[openstack-dev] [swift] [keystone] Keystone v3 API domains in Swift
Henry Nash
henryn at linux.vnet.ibm.com
Wed Jan 9 10:01:28 UTC 2013
So there are a couple of issues intertwined in this thread:
1) Uniqueness of identifiers in Swift given the keystone Identity v3 api. This is the issue of whether Swift uses tenant names (now called project names) at all to uniquely identify any objects - if it did, then it would need to also consider storing a domain name or id. From the discussion, it sounds like tenant/project ID is used instead, which (from a uniqueness point of view) is fine. A separate issue exists needs to be discussed around swift ACLs and whether username potentially becoming unique only within a domain will have an impact.
2) Given that keystone identity v3 domains are likely to be usually used to represent an enterprise (or "account holder" in common cloud terminology) and contain the collection of projects owned by that enterprise, is it important for Swift to have that domain knowledge? Will there be operations either within swift (or more likely layered on top of swift) that need that information? E.g. How would someone layer a billing engine on top of swift that could collate all the swift containers that were part of one domain? Obviously that engine could call keystone with each project_id in turn and find the domain_id.....but that sounds pretty inefficient.
Henry
On 9 Jan 2013, at 00:08, Yee, Guang wrote:
> Yeah, I don’t see a need to add domain_id to Swift account either as project ID is globally unique. Since domain name/id are returned as part of token validation, you may be able to use them with Swift ACLs. I am sure Swift ACLs will need to be updated if and when we remove the globally uniqueness name requirement.
>
>
> Guang
>
>
> From: Dolph Mathews [mailto:dolph.mathews at gmail.com]
> Sent: Tuesday, January 08, 2013 2:38 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] [swift] [keystone] Keystone v3 API domains in Swift
>
> TENANT_ID in v2 is exactly equal to PROJECT_ID in v3. ID's are guaranteed to be globally unique (implemented as service-defined UUID's) and are url-friendly.
>
> Names in keystone are freeform, user-supplied unicode strings. They may not work in URL's without proper encoding and may collide in the future...
>
> On that note, TENANT_NAME in v2 will become PROJECT_NAME in v3, however we're also talking about namespacing project names to the owning domain, so that two domains may have otherwise conflicting project names. Once we open up the namespace, we can't go back, so we're going about it very carefully. This may apply to user names, as well, but that's a subtly different conversation.
>
> If we do make this change then you also need to identify the domain for a project name to be meaningful.
>
> ID's will still uniquely identify a project regardless of domain or deployment.
>
> -Dolph
>
>
> On Tue, Jan 8, 2013 at 2:11 PM, Alexandra Shulman-Peleg <SHULMANA at il.ibm.com> wrote:
> I think that there is a problem with simply using https://SWIFT/AUTH_{PROJECT_ID} instead of the current https://SWIFT/AUTH_{TENANT_ID} since it will loose the proper level in the hierarchy. We need something that will represent the hosted enterprises and this is the goal of domains. Project are more fine-grained and can represent departments or projects. For example, following the description of Henry if two different enterprises with use the project name "Test" both with map to https://SWIFT/AUTH_Test.
>
> I think that we need to have both the domain id and the project id in the URL/account name. For example ashttps://SWIFT/AUTH_{DOMAIN_ID}_{PROJECT_ID} or as https://SWIFT/{DOMAIN_ID}_{PROJECT_ID}. In the second option we may try using the existing reseller prefix mechanism to simplify the implementation. Having the doman_id in the account name/URL is important to isolate the accounts that belong to different domains and remove the requirements for the global uniqueness of project names.
>
> Best Regards,
> Alex.
>
>
>
> From: Chuck Thier <cthier at gmail.com>
> To: OpenStack Development Mailing List <openstack-dev at lists.openstack.org>,
> Date: 08/01/2013 09:38 PM
> Subject: Re: [openstack-dev] [swift] [keystone] Keystone v3 API domains in Swift
>
>
>
> Hi Henry,
>
> From a swift perspective, I think we are fine there, as we do not use
> the user name or project name anywhere. At the moment, I'm thinking
> that we can do auth in a similar way as we did with v2.0 api. An
> "account" in swift is still tied to the project_id (which used to be
> tennant_id), which is in the storage url like:
> https://SWIFT/AUTH_{PROJECT_ID}. Keystone middleware in swift
> validates that the given token has permission for the given Project
> ID.
>
> From this point of view domains are an abstract concept in keystone
> only, and wouldn't mean anything directly in swift.
