Hello guys. Is there any way to assign AZ to a specified project? After searching, I cannot find any answer. Example. Sale project will only see Sale AZ to select. Tech project will only see Tech AZ to select Thank you. Regards Nguyen Huu Khoi
If you want to do this you'd have to use host aggregates rather than AZs I think. Setup a host aggregate that is then mapped to specific flavors which are RBAC'd to specific projects. ________________________________ From: Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> Sent: 09 January 2023 00:12 To: OpenStack Discuss <openstack-discuss@lists.openstack.org> Subject: [Nova][Horizon] CAUTION: This email originates from outside THG ________________________________ Hello guys. Is there any way to assign AZ to a specified project? After searching, I cannot find any answer. Example. Sale project will only see Sale AZ to select. Tech project will only see Tech AZ to select Thank you. Regards Nguyen Huu Khoi Danny Webb Principal OpenStack Engineer Danny.Webb@thehutgroup.com [THG Ingenuity Logo] www.thg.com<https://www.thg.com> [https://i.imgur.com/wbpVRW6.png]<https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk> [https://i.imgur.com/c3040tr.png] <https://twitter.com/thgingenuity?lang=en>
Thank you very much for the information. On Mon, Jan 9, 2023, 4:50 PM Danny Webb <Danny.Webb@thehutgroup.com> wrote:
If you want to do this you'd have to use host aggregates rather than AZs I think. Setup a host aggregate that is then mapped to specific flavors which are RBAC'd to specific projects. ------------------------------ *From:* Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> *Sent:* 09 January 2023 00:12 *To:* OpenStack Discuss <openstack-discuss@lists.openstack.org> *Subject:* [Nova][Horizon]
* CAUTION: This email originates from outside THG * ------------------------------ Hello guys. Is there any way to assign AZ to a specified project? After searching, I cannot find any answer.
Example.
Sale project will only see Sale AZ to select. Tech project will only see Tech AZ to select
Thank you. Regards Nguyen Huu Khoi
*Danny Webb* Principal OpenStack Engineer Danny.Webb@thehutgroup.com [image: THG Ingenuity Logo] www.thg.com <https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk> <https://twitter.com/thgingenuity?lang=en>
On Mon, 2023-01-09 at 09:50 +0000, Danny Webb wrote:
If you want to do this you'd have to use host aggregates rather than AZs I think. Setup a host aggregate that is then mapped to specific flavors which are RBAC'd to specific projects. AZ are just host aggreates with AZ metadata added To do tenant affintiy at the schduler level on older clouds you can use the AggregateMultiTenancyIsolation filter to map tenant to hostaggreates. from rocky on the perfer approch is to use teant isolation via placement aggreates https://docs.openstack.org/nova/latest/admin/aggregates.html#tenant-isolatio...
you do not need to modify falvors for that use case. host aggreates are not viabel to endusers at the api so you cannot adjust policy to limit them to specific tenants. if you really want to support this in horizon you would haveto apply the ```Openstack aggregate set --property filter_tenant_id=9691591f913949818a514f95286a6b90 myagg``` to the aggreate that has the AZ defintion and modify horizon to check if the tenant id in the aggreate matched the tenant that is logged in. basically horizon would have to implement the filtering of AZs in its ui. nova does not provide that because we do not require the ```Tenant Isolation with Placement``` feature to be configured on the host aggreate that defines the AZ. normally it is not done that way and you will have a seperate host aggreate that overlaps with multile for a given tenant that defiens which hosts they can run on. anyway case the answer is that you need to tag the AZ with some metadata to track the tenant info (or reuse the filed we support for schduling) and modify horizion to filter by it. the alternitive approch is to propsoe a new feature to nova to allow it to to fileter in some whay but i am not sure what that would look like and it woudl not be backporatbale as it would be an api change so it would be a change in the B/2023.2 release at the earlest.
