[openstack-dev] Hierarchical Multitenancy and resource ownership

Martin, JC jch.martin at gmail.com
Tue Feb 18 21:12:39 UTC 2014


Vish,

See comments below.

JC
On Feb 18, 2014, at 12:19 PM, Vishvananda Ishaya <vishvananda at gmail.com> wrote:

> 
> On Feb 18, 2014, at 11:31 AM, Martin, JC <jch.martin at gmail.com> wrote:
> 
>> 
>> I see a lot of good things happening on the hierarchical multi tenancy proposal that Vish made a while back.
>> 
>> However, the focus so far is on roles and quota but could not find any discussion related to resource ownership.
>> 
>> Is the plan to allow the creation of resources within any level of the hierarchy or is the plan to allow the visibility of the resources up to a level in the hierarchy ? or both ?
>> 
>> For example, if I have :
>> - orga.vpca.projecta
>> - orga.vpca.projectb
>> 
>> and I want to share a resource like a network between projecta and projectb, should the network be owned by vpca or should it be owned by projecta or projectb, or a vpca.admin project and then shared to all children of vpca ?
>> 
>> I think either would work, and both maybe required.
>> 
>> Opinions ?
> 
> We haven’t discussed inheriting ownership of objects but at first glance it seems confusing: how would one determine if an object in vcpa is “shared” and visible to projects below, and if it is how far down the hierarchy would it be visible? It is probably best to keep this explicit for the moment.
> 
> I’ve been thinking of sharing as objects that appear at multiple places in the hierarchy. This could be a list of “owners” or “shares”, but I think it would support either of your options. My initial thoughts would be to just put the network resource in orga.vcpa and then share it to the projects. This of course gets a little tedious when other projects are added later, but it avoids the complications i mentioned above.


The way it would work is that when one is, for example, creating a network with a 'shared' semantic (in a leaf project, for example), the call would have to be extended with a scope (for backward compatibility, no scope would mean all/domain).

e.g. 
neutron net-create --shared:orga.vpca vpca-shared-net
instead of just
neutron net-create --shared orga-shared-net

Another option is to implement the same policy mechanism that AWS has, to allow the definition of scope based on rules.
See http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html


JC
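Added example, not OpenStack or Neutron code and not part of the thread: a small visibility check that models the scoped `--shared:<scope>` proposal above next to the explicit share list Vish describes, so the difference between the two is concrete. The dotted project paths and the `Network` fields are constructed for the illustration.

```python
# Added illustration (not OpenStack code). Projects are dotted paths such as
# "orga.vpca.projecta" (constructed sample names from the thread).
from dataclasses import dataclass, field
from typing import List, Optional, Set

SEP = "."


def is_within(project: str, scope: str) -> bool:
    """True if `project` is `scope` itself or sits below it in the hierarchy.
    The separator check keeps "orga.vpca2.x" from matching scope "orga.vpca"."""
    return project == scope or project.startswith(scope + SEP)


@dataclass
class Network:
    name: str
    owner: str                               # project that created the resource
    shared: bool = False                     # today's --shared flag
    share_scope: Optional[str] = None        # scoped share: subtree the share covers
    shared_with: Set[str] = field(default_factory=set)  # explicit share list


def visible_to(net: Network, project: str) -> bool:
    """Decide whether `project` may see `net`.

    Owner always sees it; an explicit share is honoured next; a scoped share
    covers the scope's whole subtree but never flows upward; a bare shared
    flag with no scope keeps the old meaning (visible domain-wide).
    """
    if project == net.owner or project in net.shared_with:
        return True
    if net.shared:
        return net.share_scope is None or is_within(project, net.share_scope)
    return False


# Constructed sample: the two ways of sharing discussed above.
SAMPLE_NETS: List[Network] = [
    Network("vpca-shared-net", "orga.vpca.projecta", shared=True, share_scope="orga.vpca"),
    Network("orga-shared-net", "orga.vpca.projecta", shared=True),
    Network("admin-net", "orga.vpca.admin", shared_with={"orga.vpca.projectb"}),
]


def visible_networks(project: str, nets: List[Network] = SAMPLE_NETS) -> List[str]:
    """Names of networks `project` can see, sorted for stable output."""
    return sorted(n.name for n in nets if visible_to(n, project))
```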

