<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<base href="x-msg://58/">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
<div>You're right in that there exists an association between a request and a tenant -- but that's not the defining relationship. A tenant is at it's core simply a container that holds a collection of resources. That's why it makes sense to be in a URI. The
idea is to allow a way of organizing resources as a means of providing an abstraction between the OpenStack implementation and someone who is operating an OpenStack deployment (the operator).</div>
<div><br>
</div>
<div>An operator may map one or more tenants to a project, an account, an identity, a customer, whatever.</div>
<div><br>
</div>
<div>Now a request may have permission to access one or more tenants -- and I think that's where a lot of the confusion lies.</div>
<div><br>
</div>
<div>I did a writeup for this a bit back you can find it here: <a href="https://github.com/RackerWilliams/multi-tenant-accounting/blob/master/tenants.pdf">https://github.com/RackerWilliams/multi-tenant-accounting/blob/master/tenants.pdf</a></div>
<div><br>
</div>
<div>-jOrGe W.</div>
<div><br>
</div>
<br>
<div>
<div>On Nov 1, 2012, at 2:47 PM, Gabriel Hurley wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; ">
<div lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1" style="page: WordSection1; ">
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">IMHO the current tenant (or theoretically tenants) associated with a request is contextual to the request, not an inherent part of the RESTful endpoint. That’s a complicated
way of saying that I don’t think tenant IDs belong in any URL except Keystone’s /tenants/ urlspace. There are lots of valid ways to pass the tenant ID in a contextual manner, a query parameter being one, a header being another. Putting it into the URL path
only complicates things and (in some cases currently) is redundant.<o:p></o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 27pt; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; text-indent: -0.25in; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><span>-<span style="font: normal normal normal 7pt/normal 'Times New Roman'; "> <span class="Apple-converted-space"> </span></span></span></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Gabriel<o:p></o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div>
<div style="border-top-style: none; border-right-style: none; border-bottom-style: none; border-width: initial; border-color: initial; border-left-style: solid; border-left-color: blue; border-left-width: 1.5pt; padding-top: 0in; padding-right: 0in; padding-bottom: 0in; padding-left: 4pt; ">
<div>
<div style="border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; border-top-style: solid; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding-top: 3pt; padding-right: 0in; padding-bottom: 0in; padding-left: 0in; ">
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span>heckj [mailto:heckj@mac.com]<span class="Apple-converted-space"> </span><br>
<b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, November 01, 2012 12:29 PM<br>
<b>To:</b><span class="Apple-converted-space"> </span>OpenStack Development Mailing List<br>
<b>Subject:</b><span class="Apple-converted-space"> </span>Re: [openstack-dev] Specifying Tenant-ID in Openstack REST API URLs and Quatum 2.0 APIs<o:p></o:p></span></div>
</div>
</div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
Hey Peter,<o:p></o:p></div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
I'm not sure that's an entirely safe assumption. Although that's totally what we're doing today, and in most implementations the authorization is scoped to a single tenant, there's a request outstanding to allow a token to be applicable to more than one tenant,
which would leave this kind of request in a very indeterminate status if you're relying on Keystone.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
I'm not terribly in favor of having a token scoped so widely - but it's technically possible to have a token that's scoped more broadly with the V2 API. V3 was attempting to lock that down to mandate a bit of interoperability, but so far there's a far bit of
push back on wanting that open.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
Needless to say, your feedback on that topic would be nice as it related to the Quantum 2.0 API.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
For this specific purpose, I would encourage the API to require a specific tenant_id - either in the URL, or as part of the posted query parameter elements if it's tied to the resource in question (i.e CRUD operations that are specific to a tenant)<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
-joe<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
<div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
On Nov 1, 2012, at 12:15 PM, "Mellquist, Peter" <<a href="mailto:peter.mellquist@hp.com" style="color: blue; text-decoration: underline; ">peter.mellquist@hp.com</a>> wrote:<o:p></o:p></div>
</div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt; ">
<div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">The majority of the existing Openstack APIs allow specifying the tenant_id as part of the REST resource URL where resources are structured around tenants. For example within nova APIs, these
API calls are prefixed with /v2/{tenant_id} / ... <a href="http://www.api.openstack.org/" style="color: blue; text-decoration: underline; "><span style="color: purple; ">www.api.openstack.org</span></a><o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; "> <o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Quantum API 2.0 specifies a new way for APIs to reference tenant based resources. As part of the transition from the Quantum API 1.0 to 2.0 , the tenant_id as part of the resource URL has been
dropped and instead the requested resource is assumed to be the Keystone derived tenant_id. This shortens the Quantum API 2.0 calls to exclude {tenant_id} as part of the URL. For example, for LBaaS with Quantum 2.0 we would just have<o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">/v1.0/…<o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">For cross tenant access, when roles allow so, Quantum 2.0 allows specifying tenant_id as a query parameter, ‘? tenant_id=XXX.’<o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; "> <o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Does the Quantum 2.0 API work in terms of handling multi-tenant resource access? YES<o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Is the Quantum 2.0 API consistent with existing Openstack APIs in regard to tenant resource access? NO<o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; "> <o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Openstack API Community Questions:<o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Does consistency across Openstack APIs in regard to tenant based resource access matter?<o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Does this impact developers, direct REST usage or those using language bindings / libraries?<o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; "> <o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Thank You,<o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Peter Mellquist<o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Hewlett Packard Company<o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; "> <o:p></o:p></span></div>
</div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<span style="font-size: 13.5pt; font-family: Helvetica, sans-serif; ">_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" style="color: blue; text-decoration: underline; "><span style="color: purple; ">OpenStack-dev@lists.openstack.org</span></a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" style="color: blue; text-decoration: underline; "><span style="color: purple; ">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</span></a><o:p></o:p></span></div>
</div>
</blockquote>
</div>
<div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
</div>
</div>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" style="color: blue; text-decoration: underline; ">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" style="color: blue; text-decoration: underline; ">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div>
</span></blockquote>
</div>
<br>
</body>
</html>