________________________________ From: Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> Sent: 09 January 2023 00:12 To: OpenStack Discuss <openstack-discuss@lists.openstack.org> Subject: [Nova][Horizon]
CAUTION: This email originates from outside THG
________________________________ Hello guys. Is there any way to assign AZ to a specified project? After searching, I cannot find any answer.
Example.
Sale project will only see Sale AZ to select. Tech project will only see Tech AZ to select
Thank you. Regards Nguyen Huu Khoi
Danny Webb Principal OpenStack Engineer Danny.Webb@thehutgroup.com [THG Ingenuity Logo] www.thg.com<https://www.thg.com> [https://i.imgur.com/wbpVRW6.png]<https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk> [https://i.imgur.com/c3040tr.png] <https://twitter.com/thgingenuity?lang=en>
I will test and let you know. Thank you so much? On Mon, Jan 9, 2023, 6:12 PM Sean Mooney <smooney@redhat.com> wrote:
If you want to do this you'd have to use host aggregates rather than AZs I think. Setup a host aggregate that is then mapped to specific flavors which are RBAC'd to specific projects. AZ are just host aggreates with AZ metadata added To do tenant affintiy at the schduler level on older clouds you can use
On Mon, 2023-01-09 at 09:50 +0000, Danny Webb wrote: the AggregateMultiTenancyIsolation filter to map tenant to hostaggreates. from rocky on the perfer approch is to use teant isolation via placement aggreates
https://docs.openstack.org/nova/latest/admin/aggregates.html#tenant-isolatio...
you do not need to modify falvors for that use case.
host aggreates are not viabel to endusers at the api so you cannot adjust policy to limit them to specific tenants.
if you really want to support this in horizon you would haveto apply the
```Openstack aggregate set --property filter_tenant_id=9691591f913949818a514f95286a6b90 myagg```
to the aggreate that has the AZ defintion and modify horizon to check if the tenant id in the aggreate matched the tenant that is logged in. basically horizon would have to implement the filtering of AZs in its ui. nova does not provide that because we do not require the ```Tenant Isolation with Placement``` feature to be configured on the host aggreate that defines the AZ. normally it is not done that way and you will have a seperate host aggreate that overlaps with multile for a given tenant that defiens which hosts they can run on.
anyway case the answer is that you need to tag the AZ with some metadata to track the tenant info (or reuse the filed we support for schduling) and modify horizion to filter by it. the alternitive approch is to propsoe a new feature to nova to allow it to to fileter in some whay but i am not sure what that would look like and it woudl not be backporatbale as it would be an api change so it would be a change in the B/2023.2 release at the earlest.
________________________________ From: Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> Sent: 09 January 2023 00:12 To: OpenStack Discuss <openstack-discuss@lists.openstack.org> Subject: [Nova][Horizon]
CAUTION: This email originates from outside THG
________________________________ Hello guys. Is there any way to assign AZ to a specified project? After searching, I cannot find any answer.
Example.
