[openstack-dev] [swift] [keystone] Keystone v3 API domains in Swift

Yee, Guang guang.yee at hp.com
Wed Jan 9 00:08:29 UTC 2013 

Yeah, I don't see a need to add domain_id to Swift account either as project
ID is globally unique. Since domain name/id are returned as part of token
validation, you may be able to use them with Swift ACLs. I am sure Swift
ACLs will need to be updated if and when we remove the globally uniqueness
name requirement.

 

 

Guang

 

 

From: Dolph Mathews [mailto:dolph.mathews at gmail.com] 
Sent: Tuesday, January 08, 2013 2:38 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] [swift] [keystone] Keystone v3 API domains in
Swift

 

TENANT_ID in v2 is exactly equal to PROJECT_ID in v3. ID's are guaranteed to
be globally unique (implemented as service-defined UUID's) and are
url-friendly.

 

Names in keystone are freeform, user-supplied unicode strings. They may not
work in URL's without proper encoding and may collide in the future...

 

On that note, TENANT_NAME in v2 will become PROJECT_NAME in v3, however
we're also talking about namespacing project names to the owning domain, so
that two domains may have otherwise conflicting project names. Once we open
up the namespace, we can't go back, so we're going about it very carefully.
This may apply to user names, as well, but that's a subtly different
conversation.

 

If we do make this change then you also need to identify the domain for a
project name to be meaningful.

 

ID's will still uniquely identify a project regardless of domain or
deployment.

 

-Dolph

 

On Tue, Jan 8, 2013 at 2:11 PM, Alexandra Shulman-Peleg
<SHULMANA at il.ibm.com> wrote:

I think that there is a problem with simply using  <https://swift/AUTH_>
https://SWIFT/AUTH_{PROJECT_ID} instead of the current
<https://swift/AUTH_> https://SWIFT/AUTH_{TENANT_ID} since it will loose the
proper level in the hierarchy. We need something that will represent the
hosted enterprises and this is the goal of domains. Project are more
fine-grained and can represent departments or projects.  For example,
following the description of Henry if two different enterprises with use the
project name "Test" both with map to  <https://swift/AUTH_>
https://SWIFT/AUTH_Test. 

I think that we need to have both the domain id and the project id in the
URL/account name. For example as  <https://swift/AUTH_>
https://SWIFT/AUTH_{DOMAIN_ID}_{PROJECT_ID} or as  <https://swift/>
https://SWIFT/{DOMAIN_ID}_{PROJECT_ID}. In the second option we may try
using the existing reseller prefix mechanism to simplify the implementation.
Having the doman_id in the account name/URL is important to isolate the
accounts that belong to different domains and remove the requirements for
the global uniqueness of project names. 

Best Regards, 
Alex. 



From:        Chuck Thier <cthier at gmail.com> 
To:        OpenStack Development Mailing List
<openstack-dev at lists.openstack.org>, 
Date:        08/01/2013 09:38 PM 
Subject:        Re: [openstack-dev] [swift] [keystone] Keystone v3 API
domains in        Swift 

  _____  




Hi Henry,

>From a swift perspective, I think we are fine there, as we do not use
the user name or project name anywhere.  At the moment, I'm thinking
that we can do auth in a similar way as we did with v2.0 api.  An
"account" in swift is still tied to the project_id (which used to be
tennant_id), which is in the storage url like:
 <https://swift/AUTH_> https://SWIFT/AUTH_{PROJECT_ID}.  Keystone middleware
in swift
validates that the given token has permission for the given Project
ID.

>From this point of view domains are an abstract concept in keystone
only, and wouldn't mean anything directly in swift.

Please let me know if any of my assumptions are incorrect.

