Hi Dolph
Thanks for idea. Is this approach used somewhere for similar use-case I
described? If so please point it out. Thanks
Filip
On 07/10/2015 04:57 PM, Dolph Mathews wrote:
How about using domain-based role assignments in keystone and
requiring domain-level authorization in policy, and
Hi Tim,
The change was already merged to master. Withe next release of
python-muranoclient it can be used in Congress.
Regards
Filip
On 07/08/2015 03:57 PM, Tim Hinrichs wrote:
There are two things to remember here.
1) When you configure the Congress datasource driver to talk to
Murano,
How about using domain-based role assignments in keystone and requiring
domain-level authorization in policy, and then only returning data about
the collection of tenants that belong to the authorized domain? That way
you don't have an API that violates multi-tenant isolation, consumable only
by
We sometimes want the ability to write policy across tenants, e.g. VMs from
Coke and Pepsi must always be deployed on different hosts.
I didn't think there were any roles that could see everything without
all_tenants=true. If there are such roles, I'd be happy to remove the
all_tenants=true from
There are two things to remember here.
1) When you configure the Congress datasource driver to talk to Murano, you
choose which user rights Congress should use. If you need to get all of
the tenants data, you want to choose an admin user for the Murano driver.
Personally I always use admin users
