[openstack-dev] [neutron][api] - attaching arbitrary key/value pairs to resources
Russell Bryant
rbryant at redhat.com
Mon Aug 24 14:33:22 UTC 2015
On 08/24/2015 09:35 AM, Russell Bryant wrote:
> On 08/24/2015 09:25 AM, Kevin Benton wrote:
>> Hi everybody!
>>
>> In Neutron the idea of adding tags to resources has come up several
>> times this cycle alone.[1][2][3]
>>
>> The general concern that has led to them being rejected is that backends
>> will leverage these tags to leak implementation details or
>> backend-specific features (e.g. tags that control QoS features, security
>> isolation, or other network behaviors).
>>
>> However, there are many use cases that make these nice for the users of
>> the API to help organize resources (e.g. external DNS names on floating
>> IPs, PCI compliance status of security groups, an emoticon describing
>> the seriousness of the things on that network, etc).
>>
>> I'm beginning to think that it might be worth it for the usefulness it
>> brings to the end users. But with all of the third-party plugins
>> out-of-tree, we essentially have no way to stop them from using the tags
>> to control the networking backend as well.
>>
>> So I'm looking for feedback from the API working group as well as other
>> projects that have gone down this path. Should we just take the pythonic
>> "we're all adults" approach and try to encourage backends not to use
>> them for network behavior? Or does this carry too much risk of being
>> abused as a shortcut to avoid developing proper API enhancements by
>> backend devs?
>>
>> 1. https://bugs.launchpad.net/neutron/+bug/1460222
>> 2. https://bugs.launchpad.net/neutron/+bug/1483480
>> 3. https://review.openstack.org/#/c/216021/
>
> If this is clearly documented as being a API consumer thing only, then
> I'm OK with it. Obviously it'll still be possible to be used by a
> backend, but it's also possible to patch the code or provide arbitrary
> API extensions, too.
>
> The plugins may be out of tree, but the ones officially a part of
> Neutron still are under oversight of the Neutron PTL/team. Using this
> in a way it's explicitly documented as not to be used would be an
> example of a case where they should be asked to change.
>
> We can't control what backends not a part of Neutron do, but that's not new.
>
> One example of another project doing something similar is this:
>
> http://specs.openstack.org/openstack/nova-specs/specs/kilo/approved/tag-instances.html
>
> Note this important line:
>
> "The tag is an opaque string and is not intended to be interpreted or
> even read by the virt drivers."
>
There's an updated version of that nova spec here:
http://specs.openstack.org/openstack/nova-specs/specs/liberty/approved/tag-instances.html
--
Russell Bryant
More information about the OpenStack-dev
mailing list