Sale project will only see Sale AZ to select. Tech project will only see Tech AZ to select
Thank you. Regards Nguyen Huu Khoi
Danny Webb Principal OpenStack Engineer Danny.Webb@thehutgroup.com [THG Ingenuity Logo] www.thg.com<https://www.thg.com> [https://i.imgur.com/wbpVRW6.png]<; https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk> [ https://i.imgur.com/c3040tr.png] <https://twitter.com/thgingenuity?lang=en
Yeah, the part I wasn't sure about was visibility at the horizon / API level. Since host aggregates are largely invisible from the enduser it seemed to me to provide better UX to simply use aggregates without AZ affiliation. I guess the other question is if you are using volume types to route to different storage backends, can you set a default volume type for each tenant? I know you can set one globally in the cinder.conf but that wouldn't work if you wanted to different tenants to be isolated on their own storage appliances. ________________________________ From: Sean Mooney <smooney@redhat.com> Sent: 09 January 2023 11:11 To: Danny Webb <Danny.Webb@thehutgroup.com>; Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com>; OpenStack Discuss <openstack-discuss@lists.openstack.org> Subject: Re: [Nova][Horizon] CAUTION: This email originates from outside THG On Mon, 2023-01-09 at 09:50 +0000, Danny Webb wrote:
If you want to do this you'd have to use host aggregates rather than AZs I think. Setup a host aggregate that is then mapped to specific flavors which are RBAC'd to specific projects. AZ are just host aggreates with AZ metadata added To do tenant affintiy at the schduler level on older clouds you can use the AggregateMultiTenancyIsolation filter to map tenant to hostaggreates. from rocky on the perfer approch is to use teant isolation via placement aggreates https://docs.openstack.org/nova/latest/admin/aggregates.html#tenant-isolation-with-placement<https://docs.openstack.org/nova/latest/admin/aggregates.html#tenant-isolation-with-placement>
you do not need to modify falvors for that use case. host aggreates are not viabel to endusers at the api so you cannot adjust policy to limit them to specific tenants. if you really want to support this in horizon you would haveto apply the ```Openstack aggregate set --property filter_tenant_id=9691591f913949818a514f95286a6b90 myagg``` to the aggreate that has the AZ defintion and modify horizon to check if the tenant id in the aggreate matched the tenant that is logged in. basically horizon would have to implement the filtering of AZs in its ui. nova does not provide that because we do not require the ```Tenant Isolation with Placement``` feature to be configured on the host aggreate that defines the AZ. normally it is not done that way and you will have a seperate host aggreate that overlaps with multile for a given tenant that defiens which hosts they can run on. anyway case the answer is that you need to tag the AZ with some metadata to track the tenant info (or reuse the filed we support for schduling) and modify horizion to filter by it. the alternitive approch is to propsoe a new feature to nova to allow it to to fileter in some whay but i am not sure what that would look like and it woudl not be backporatbale as it would be an api change so it would be a change in the B/2023.2 release at the earlest.
________________________________ From: Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> Sent: 09 January 2023 00:12 To: OpenStack Discuss <openstack-discuss@lists.openstack.org> Subject: [Nova][Horizon]
CAUTION: This email originates from outside THG
________________________________ Hello guys. Is there any way to assign AZ to a specified project? After searching, I cannot find any answer.
Example.
Sale project will only see Sale AZ to select. Tech project will only see Tech AZ to select
Thank you. Regards Nguyen Huu Khoi
Danny Webb Principal OpenStack Engineer Danny.Webb@thehutgroup.com [THG Ingenuity Logo] www.thg.com<http://www.thg.com><https://www.thg.com<https://www.thg.com>> [https://i.imgur.com/wbpVRW6.png<https://i.imgur.com/wbpVRW6.png>]<https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk<https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk>> [https://i.imgur.com/c3040tr.png<https://i.imgur.com/c3040tr.png>] <https://twitter.com/thgingenuity?lang=en<https://twitter.com/thgingenuity?lang=en>>
Danny Webb Principal OpenStack Engineer Danny.Webb@thehutgroup.com [THG Ingenuity Logo] www.thg.com<https://www.thg.com> [https://i.imgur.com/wbpVRW6.png]<https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk> [https://i.imgur.com/c3040tr.png] <https://twitter.com/thgingenuity?lang=en>
On Mon, 2023-01-09 at 12:01 +0000, Danny Webb wrote:
Yeah, the part I wasn't sure about was visibility at the horizon / API level. Since host aggregates are largely invisible from the enduser it seemed to me to provide better UX to simply use aggregates without AZ affiliation.
