Open Stack

On 7/15/2015 5:38 PM, melanie witt wrote:
> Hi Everyone,
>
> Recently I have started reviewing the patch series about nested quotas in nova [1] and I'm having trouble understanding where we currently are with identity v3 support in nova. From what I read in a semi recent proposal [2] I think things mostly "just work" if you configure to run with v3, but there are some gaps.
>
> Nested quotas use the concept of parent/child projects in keystone v3 to allow parent projects to delegate quota management to subprojects. This means we'd start getting requests with a token scoped to the parent project to modify quota of a child project.
>
> With keystone v3 we could get requests with tokens scoped to parent projects that act upon child project resources for all APIs in general.
>
> The first patch in the series [3] removes the top-level validation check for context.project_id != project_id in URL, since with v3 it's a supported thing for a parent project to act on child project resources. (I don't think it's completely correct in that I think it would allow unrelated projects to act on one another)
>
> Doing this fails the keypairs and security groups tempest tests [4] that verify that one project cannot create keypairs or security group rules in a different project.
>
> Question: How can we handle project_id mismatch in a way that supports both keystone v2 and v3? Do we augment the check to fall back on checking if "is parent of" using keystone API if there's a project_id mismatch?
>
> Question: Do we intend to, for example, allow creation of keypairs by a parent on behalf of child being that the private key is returned to the caller?
>
> Basically, I feel stuck on these reviews because it appears to me that nova doesn't fully support identity v3 yet. From what I checked, there aren't yet Tempest jobs running against identity v3 either.
>
> Can anyone shed some light on this as I'm trying to see a way forward with the nested quotas reviews?
>
> Thanks,
> -melanie (irc: melwitt)
>
>
> [1] https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:bp/nested-quota-driver-api,n,z
> [2] https://review.openstack.org/#/c/103617/
> [3] https://review.openstack.org/182140/
> [4] http://logs.openstack.org/40/182140/12/check/check-tempest-dsvm-full/8e51c94/logs/testr_results.html.gz
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

I've added this to the meetup etherpad for next week:

https://etherpad.openstack.org/p/liberty-nova-midcycle

Since bknudson worked on the keystone v3 spec for nova and will be 
sitting in during the meetup next week at some point (since he's local).

-- 

Thanks,

Matt Riedemann