[Openstack-operators] AggregateMultiTenancyIsolation with multiple (many) projects
Matt Riedemann
mriedemos at gmail.com
Thu Mar 8 20:13:15 UTC 2018
On 2/5/2018 11:44 PM, Massimo Sgaravatto wrote:
> But if I try to specify the long list of projects, I get:a "Value ... is
> too long" error message [*].
>
> I can see two workarounds for this problem:
>
> 1) Create an host aggregate per project:
>
> HA1 including CA1, C2, ... Cx and with filter_tenant_id=p1
> HA2 including CA1, C2, ... Cx and with filter_tenant_id=p2
> etc
>
> 2) Use the AggregateInstanceExtraSpecsFilter, creating two aggregates
> and having each flavor visible only by a set of projects, and tagged
> with a specific string that should match the value specified in the
> correspondent host aggregate
>
> Is this correct ? Can you see better options ?
This problem came up in the public cloud WG meeting at the PTG last week.
The issue is that the host aggregate metadata value is limited to 255
characters so you're pretty severely restricted in the number of
projects you can isolate to that host aggregate.
There were two ideas that I remember getting discussed for possible
solutions:
1. The filter could grow support for domains (or some other fancy
keystone construct) such that you could nest projects and then just
isolate the root project/domain to that host aggregate. I'm not sharp on
keystone stuff so would need more input here, but this might not be a
great solution if nova has to ask keystone for this information per run
through the filters - that could get expensive. If the information is in
the user request context (token) then maybe that would work.
2. Dan Smith mentioned another idea such that we could index the
aggregate metadata keys like filter_tenant_id0, filter_tenant_id1, ...
filter_tenant_idN and then combine those so you have one host aggregate
filter_tenant_id* key per tenant.
--
Thanks,
Matt
More information about the OpenStack-operators
mailing list