I guess the other question is if you are using volume types to route to different storage backends, can you set a default volume type for each tenant? I know you can set one globally in the cinder.conf but that wouldn't work if you wanted to different tenants to be isolated on their own storage appliances.
i think in general most service dont have the concep of per teanat defaults so nova does not have a concept of filtering AZ by tenat in the az list api and im not sure that cinder has the concept for voluem types. nova does have the idea of private flavors that can be limited to project but when you do a flaovr list you will still see the public flavors too. in general if we wanted to supprot this cleanly we woudl neeed to modify multiple project to supprot this so they havce the same behavior. for nova that would mean adding a way to assocate az and tenant for cidner that could be volume types. in generall openstack considers AZs, Flavors, volume types, Qos poicies to be "system scoped" ie resouces that are not assocated with tenants that is why they are not filtered by tenant at the api level since form a data model point of view that is not a usecase that is supported.
________________________________ From: Sean Mooney <smooney@redhat.com> Sent: 09 January 2023 11:11 To: Danny Webb <Danny.Webb@thehutgroup.com>; Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com>; OpenStack Discuss <openstack-discuss@lists.openstack.org> Subject: Re: [Nova][Horizon]
CAUTION: This email originates from outside THG
On Mon, 2023-01-09 at 09:50 +0000, Danny Webb wrote:
If you want to do this you'd have to use host aggregates rather than AZs I think. Setup a host aggregate that is then mapped to specific flavors which are RBAC'd to specific projects. AZ are just host aggreates with AZ metadata added To do tenant affintiy at the schduler level on older clouds you can use the AggregateMultiTenancyIsolation filter to map tenant to hostaggreates. from rocky on the perfer approch is to use teant isolation via placement aggreates https://docs.openstack.org/nova/latest/admin/aggregates.html#tenant-isolation-with-placement<https://docs.openstack.org/nova/latest/admin/aggregates.html#tenant-isolation-with-placement>
you do not need to modify falvors for that use case.
host aggreates are not viabel to endusers at the api so you cannot adjust policy to limit them to specific tenants.
if you really want to support this in horizon you would haveto apply the
```Openstack aggregate set --property filter_tenant_id=9691591f913949818a514f95286a6b90 myagg```
to the aggreate that has the AZ defintion and modify horizon to check if the tenant id in the aggreate matched the tenant that is logged in. basically horizon would have to implement the filtering of AZs in its ui. nova does not provide that because we do not require the ```Tenant Isolation with Placement``` feature to be configured on the host aggreate that defines the AZ. normally it is not done that way and you will have a seperate host aggreate that overlaps with multile for a given tenant that defiens which hosts they can run on.
anyway case the answer is that you need to tag the AZ with some metadata to track the tenant info (or reuse the filed we support for schduling) and modify horizion to filter by it. the alternitive approch is to propsoe a new feature to nova to allow it to to fileter in some whay but i am not sure what that would look like and it woudl not be backporatbale as it would be an api change so it would be a change in the B/2023.2 release at the earlest.
________________________________ From: Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> Sent: 09 January 2023 00:12 To: OpenStack Discuss <openstack-discuss@lists.openstack.org> Subject: [Nova][Horizon]
CAUTION: This email originates from outside THG
________________________________ Hello guys. Is there any way to assign AZ to a specified project? After searching, I cannot find any answer.
Example.
Sale project will only see Sale AZ to select. Tech project will only see Tech AZ to select
Thank you. Regards Nguyen Huu Khoi
Danny Webb Principal OpenStack Engineer Danny.Webb@thehutgroup.com [THG Ingenuity Logo] www.thg.com<http://www.thg.com><https://www.thg.com<https://www.thg.com>> [https://i.imgur.com/wbpVRW6.png<https://i.imgur.com/wbpVRW6.png>]<https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk<https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk>> [https://i.imgur.com/c3040tr.png<https://i.imgur.com/c3040tr.png>] <https://twitter.com/thgingenuity?lang=en<https://twitter.com/thgingenuity?lang=en>>
Danny Webb Principal OpenStack Engineer Danny.Webb@thehutgroup.com [THG Ingenuity Logo] www.thg.com<https://www.thg.com> [https://i.imgur.com/wbpVRW6.png]<https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk> [https://i.imgur.com/c3040tr.png] <https://twitter.com/thgingenuity?lang=en>
Hello. Thanks for your reply, I can set default volume type for tenants by using cli and it works fine with horizon. I will test with your guys suggests and let you know. On Mon, Jan 9, 2023, 7:01 PM Danny Webb <Danny.Webb@thehutgroup.com> wrote:
Yeah, the part I wasn't sure about was visibility at the horizon / API level. Since host aggregates are largely invisible from the enduser it seemed to me to provide better UX to simply use aggregates without AZ affiliation.