>
> Please let me know if any of my assumptions are incorrect.
>
> Thanks,
>
> --
> Chuck
>
> On Tue, Jan 8, 2013 at 1:23 PM, Henry Nash <henryn at linux.vnet.ibm.com> wrote:
> > Chuck,
> >
> > So user_id and project_id are always globally unique - so we are safe there. The problem is when you specify user name or project name in the cases when we have to handle enterprises being represented by a domain and they insist that their name attributes (e.g. user names, project names etc.) be private to that domain (e.g. "what do you mean I can't call my project "Test" because some other customer in another domain got there first!?!"). See the following blueprint which introduces this ability as optional for domains: https://review.openstack.org/#/c/18805/
> >
> > For such domains, we cannot assume that user_name or project_name (or tenant_name as it used to be called) are globally unique. "Domain_name (or id) plus user_name" as well as "Domain_name (or id) plus project_name" will be unique however.
> >
> > Henry
> > On 8 Jan 2013, at 19:05, Chuck Thier wrote:
> >
> >> Yeah, I was hoping for more clarity, as it would help to figure out
> >> how to best map the concepts in swift. A couple of quick questions
> >> come to mind. When a request is validated, is the domain required, or
> >> is a user_id and project_id sufficient? Is the concept of a domain
> >> useful in the context of swift?
> >>
> >> --
> >> Chuck
> >>
> >> On Tue, Jan 8, 2013 at 11:37 AM, heckj <heckj at mac.com> wrote:
> >>> The best is probably https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md, but it's a bit light on use-cases around the concepts I'm afraid.
> >>>
> >>> -joe
> >>>
> >>> On Jan 8, 2013, at 9:19 AM, Chuck Thier <cthier at gmail.com> wrote:
> >>>> Is there documentation anywhere that defines all of these, and the use
> >>>> cases? That would help us figure out how to map these concepts to
> >>>> swift.
> >>>>
> >>>> --
> >>>> Chuck
> >>>>
> >>>> On Tue, Jan 8, 2013 at 11:13 AM, Dolph Mathews <dolph.mathews at gmail.com> wrote:
> >>>>> I think it would be practical to expose the authenticated user's DOMAIN_ID
> >>>>> and DOMAIN_NAME into the request environment for the underlying service /
> >>>>> middleware to consume, as we do today with TENANT_ID / TENANT_NAME (soon to
> >>>>> be deprecated in favor of PROJECT_ID / PROJECT_NAME).
> >>>>>
> >>>>>
> >>>>> -Dolph
> >>>>>
> >>>>>
> >>>>> On Tue, Jan 8, 2013 at 7:22 AM, Alexandra Shulman-Peleg
> >>>>> <SHULMANA at il.ibm.com> wrote:
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> As most of you know, Keystone v3 API will introduce the notions of
> >>>>>> "domains" and "projects" which will replace the existing notion of tenants.
> >>>>>> It is important to allow using the same concepts in Swift. Since different
> >>>>>> domains may represent different companies, it is important to allow
> >>>>>> reflecting the Keystone "domain name" in the Swift "account name", providing
> >>>>>> an option to isolate the requests of different domains. Are there existing
> >>>>>> plans of adjusting Swift to Keystone v3 API? If not, I would like to start
> >>>>>> discussing the potential solutions.
> >>>>>>
> >>>>>> Thank you all,
> >>>>>> Alex.
> >>>>>>
> >>>>>>
> >>>>>> ----------------------------------------------------------
> >>>>>> Alexandra Shulman-Peleg, PhD
> >>>>>> Storage Research, Cloud Platforms Dept.
> >>>>>> IBM Haifa Research Lab
> >>>>>> Tel: +972-3-7689530 | Fax: +972-3-7689545
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> OpenStack-dev mailing list
> >>>>>> OpenStack-dev at lists.openstack.org
> >>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> OpenStack-dev mailing list
> >>>>> OpenStack-dev at lists.openstack.org
> >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>>>
> >>>>
> >>>> _______________________________________________
> >>>> OpenStack-dev mailing list
> >>>> OpenStack-dev at lists.openstack.org
> >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>
> >>>
> >>> _______________________________________________
> >>> OpenStack-dev mailing list
> >>> OpenStack-dev at lists.openstack.org
> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>
> >> _______________________________________________
> >> OpenStack-dev mailing list
> >> OpenStack-dev at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>
> >
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130109/c7495adb/attachment.html>
More information about the OpenStack-dev
mailing list