Yeah, the part I wasn't sure about was visibility at the Horizon / API level. Since host aggregates are largely invisible to the end user, it seemed to me to provide better UX to simply use aggregates without AZ affiliation.

I guess the other question is: if you are using volume types to route to different storage backends, can you set a default volume type for each tenant? I know you can set one globally in the cinder.conf, but that wouldn't work if you wanted different tenants to be isolated on their own storage appliances.

________________________________
From: Sean Mooney <smooney at redhat.com>
Sent: 09 January 2023 11:11
To: Danny Webb <Danny.Webb at thehutgroup.com>; Nguyễn Hữu Khôi <nguyenhuukhoinw at gmail.com>; OpenStack Discuss <openstack-discuss at lists.openstack.org>
Subject: Re: [Nova][Horizon]

On Mon, 2023-01-09 at 09:50 +0000, Danny Webb wrote:
> If you want to do this you'd have to use host aggregates rather than AZs I think. Set up a host aggregate that is then mapped to specific flavors which are RBAC'd to specific projects.

AZs are just host aggregates with AZ metadata added.

To do tenant affinity at the scheduler level on older clouds you can use the AggregateMultiTenancyIsolation filter to map tenants to host aggregates. From Rocky on, the preferred approach is to use tenant isolation via placement aggregates:
https://docs.openstack.org/nova/latest/admin/aggregates.html#tenant-isolation-with-placement

You do not need to modify flavors for that use case.

Host aggregates are not visible to end users at the API, so you cannot adjust policy to limit them to specific tenants.
If you really want to support this in Horizon you would have to apply the ```openstack aggregate set --property filter_tenant_id=9691591f913949818a514f95286a6b90 myagg``` to the aggregate that has the AZ definition and modify Horizon to check if the tenant ID in the aggregate matches the tenant that is logged in. Basically Horizon would have to implement the filtering of AZs in its UI. Nova does not provide that because we do not require the ```Tenant Isolation with Placement``` feature to be configured on the host aggregate that defines the AZ. Normally it is not done that way, and you will have a separate host aggregate that overlaps with multiple for a given tenant that defines which hosts they can run on.

In any case, the answer is that you need to tag the AZ with some metadata to track the tenant info (or reuse the field we support for scheduling) and modify Horizon to filter by it.

The alternative approach is to propose a new feature to Nova to allow it to filter in some way, but I am not sure what that would look like, and it would not be backportable as it would be an API change, so it would be a change in the B/2023.2 release at the earliest.

> ________________________________
> From: Nguyễn Hữu Khôi <nguyenhuukhoinw at gmail.com>
> Sent: 09 January 2023 00:12
> To: OpenStack Discuss <openstack-discuss at lists.openstack.org>
> Subject: [Nova][Horizon]
>
> Hello guys.
> Is there any way to assign AZ to a specified project? After searching, I cannot find any answer.
>
> Example.
>
> Sale project will only see Sale AZ to select.
> Tech project will only see Tech AZ to select
>
> Thank you.
> Regards
> Nguyen Huu Khoi
>
> Danny Webb
> Principal OpenStack Engineer
> Danny.Webb at thehutgroup.com
> www.thg.com

Danny Webb
Principal OpenStack Engineer
Danny.Webb at thehutgroup.com
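
[Added example, not part of the original thread and not code from Horizon or Nova.] The UI-side check described in the quoted reply, matching the logged-in tenant against the `filter_tenant_id` metadata on the aggregate that defines each AZ, could look like the sketch below. The dict field names, the constructed sample aggregates, the suffixed/comma-separated key handling and the `show_untagged` switch are assumptions of this example.

```python
TENANT_KEY_PREFIX = "filter_tenant_id"     # metadata key named in the thread
SALE = "9691591f913949818a514f95286a6b90"  # project ID quoted in the thread
TECH = "0" * 31 + "1"                      # constructed project ID

# Constructed sample aggregates; the dict field names are hypothetical.
AGGREGATES = [
    {"name": "sale-agg", "availability_zone": "sale-az",
     "properties": {"filter_tenant_id": SALE}},
    {"name": "tech-agg", "availability_zone": "tech-az",
     "properties": {"filter_tenant_id": TECH}},
    {"name": "shared-agg", "availability_zone": "shared-az", "properties": {}},
    # Plain host aggregate with no AZ metadata: never shown as an AZ.
    {"name": "sale-hosts", "availability_zone": None,
     "properties": {"filter_tenant_id2": SALE}},
]


def tagged_tenants(aggregate):
    """Project IDs tagged on one aggregate via filter_tenant_id* keys."""
    tenants = set()
    for key, value in aggregate.get("properties", {}).items():
        if key.startswith(TENANT_KEY_PREFIX):
            # Assumption: a value may hold several comma-separated IDs.
            tenants.update(t.strip() for t in str(value).split(",") if t.strip())
    return tenants


def visible_azs(aggregates, project_id, show_untagged=False):
    """AZ names a UI would offer to project_id.

    An AZ tagged for any tenant is shown only to those tenants. Untagged
    AZs are hidden unless show_untagged is set (a policy choice of this
    example). This only filters a list; it does not restrict scheduling.
    """
    az_tenants = {}
    for agg in aggregates:
        az = agg.get("availability_zone")
        if az:
            az_tenants.setdefault(az, set()).update(tagged_tenants(agg))
    return sorted(
        az for az, tenants in az_tenants.items()
        if project_id in tenants or (show_untagged and not tenants)
    )


if __name__ == "__main__":
    print(visible_azs(AGGREGATES, SALE))
```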