frickler | noonedeadpunk: gtema: you can define endpoint filters in keystone in order to drop internal/admin endpoints per project. The problem is that things like nova break then, if they are configured to use the internal endpoints to talk to other services, since they will query the catalog with the user creds, too | 06:57 |
---|---|---|
gtema | frickler, but they are using service accounts. It should be possible to hide non-public data with regular access and expose it on other access types. But I agree this is all a bit tricky, at least how should osc differentiate an admin willing to do some service configuration from a regular user. | 07:23 |
noonedeadpunk | I would say it's something that could be covered by policy | 09:25 |
noonedeadpunk | or based on the passed `endpoint` in credentials or whatever | 09:25 |
gtema | I would suggest we can implement a default filter = public in the OSC so that by default the user will not get other EPs, only when explicitly requested | 09:26 |
gtema | this will surely not properly hide all other EPs, but at least it can be treated as a first step on filtering stuff not useful for the end user by default | 09:27 |
noonedeadpunk | Well, I don't think it's something that should be done on the client side, to be frank | 09:27 |
noonedeadpunk | Maybe endpoint filtering is a thing indeed, need to play with that | 09:27 |
gtema | I mean before something is done on the server it can be filtered on the client side (same as we do in publiccloud with flavors and images while waiting for the server side to be extended) | 09:28 |
noonedeadpunk | it somehow reminds me of "security by obscurity", except it's not really a security thing in this case | 09:30 |
gtema | sure, it is not currently about security, but rather about usability and sensibility | 09:30 |
noonedeadpunk | (it depends on how stupid your setup is, of course) | 09:31 |
gtema | but I suggest we discuss this deeper during summit/ptg in person | 09:31 |
noonedeadpunk | ++ | 09:31 |
noonedeadpunk | frickler: yeah, endpoint filtering is quite close, in case some extra work is put into it to be able to associate with domains, so that all users with the domain scope would be filtered. And remove the limitation of using interface as a filter, i.e. if I want to create a `public2` interface and return only it to some domain | 09:37 |
noonedeadpunk | (and don't return it to others) | 09:40 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!