[openstack-dev] Specifying Tenant-ID in Openstack REST API URLs and Quantum 2.0 APIs

Vishvananda Ishaya vishvananda at gmail.com
Sat Nov 10 00:32:07 UTC 2012


On Nov 9, 2012, at 4:00 PM, David Hadas <david.hadas at gmail.com> wrote:
> 
> Bottom line is that we can have authentication and authorization based on headers rather than the URI, but it is important to preserve the ability to create separate per-tenant name-spaces that do not rely on the resource URI to be supplied by the service. The natural way to do that is to keep tenant_id as part of the URI. 
> Otherwise the server would need to concatenate the authenticated tenant_id, provided by the identity service with whatever the URI is, in order to reach a unique id of a resource... :/
> 
> DH

This makes sense if uris are namable by users, but in order for this to be functional, we would have to allow users to choose a unique namespace for their objects (tenant-name?). I don't think that this should be the canonical name of the resource because it precludes the transfer of ownership of objects. The canonical url of the object should be unique, and in some cases this should involve namespacing, but for the objects that have a uuid, a uuid is sufficient. Note that this doesn't preclude us from having aliases that are more friendly.

GET https://nova.example.com/servers/4fcd7e91-f532-4a12-98fa-d55e941aa87c could refer to the same object as:

GET https://nova.example.com/servers/<tenant-id>/4fcd7e91-f532-4a12-98fa-d55e941aa87c
GET https://nova.example.com/servers/<tenant-id>/myserver
GET https://nova.example.com/servers/vishvananda/4fcd7e91-f532-4a12-98fa-d55e941aa87c
GET https://nova.example.com/servers/vishvananda/myserver

where my tenant-name is vishvananda and the (tenant-unique) name of my server is myserver.

Vish
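
An added example, not part of the original message and not OpenStack code: a minimal resolver in which the five URL forms above map to one canonical uuid, while the access decision uses only the tenant id from the validated token. The tenant id "t-123", the in-memory tables and the function names are constructed for illustration.

```python
import uuid

# Constructed sample data: one server owned by tenant id "t-123",
# whose tenant-name is "vishvananda".
SERVER_ID = "4fcd7e91-f532-4a12-98fa-d55e941aa87c"
TENANT_NAMES = {"vishvananda": "t-123"}            # tenant-name -> tenant-id
SERVERS = {SERVER_ID: {"owner": "t-123", "name": "myserver"}}


def _is_uuid(value):
    """True only for the canonical hyphenated uuid form."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def resolve(path):
    """Map /servers/<uuid> or /servers/<tenant>/<uuid|name> to a uuid, else None."""
    parts = [p for p in path.split("/") if p]
    if not 2 <= len(parts) <= 3 or parts[0] != "servers":
        return None
    if len(parts) == 2:                            # canonical form: uuid only
        ref = parts[1]
        return ref if _is_uuid(ref) and ref in SERVERS else None
    # Alias form: the tenant segment is only a namespace for the lookup.
    tenant_id = TENANT_NAMES.get(parts[1], parts[1])
    ref = parts[2]
    for server_id, record in SERVERS.items():
        if record["owner"] == tenant_id and ref in (server_id, record["name"]):
            return server_id
    return None


def get_server(path, auth_tenant_id):
    """Return (status, uuid). auth_tenant_id comes from the token, never the path."""
    server_id = resolve(path)
    if server_id is None or SERVERS[server_id]["owner"] != auth_tenant_id:
        return 404, None                           # same answer for missing and not-yours
    return 200, server_id
```

After an ownership transfer the uuid-only URL keeps working for the new owner, while the old tenant-scoped aliases stop resolving.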

