Open Stack

On Sun, Mar 22, 2015 at 05:05:17PM -0700, Ian Wells wrote:
> On 22 March 2015 at 07:48, Jay Pipes <jaypipes at gmail.com> wrote:
> 
> > On 03/20/2015 05:16 PM, Kevin Benton wrote:
> >
> >> To clarify a bit, we obviously divide lots of things by tenant (quotas,
> >> network listing, etc). The difference is that we have nothing right now
> >> that has to be unique within a tenant. Are there objects that are
> >> uniquely scoped to a tenant in Nova/Glance/etc?
> >>
> >
> > Yes. Virtually everything is :)
> 
> 
> Everything is owned by a tenant.  Very few things are one per tenant, where
> is where this feels like it's leading.

Ah, sorry, yes, I misunderstood Kevin's implication there. That is
correct. Security group names are, AFAIK, the only thing in Nova that is
unique within a tenant.

All other resources are identified via UUID, and are not unique within a
tenant (project).

> Seems to me that an address pool corresponds to a network area that you can
> route across (because routing only works over a network with unique
> addresses and that's what an address pool does for you).  We have those
> areas and we use NAT to separate them (setting aside the occasional
> isolated network area with no external connections).  But NAT doesn't
> separate tenants, it separates externally connected routers: one tenant can
> have many of those routers, or one router can be connected to networks in
> both tenants.  We just happen to frequently use the one external router per
> tenant model, which is why address pools *appear* to be one per tenant.  I
> think, more accurately, an external router should be given an address pool,
> and tenants have nothing to do with it.

Gotcha. Yep, that makes total sense.

Best,
-jay