-class citizens. Take Trove again as an example.
The underlying OpenStack infrastructure does not provide a good security
solution for Trove's use case, as it's more than just IaaS. So they have spent
years trying to work around it in one way or another, each with ho