Comment 3 for bug 1064914
Revision history for this message
| Joseph Heck (heckj) wrote Re: Able to access ec2 resources with out a user-role | #3 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
79ea94a
(Get the code!)
The EC2 mechanisms disregard role entirely, and work from the relationship of the user to the tenant. If that relationship didn't exist, the user shouldn't be able to access the tenant's resources through EC2. WIth the V2 API, just associating a user with a tenant is an implicit "membership" role - and in fact that's how Horizon displays this information.
Actual "roles" as Keystone defines them are irrelevant to the EC2 credential access, and with the V2 API's and the EC2 mechanisms, roles have no function there. They're not checked as a form of RBAC for allowing EC2 credential access.
The V3 API is aiming to clean this up a bit, more for the OpenStack API. V3 API changes does not currently specify any RBAC around EC2 credential authority.