Code review comment for lp:~sandy-walsh/nova/admin-only-api
Revision history for this message
| Soren Hansen (soren) wrote | # |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
2010/11/24 Sandy Walsh <email address hidden>:
> There seems to be a need to stand up api servers inside the firewall
> which can perform privileged operations.
>
> I had mentioned that this sort of sandboxing should be performed by
> the normal RBAC capabilities of the auth system. But others would
> rather draw hard lines in what is available to the public API in the
> event of a breach.
That makes sense. Sorry, I completely missed the fact that there was
actually a blueprint linked to the branch.
I apprecite your wanting to make this mechanism generic, but I think I
would prefer a more specific --allow_admin_api flag instead:
a) I question the usefulness of being able to pick and choose which of
e.g. flavors, images, and servers you want to expose. At least for now,
it's pretty clear which operations should be admin-only and which ones
should not.
b) It ensures that when adding new operations, you don't necessarily
have to change your config to get access to them (or, worse, deny access
to them in case of --nova_
--
Soren Hansen
Ubuntu Developer http://
OpenStack Developer http://