Open Stack

On 11/12/2012 11:33 AM, Mellquist, Peter wrote:
>
> ·How are you proposing to allow cross tenant access? For example, the 
> case where one tenant has an admin role to access another tenant's 
> resources.  With existing OS APIs which organize resources by tenant, 
> {tenantId}/resources/... , the admin's tenant & role are part of the 
> Keystone headers so it is straightforward for the service to control 
> this. Quantum 2.0 has proposed an query param '? tenant_id=X' to 
> handle this.
>
Heat's orchestration model is for a user to orchestrate their own 
resources isolated within their own tenant. This is a design choice 
rather than a technical limitation. For this reason I don't think there 
is a need at this point for cross-tenant API features.
>
> ·Do you need to handle a use case where you would move stacks from one 
> tenant to another? How would this be done with no tenant_id in the 
> resource?
>
Indeed. I'm actually advocating that we always have the tenant_id in the 
URL.

cheers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20121112/625bb2df/attachment.html>