Thanks,

--
Chuck

On Tue, Jan 8, 2013 at 1:23 PM, Henry Nash <henryn at linux.vnet.ibm.com>
wrote:
> Chuck,
>
> So user_id and project_id are always globally unique - so we are safe
there.  The problem is when you specify user name or project name in the
cases when we have to handle enterprises being represented by a domain and
they insist that their name attributes (e.g. user names, project names etc.)
be private to that domain (e.g. "what do you mean I can't call my project
"Test" because some other customer in another domain got there first!?!").
See the following blueprint which introduces this ability as optional for
domains:  <https://review.openstack.org/#/c/18805/>
https://review.openstack.org/#/c/18805/
>
> For such domains, we cannot assume that user_name or project_name (or
tenant_name as it used to be called) are globally unique.  "Domain_name (or
id) plus user_name" as well as  "Domain_name (or id) plus project_name" will
be unique however.
>
> Henry
> On 8 Jan 2013, at 19:05, Chuck Thier wrote:
>
>> Yeah, I was hoping for more clarity, as it would help to figure out
>> how to best map the concepts in swift.  A couple of quick questions
>> come to mind.  When a request is validated, is the domain required, or
>> is a user_id and project_id sufficient?  Is the concept of a domain
>> useful in the context of swift?
>>
>> --
>> Chuck
>>
>> On Tue, Jan 8, 2013 at 11:37 AM, heckj <heckj at mac.com> wrote:
>>> The best is probably
<https://github.com/openstack/identity-api/blob/master/openstack-identity-ap
i/src/markdown/identity-api-v3.md>
https://github.com/openstack/identity-api/blob/master/openstack-identity-api
/src/markdown/identity-api-v3.md, but it's a bit light on use-cases around
the concepts I'm afraid.
>>>
>>> -joe
>>>
>>> On Jan 8, 2013, at 9:19 AM, Chuck Thier <cthier at gmail.com> wrote:
>>>> Is there documentation anywhere that defines all of these, and the use
>>>> cases?  That would help us figure out how to map these concepts to
>>>> swift.
>>>>
>>>> --
>>>> Chuck
>>>>
>>>> On Tue, Jan 8, 2013 at 11:13 AM, Dolph Mathews
<dolph.mathews at gmail.com> wrote:
>>>>> I think it would be practical to expose the authenticated user's
DOMAIN_ID
>>>>> and DOMAIN_NAME into the request environment for the underlying
service /
>>>>> middleware to consume, as we do today with TENANT_ID / TENANT_NAME
(soon to
>>>>> be deprecated in favor of PROJECT_ID / PROJECT_NAME).
>>>>>
>>>>>
>>>>> -Dolph
>>>>>
>>>>>
>>>>> On Tue, Jan 8, 2013 at 7:22 AM, Alexandra Shulman-Peleg
>>>>> <SHULMANA at il.ibm.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> As most of you know, Keystone v3 API will introduce the notions of
>>>>>> "domains" and "projects" which will replace the existing notion of
tenants.
>>>>>> It is important to allow using the same concepts in Swift. Since
different
>>>>>> domains may represent different companies, it is important to allow
>>>>>> reflecting the Keystone "domain name" in the Swift "account name",
providing
>>>>>> an option to isolate the requests of different domains. Are there
existing
>>>>>> plans of adjusting Swift to Keystone v3 API? If not, I would like to
start
>>>>>> discussing the potential solutions.
>>>>>>
>>>>>> Thank you all,
>>>>>> Alex.
>>>>>>
>>>>>>
>>>>>> ----------------------------------------------------------
>>>>>> Alexandra Shulman-Peleg, PhD
>>>>>> Storage Research, Cloud Platforms Dept.
>>>>>> IBM Haifa Research Lab
>>>>>> Tel: +972-3-7689530 <tel:%2B972-3-7689530>  | Fax: +972-3-7689545
<tel:%2B972-3-7689545> 
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OpenStack-dev mailing list
>>>>>> OpenStack-dev at lists.openstack.org
>>>>>>  <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev at lists.openstack.org
>>>>>  <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>>  <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>>  <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>>  <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
>  <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
 <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130109/bd51ded1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6186 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130109/bd51ded1/attachment.bin>

More information about the OpenStack-dev mailing list