[openstack-dev] Remove tenant/project ID from Nova v3 API URLs

Jason Kölker jason at koelker.net
Mon May 13 17:00:08 UTC 2013


On Mon, May 13, 2013 at 11:19 AM, Jorge Williams
<jorge.williams at rackspace.com> wrote:
> Here's what I'm asking for though:  At the API level, I'd like to tell that a server belongs to Tenant Y.  How do I do that?  The X-Tenant-Id simply tells me that the token is scoped to Tenant X, it tells me nothing about the server.

The API looks up the server via conductor or direct DB, the query is
scoped to the access permissions of the token. The API then has access
to the project_id field on the server object and can enforce further
restrictions should any extensions need to. Doing scoping via the URL
string is insecure. As an API consumer, you have the result of the
operation, so you have the project_id in the return results to compare
at your leisure (except for delete, but I'm not sure what a use case
would be to add in the tenant_id in the URL just for that, you already
have the server_id which was more than likely the result of a get
anyway).

Happy Hacking!

7-11
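
An added illustration of the scoping described in the message above (not part of the original email and not Nova's code): a lookup that filters on the tenant ID from the request path, next to one that filters on the project the token is scoped to. The `Token` class, the `is_admin` flag, the table layout and the sample rows are assumptions constructed for the example.

```python
import sqlite3

COLUMNS = ("id", "project_id", "name")


class Token:
    """Hypothetical stand-in for an already validated auth token."""

    def __init__(self, project_id, is_admin=False):
        self.project_id = project_id
        self.is_admin = is_admin  # assumption: admins may see every project


def make_db():
    """Constructed sample data: two servers owned by different projects."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE servers (id TEXT PRIMARY KEY, project_id TEXT, name TEXT)")
    db.executemany(
        "INSERT INTO servers VALUES (?, ?, ?)",
        [("srv-1", "tenant-x", "web"), ("srv-2", "tenant-y", "db")],
    )
    return db


def _as_dict(row):
    return dict(zip(COLUMNS, row)) if row else None


def get_server_url_scoped(db, url_tenant_id, server_id):
    """Weak form: the filter value comes from the caller-controlled path."""
    row = db.execute(
        "SELECT id, project_id, name FROM servers WHERE id = ? AND project_id = ?",
        (server_id, url_tenant_id),
    ).fetchone()
    return _as_dict(row)


def get_server_token_scoped(db, token, server_id):
    """Corrected form: the filter value comes from the token; no URL tenant is read."""
    sql = "SELECT id, project_id, name FROM servers WHERE id = ?"
    params = [server_id]
    if not token.is_admin:
        sql += " AND project_id = ?"
        params.append(token.project_id)
    # The returned record carries project_id, so the consumer can compare it.
    return _as_dict(db.execute(sql, params).fetchone())
```
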