I guess the other question is if you are using volume types to route to different storage backends, can you set a default volume type for each tenant? I know you can set one globally in the cinder.conf but that wouldn't work if you wanted to different tenants to be isolated on their own storage appliances. ------------------------------ *From:* Sean Mooney <smooney@redhat.com> *Sent:* 09 January 2023 11:11 *To:* Danny Webb <Danny.Webb@thehutgroup.com>; Nguyễn Hữu Khôi < nguyenhuukhoinw@gmail.com>; OpenStack Discuss < openstack-discuss@lists.openstack.org> *Subject:* Re: [Nova][Horizon]
CAUTION: This email originates from outside THG
If you want to do this you'd have to use host aggregates rather than AZs I think. Setup a host aggregate that is then mapped to specific flavors which are RBAC'd to specific projects. AZ are just host aggreates with AZ metadata added To do tenant affintiy at the schduler level on older clouds you can use
On Mon, 2023-01-09 at 09:50 +0000, Danny Webb wrote: the AggregateMultiTenancyIsolation filter to map tenant to hostaggreates. from rocky on the perfer approch is to use teant isolation via placement aggreates
https://docs.openstack.org/nova/latest/admin/aggregates.html#tenant-isolatio...
you do not need to modify falvors for that use case.
host aggreates are not viabel to endusers at the api so you cannot adjust policy to limit them to specific tenants.
if you really want to support this in horizon you would haveto apply the
```Openstack aggregate set --property filter_tenant_id=9691591f913949818a514f95286a6b90 myagg```
to the aggreate that has the AZ defintion and modify horizon to check if the tenant id in the aggreate matched the tenant that is logged in. basically horizon would have to implement the filtering of AZs in its ui. nova does not provide that because we do not require the ```Tenant Isolation with Placement``` feature to be configured on the host aggreate that defines the AZ. normally it is not done that way and you will have a seperate host aggreate that overlaps with multile for a given tenant that defiens which hosts they can run on.
anyway case the answer is that you need to tag the AZ with some metadata to track the tenant info (or reuse the filed we support for schduling) and modify horizion to filter by it. the alternitive approch is to propsoe a new feature to nova to allow it to to fileter in some whay but i am not sure what that would look like and it woudl not be backporatbale as it would be an api change so it would be a change in the B/2023.2 release at the earlest.
________________________________ From: Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> Sent: 09 January 2023 00:12 To: OpenStack Discuss <openstack-discuss@lists.openstack.org> Subject: [Nova][Horizon]
CAUTION: This email originates from outside THG
________________________________ Hello guys. Is there any way to assign AZ to a specified project? After searching, I cannot find any answer.
Example.
Sale project will only see Sale AZ to select. Tech project will only see Tech AZ to select
Thank you. Regards Nguyen Huu Khoi
Danny Webb Principal OpenStack Engineer Danny.Webb@thehutgroup.com [THG Ingenuity Logo] www.thg.com<https://www.thg.com> [https://i.imgur.com/wbpVRW6.png]<; https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk> [ https://i.imgur.com/c3040tr.png] <https://twitter.com/thgingenuity?lang=en
*Danny Webb* Principal OpenStack Engineer Danny.Webb@thehutgroup.com [image: THG Ingenuity Logo] www.thg.com <https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk> <https://twitter.com/thgingenuity?lang=en>
participants (3)
-
Danny Webb
-
Nguyễn Hữu Khôi
-
Sean Mooney