[openstack-dev] [neutron] Creating resources for non-existent tenants

Elena Ezhova eezhova at mirantis.com
Wed Sep 17 10:06:31 UTC 2014


Hi, all!

I have been looking at the bug
https://bugs.launchpad.net/neutron/+bug/1338885 and it turned out that it
is relevant not only for firewall rules but for all resources that take
tenant-id for create and update.

I need a piece of advice on a preferable way of solving the problem.

First of all, there may be two situations:

1. Neutron using Keystone

2. Neutron working without it

In the second case there is obviously nothing to be done.

But when Neutron uses Keystone, tenant-id should be checked against
existing keystone tenants. I can think of 2 ways of doing this. This may be
done either by calling keystone client directly from neutron while
preparing request body [1] or by moving the check to keystone middleware. In
any case, such a check will be performed during each create or update
operation, preventing an admin from providing non-existent tenants. For now I
think that calling the keystone client from Neutron code is not the best idea
and prefer the second option. I would really appreciate recommendations about
the best way of making the check.

It still leaves the situation when an existing tenant is deleted from
keystone and its resources are left orphaned, but it is being dealt with by
[2].

Thanks,

Elena


[1]
https://github.com/openstack/neutron/blob/master/neutron/api/v2/base.py#L545

[2] https://blueprints.launchpad.net/neutron/+spec/tenant-delete
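
The middleware-style check discussed in the message above, sketched as a WSGI filter in front of the API application. This is an added example, not code from the original post or from Neutron or Keystone; the `tenant_exists` callable, the class and helper names, the `{"resource": {...}}` body shape and the sample requests are assumptions constructed for illustration.

```python
import io
import json

class TenantExistsMiddleware:
    """WSGI filter: reject create/update bodies that name an unknown tenant_id."""

    def __init__(self, app, tenant_exists):
        self.app = app
        # Hypothetical callable(str) -> bool; None models Neutron without Keystone.
        self.tenant_exists = tenant_exists

    def __call__(self, environ, start_response):
        if self.tenant_exists is None or environ["REQUEST_METHOD"] not in ("POST", "PUT"):
            return self.app(environ, start_response)
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(length)
        environ["wsgi.input"] = io.BytesIO(raw)  # let the downstream app re-read the body
        for tenant_id in sorted(self._tenant_ids(raw)):
            if not self.tenant_exists(tenant_id):
                body = json.dumps({"error": "unknown tenant_id %s" % tenant_id}).encode()
                start_response("400 Bad Request", [("Content-Type", "application/json")])
                return [body]
        return self.app(environ, start_response)

    @staticmethod
    def _tenant_ids(raw):
        """Collect tenant_id from single ({"x": {...}}) and bulk ({"xs": [{...}]}) bodies."""
        try:
            doc = json.loads(raw or b"{}")
        except ValueError:
            return set()  # malformed JSON is left for the API layer to reject
        found = set()
        for value in (doc.values() if isinstance(doc, dict) else []):
            for item in (value if isinstance(value, list) else [value]):
                if isinstance(item, dict) and isinstance(item.get("tenant_id"), str):
                    found.add(item["tenant_id"])
        return found

def api_app(environ, start_response):
    # Stand-in for the API application behind the filter (constructed for the example).
    start_response("201 Created", [("Content-Length", "0")])
    return [b""]

def demo_request(mw, method, payload):
    """Send a constructed request through the filter and return the status line."""
    raw = json.dumps(payload).encode()
    environ = {"REQUEST_METHOD": method, "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw)}
    seen = []
    mw(environ, lambda status, headers: seen.append(status))
    return seen[0]
```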