Yeah, the part I wasn't sure about was visibility at the Horizon / API level. Since host aggregates are largely invisible to the end user, it seemed to me to provide better UX to simply use aggregates without AZ affiliation.

I guess the other question is: if you are using volume types to route to different storage backends, can you set a default volume type for each tenant? I know you can set one globally in the cinder.conf but that wouldn't work if you wanted different tenants to be isolated on their own storage appliances.

________________________________
From: Sean Mooney <smooney@redhat.com>
Sent: 09 January 2023 11:11
To: Danny Webb <Danny.Webb@thehutgroup.com>; Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com>; OpenStack Discuss <openstack-discuss@lists.openstack.org>
Subject: Re: [Nova][Horizon]

CAUTION: This email originates from outside THG

On Mon, 2023-01-09 at 09:50 +0000, Danny Webb wrote:
If you want to do this you'd have to use host aggregates rather than AZs I think. Set up a host aggregate that is then mapped to specific flavors which are RBAC'd to specific projects.

AZs are just host aggregates with AZ metadata added.

To do tenant affinity at the scheduler level on older clouds you can use the AggregateMultiTenancyIsolation filter to map tenants to host aggregates. From Rocky on, the preferred approach is to use tenant isolation via placement aggregates:
https://docs.openstack.org/nova/latest/admin/aggregates.html#tenant-isolation-with-placement
You do not need to modify flavors for that use case. Host aggregates are not visible to end users at the API so you cannot adjust policy to limit them to specific tenants.

If you really want to support this in Horizon you would have to apply the ```openstack aggregate set --property filter_tenant_id=9691591f913949818a514f95286a6b90 myagg``` to the aggregate that has the AZ definition and modify Horizon to check if the tenant id in the aggregate matched the tenant that is logged in. Basically Horizon would have to implement the filtering of AZs in its UI.

Nova does not provide that because we do not require the ```Tenant Isolation with Placement``` feature to be configured on the host aggregate that defines the AZ. Normally it is not done that way and you will have a separate host aggregate that overlaps with multiple for a given tenant that defines which hosts they can run on.

In any case the answer is that you need to tag the AZ with some metadata to track the tenant info (or reuse the field we support for scheduling) and modify Horizon to filter by it.

The alternative approach is to propose a new feature to Nova to allow it to filter in some way but I am not sure what that would look like and it would not be backportable as it would be an API change, so it would be a change in the B/2023.2 release at the earliest.
________________________________
From: Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com>
Sent: 09 January 2023 00:12
To: OpenStack Discuss <openstack-discuss@lists.openstack.org>
Subject: [Nova][Horizon]
________________________________

Hello guys.

Is there any way to assign AZ to a specified project? After searching, I cannot find any answer.
Example.
Sale project will only see Sale AZ to select.
Tech project will only see Tech AZ to select.

Thank you.

Regards
Nguyen Huu Khoi
Danny Webb
Principal OpenStack Engineer
Danny.Webb@thehutgroup.com
www.thg.com
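The Horizon-side check Sean Mooney describes in the thread (compare the tenant id tagged on the AZ's aggregate with the logged-in tenant) could look like the sketch below. This is an added example, not code from Horizon, Nova or anyone in the thread. Assumptions: the aggregate dicts are constructed sample data shaped like an admin aggregate listing, the names `tenants_for` and `visible_azs` are hypothetical, keys with a suffix such as `filter_tenant_id2` and comma-separated values are treated as additional tenants, and an AZ with no tenant tag is shown to everyone unless `show_untagged` is False.

```python
TENANT_KEY_PREFIX = "filter_tenant_id"  # metadata key used in the thread

SALE = "9691591f913949818a514f95286a6b90"  # tenant id quoted in the thread
TECH = "tech-project-id-constructed"       # constructed placeholder
OPS = "ops-project-id-constructed"         # constructed placeholder

# Constructed sample data: one dict per host aggregate.
SAMPLE_AGGREGATES = [
    {"name": "sale-agg", "availability_zone": "sale-az",
     "metadata": {"availability_zone": "sale-az", "filter_tenant_id": SALE}},
    {"name": "tech-agg", "availability_zone": "tech-az",
     "metadata": {"filter_tenant_id": TECH, "filter_tenant_id2": OPS}},
    {"name": "shared-agg", "availability_zone": "nova", "metadata": {}},
    # A plain host aggregate: tagged for a tenant but defines no AZ.
    {"name": "ssd-hosts", "availability_zone": None,
     "metadata": {"filter_tenant_id": SALE}},
]


def tenants_for(aggregate):
    """Return the set of project ids an aggregate is tagged for."""
    ids = set()
    for key, value in (aggregate.get("metadata") or {}).items():
        if key.startswith(TENANT_KEY_PREFIX):
            ids.update(v.strip() for v in str(value).split(",") if v.strip())
    return ids


def visible_azs(aggregates, project_id, show_untagged=True):
    """AZ names the UI should offer to project_id.

    Tags are merged per AZ because several aggregates can carry the same
    AZ name. Once any of them is tagged, the AZ is restricted to the
    tagged projects.
    """
    tags_by_az = {}
    for agg in aggregates:
        az = agg.get("availability_zone")
        if not az:
            continue  # aggregate without AZ metadata: nothing to show
        tags_by_az.setdefault(az, set()).update(tenants_for(agg))
    return sorted(
        az for az, tags in tags_by_az.items()
        if project_id in tags or (not tags and show_untagged)
    )


if __name__ == "__main__":
    for pid in (SALE, TECH, "some-other-project"):
        print(pid, "->", visible_azs(SAMPLE_AGGREGATES, pid))
```

This only changes what the dashboard lists. A project can still name any AZ in an API request, so the scheduler-side tenant isolation linked in the thread is what actually restricts where instances land.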