[openstack-dev] [swift] [keystone] Keystone v3 API domains in Swift
Alexandra Shulman-Peleg
SHULMANA at il.ibm.com
Tue Jan 8 20:11:39 UTC 2013
I think that there is a problem with simply using https://SWIFT/AUTH_
{PROJECT_ID} instead of the current https://SWIFT/AUTH_{TENANT_ID} since
it will loose the proper level in the hierarchy. We need something that
will represent the hosted enterprises and this is the goal of domains.
Project are more fine-grained and can represent departments or projects.
For example, following the description of Henry if two different
enterprises with use the project name "Test" both with map to
https://SWIFT/AUTH_Test.
I think that we need to have both the domain id and the project id in the
URL/account name. For example as https://SWIFT/AUTH_
{DOMAIN_ID}_{PROJECT_ID} or as https://SWIFT/{DOMAIN_ID}_{PROJECT_ID}. In
the second option we may try using the existing reseller prefix mechanism
to simplify the implementation. Having the doman_id in the account
name/URL is important to isolate the accounts that belong to different
domains and remove the requirements for the global uniqueness of project
names.
Best Regards,
Alex.
From: Chuck Thier <cthier at gmail.com>
To: OpenStack Development Mailing List
<openstack-dev at lists.openstack.org>,
Date: 08/01/2013 09:38 PM
Subject: Re: [openstack-dev] [swift] [keystone] Keystone v3 API
domains in Swift
Hi Henry,
>From a swift perspective, I think we are fine there, as we do not use
the user name or project name anywhere. At the moment, I'm thinking
that we can do auth in a similar way as we did with v2.0 api. An
"account" in swift is still tied to the project_id (which used to be
tennant_id), which is in the storage url like:
https://SWIFT/AUTH_{PROJECT_ID}. Keystone middleware in swift
validates that the given token has permission for the given Project
ID.
>From this point of view domains are an abstract concept in keystone
only, and wouldn't mean anything directly in swift.
Please let me know if any of my assumptions are incorrect.
Thanks,
--
Chuck
On Tue, Jan 8, 2013 at 1:23 PM, Henry Nash <henryn at linux.vnet.ibm.com>
wrote:
> Chuck,
>
> So user_id and project_id are always globally unique - so we are safe
there. The problem is when you specify user name or project name in the
cases when we have to handle enterprises being represented by a domain and
they insist that their name attributes (e.g. user names, project names
etc.) be private to that domain (e.g. "what do you mean I can't call my
project "Test" because some other customer in another domain got there
first!?!"). See the following blueprint which introduces this ability as
optional for domains: https://review.openstack.org/#/c/18805/
>
> For such domains, we cannot assume that user_name or project_name (or
tenant_name as it used to be called) are globally unique. "Domain_name
(or id) plus user_name" as well as "Domain_name (or id) plus
project_name" will be unique however.
>
> Henry
> On 8 Jan 2013, at 19:05, Chuck Thier wrote:
>
>> Yeah, I was hoping for more clarity, as it would help to figure out
>> how to best map the concepts in swift. A couple of quick questions
>> come to mind. When a request is validated, is the domain required, or
>> is a user_id and project_id sufficient? Is the concept of a domain
>> useful in the context of swift?
>>
>> --
>> Chuck
>>
>> On Tue, Jan 8, 2013 at 11:37 AM, heckj <heckj at mac.com> wrote:
>>> The best is probably
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md
, but it's a bit light on use-cases around the concepts I'm afraid.
>>>
>>> -joe
>>>
>>> On Jan 8, 2013, at 9:19 AM, Chuck Thier <cthier at gmail.com> wrote:
>>>> Is there documentation anywhere that defines all of these, and the
use
>>>> cases? That would help us figure out how to map these concepts to
>>>> swift.
>>>>
>>>> --
>>>> Chuck
>>>>
>>>> On Tue, Jan 8, 2013 at 11:13 AM, Dolph Mathews
<dolph.mathews at gmail.com> wrote:
>>>>> I think it would be practical to expose the authenticated user's
DOMAIN_ID
>>>>> and DOMAIN_NAME into the request environment for the underlying
service /
>>>>> middleware to consume, as we do today with TENANT_ID / TENANT_NAME
(soon to
>>>>> be deprecated in favor of PROJECT_ID / PROJECT_NAME).
>>>>>
>>>>>
>>>>> -Dolph
>>>>>
>>>>>
>>>>> On Tue, Jan 8, 2013 at 7:22 AM, Alexandra Shulman-Peleg
>>>>> <SHULMANA at il.ibm.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> As most of you know, Keystone v3 API will introduce the notions of
>>>>>> "domains" and "projects" which will replace the existing notion of
tenants.
>>>>>> It is important to allow using the same concepts in Swift. Since
different
>>>>>> domains may represent different companies, it is important to allow
>>>>>> reflecting the Keystone "domain name" in the Swift "account name",
providing
>>>>>> an option to isolate the requests of different domains. Are there
existing
>>>>>> plans of adjusting Swift to Keystone v3 API? If not, I would like
to start
>>>>>> discussing the potential solutions.
>>>>>>
>>>>>> Thank you all,
>>>>>> Alex.
>>>>>>
>>>>>>
>>>>>> ----------------------------------------------------------
>>>>>> Alexandra Shulman-Peleg, PhD
>>>>>> Storage Research, Cloud Platforms Dept.
>>>>>> IBM Haifa Research Lab
>>>>>> Tel: +972-3-7689530 | Fax: +972-3-7689545
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OpenStack-dev mailing list
>>>>>> OpenStack-dev at lists.openstack.org
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130108/a83f6217/attachment.html>
More information about the OpenStack-dev
mailing list