[openstack-dev] Remove tenant/project ID from Nova v3 API URLs
Jorge Williams
jorge.williams at rackspace.com
Mon May 13 16:19:31 UTC 2013
On May 13, 2013, at 10:55 AM, Jay Pipes wrote:
> On 05/13/2013 11:25 AM, Jorge Williams wrote:
>> On May 13, 2013, at 9:43 AM, Jay Pipes wrote:
>>
>>> On 05/11/2013 01:48 PM, Jorge Williams wrote:
>>>> Hey Guys,
>>>>
>>>> Sorry to come into the conversation a bit late.
>>>>
>>>> One of the reasons for having the tenantId in the URI is that it allows us to easily introspect what tenant a particular resource belongs to. You can think of the tenant as literally a container for all of the resources that belong to that tenant. How resources are organized into tenants (or containers or projects, whatever you want to call them) is up to the operator of the OpenStack service, and for big deployments these organizations can be tied to rules and policies, so it becomes important that given a certain resource we can easily tell what tenant that resource belongs to.
>>>>
>>>> If we are going to lose the tenant from the URI, we would need an alternative way of doing this introspection in a manner that is consistent between OpenStack APIs. I'm not entirely married to keeping the tenant in the URI, but I certainly don't want to lose the ability to introspect it.
>>>>
>>>> Thanks,
>>>
>>> The X-Project-Id HTTP header would contain this information, no? Or are
>>> you just requesting that all the different OpenStack projects ensure
>>> this particular header is always included in responses?
>>
>> Hey Jay,
>>
>> As I understand it, the X-Project-Id tells you the project that the user has access to, not the project that the resource belongs to.
>
> The X-Tenant-Id/X-Project-Id header should be exactly the same as the
> tenant ID immediately after the version in the URIs of Nova and
> Keystone. Isn't that what you are talking about above?
>
Yea, they should be the same for the operation to be accepted, but that's not what I'm asking for.
Say I have a server and a request to delete that server. The request to delete the server has a token, that token may be scoped to Tenant X. But a server may belong to Tenant Y. When you receive a message you want to make sure that the tenants between the token and the resource match before you accept the request. That's all well and good, we do that today.
Here's what I'm asking for though: At the API level, I'd like to tell that a server belongs to Tenant Y. How do I do that? The X-Tenant-Id simply tells me that the token is scoped to Tenant X, it tells me nothing about the server.
-jOrGe W.
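
The distinction drawn in the message above, as an added example that is not part of the original thread and is not OpenStack code: the token scope (what X-Tenant-Id / X-Project-Id reports) and the tenant that owns the resource are separate facts, and only the v2-style URI exposes the second one to something reading the request. The `SERVER_OWNER` store, the function names, the IDs and the tenant-less `/v3/servers/{id}` path shape are assumptions made for illustration.

```python
import re
from typing import Optional

# Constructed sample data: which tenant owns each server (hypothetical store).
SERVER_OWNER = {"srv-1": "tenant-y", "srv-2": "tenant-x"}

# v2-style path carries the tenant; the assumed v3-style path does not.
_V2 = re.compile(r"^/v2/(?P<tenant>[^/]+)/servers/(?P<server>[^/]+)$")
_V3 = re.compile(r"^/v3/servers/(?P<server>[^/]+)$")


def tenant_from_uri(path: str) -> Optional[str]:
    """Introspect the resource's tenant from the URI alone (None if absent)."""
    m = _V2.match(path)
    return m.group("tenant") if m else None


def server_from_uri(path: str) -> Optional[str]:
    m = _V2.match(path) or _V3.match(path)
    return m.group("server") if m else None


def visible_at_api_level(path: str, headers: dict) -> dict:
    """What a reader of the request learns without querying the service."""
    return {
        "token_tenant": headers.get("X-Project-Id"),  # scope of the token
        "resource_tenant": tenant_from_uri(path),      # owner, if the URI says
    }


def authorize(path: str, token_tenant: str) -> bool:
    """Service-side check: token scope must match the stored owner."""
    owner = SERVER_OWNER.get(server_from_uri(path))
    if owner is None:
        return False  # unknown resource or unparseable path
    uri_tenant = tenant_from_uri(path)
    if uri_tenant is not None and uri_tenant != owner:
        return False  # URI names a tenant that does not own the resource
    return token_tenant == owner


if __name__ == "__main__":
    hdrs = {"X-Project-Id": "tenant-x"}  # token scoped to Tenant X
    for p in ("/v2/tenant-y/servers/srv-1", "/v3/servers/srv-1"):
        print(p, visible_at_api_level(p, hdrs), authorize(p, "tenant-x"))
```

Both requests are rejected by the service, but only the v2-style path tells an outside reader that the server belongs to a different tenant than the token.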