Comments (4)
As you mentioned, a domain admin account can't be used to set quotas. For this reason we currently run the adapter with admin privileges. This might not be the best solution, but is this really a big problem? Since the adapter does not delete resources automatically, this seems to be ok for me.
from perunkeystoneadapter.
It's a matter of security vs. effort. I prefer to use the least privileges necessary to perform a task, even if this means extra effort in the implementation. And storing cloud admin credentials for any automated task is kind of a no-go in my opinion.
I'm preparing a branch for the necessary fixes in the current master; extensions for quota support will be added after the initial quota implementation is complete.
from perunkeystoneadapter.
It's fine from Freiburg's side, @jkrue. We already store cloud admin credentials (on our management nodes) for automated tasks like syncing flavor lists. Given our threat model, it isn't a big concern to likewise provide the adapter with credentials.
Glad you have the time to put in the extra effort for the extra security @Be-El.
from perunkeystoneadapter.
Quota management as domain admin is no problem... except for the cinder quotas. You need to add the domain admin as project admin to each managed project; retrieving and setting quotas requires a new project-scoped authentication token.
Once the current work on the quota implementation in branch feature/transfer-quotas is finished, I would start implementing a token cache and make the necessary changes to handle cinder quotas correctly.
The important question we need to answer first:
Do we want to add the service account as project admin permanently to each project, or do we want to assign roles on the fly? How often does perun trigger the keystone adapter?
(Another alternative is nested projects... currently evaluating)
from perunkeystoneadapter.
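The token cache proposed in the last comment (one project-scoped token per managed project, refreshed shortly before Keystone's `expires_at` passes, so that cinder quota calls do not re-authenticate on every run), written here as an added example and not as code from perunkeystoneadapter. The `issue_token` callable is a hypothetical stand-in for the real project-scoped Keystone authentication call; the clock values and token strings are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

# Keystone v3 tokens report "expires_at" in this ISO 8601 form (UTC).
KEYSTONE_TS = "%Y-%m-%dT%H:%M:%S.%fZ"


class ProjectTokenCache:
    """One project-scoped token per project, refreshed shortly before it expires."""

    def __init__(self, issue_token: Callable[[str], Tuple[str, str]], margin_seconds: int = 60):
        # issue_token(project_id) -> (token_id, expires_at) stands for the real
        # Keystone call (e.g. password auth scoped to that project); it is
        # injected so the cache can be exercised without a cloud (hypothetical).
        self._issue = issue_token
        self._margin = timedelta(seconds=margin_seconds)
        self._tokens: Dict[str, Tuple[str, datetime]] = {}
        self.issued = 0  # round trips to Keystone, which the cache is meant to minimise

    def get(self, project_id: str, now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)
        entry = self._tokens.get(project_id)
        if entry is None or entry[1] - self._margin <= now:
            token_id, expires_at = self._issue(project_id)
            exp = datetime.strptime(expires_at, KEYSTONE_TS).replace(tzinfo=timezone.utc)
            entry = (token_id, exp)
            self._tokens[project_id] = entry
            self.issued += 1
        return entry[0]

    def invalidate(self, project_id: str) -> None:
        # Drop the token once an on-the-fly project role has been removed again.
        self._tokens.pop(project_id, None)


def demo() -> Tuple[int, bool]:
    # Constructed stand-in for Keystone: each token lives one hour from a fixed clock.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    counter = {"n": 0}

    def fake_issue(project_id: str) -> Tuple[str, str]:
        counter["n"] += 1
        return f"tok-{project_id}-{counter['n']}", (t0 + timedelta(hours=1)).strftime(KEYSTONE_TS)

    cache = ProjectTokenCache(fake_issue)
    first = cache.get("proj-a", now=t0)
    again = cache.get("proj-a", now=t0 + timedelta(minutes=30))   # cache hit
    cache.get("proj-b", now=t0)                                     # other scope, new token
    renewed = cache.get("proj-a", now=t0 + timedelta(minutes=59, seconds=30))  # inside margin
    return cache.issued, first == again and renewed != first
```

With the two projects above, three tokens are issued in total: the second `proj-a` lookup is served from the cache and the third is refreshed because it falls inside the expiry margin.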