Saturday, 2023-05-20

06:57 <frickler> noonedeadpunk: gtema: you can define endpoint filters in keystone in order to drop internal/admin endpoints per project. the problem is that things like nova break then, if they are configured to use the internal endpoints to talk to other services, since they will query the catalog with the user creds, too
07:23 <gtema> frickler, but they are using service accounts. It should be possible to hide non public data with a regular access and expose them on other access types. But I agree this is all a bit tricky, at least how should osc differentiate an admin willing to do some service configuration from regular user.
09:25 <noonedeadpunk> I would say it's smth that could be covered by policy
09:25 <noonedeadpunk> or based on passed `endpoint` in credentials or whenever
09:26 <gtema> I would suggest we can implement default filter = public in the OSC so that by default user will not get other EPs, only when explicitly requested
09:27 <gtema> this will surely not properly hide all other EPs, but at least can be treated as first step on filtering stuff not useful for end user by default
09:27 <noonedeadpunk> Well, I don't think it's smth that should be done on client side to be frank
09:27 <noonedeadpunk> Maybe endpoint filtering is a thing indeed, need to play with that
09:28 <gtema> I mean before something is done on the server it can be filtered on client side (same as we go in publiccloud with flavors and images while waiting for serverside to be extended)
09:30 <noonedeadpunk> it somehow reminds me of "security by obscurity", except it's not really a security thing in this case
09:30 <gtema> sure, it is not currently about security, but rather about usability and sense-bility
09:31 <noonedeadpunk> (it depends how stupid your setup is ofc)
09:31 <gtema> but I suggest we discuss this deeper during summit/ptg in person
09:31 <noonedeadpunk> ++
09:37 <noonedeadpunk> frickler: yeah, endpoint filtering is quite close, in case put some extra work to it to be able to associate with domains, so that all users with the domain scope would be filtered. And remove limitation using interface as a filter, ie if I wanna create `public2` interface and return only it to some domain
09:40 <noonedeadpunk> (and don't return it to others)
