[Openstack] Pondering multi-tenant needs in nova.

Diego Parrilla Santamaría diego.parrilla.santamaria at gmail.com
Thu Feb 3 20:42:13 UTC 2011

Sandy, Devin,

this is structure we had in my former cloud platform to fit easily in
a LDAP. It also helped in metering.


Diego Parrilla
nubeblog.com | nubeblog at nubeblog.com | twitter.com/nubeblog
+34 649 94 43 29

On Thu, Feb 3, 2011 at 9:29 PM, Sandy Walsh <sandy.walsh at rackspace.com> wrote:
> Sounds very LDAP.
> Would it make sense to have a plug-in so we could mimic a pre-existing corp
> LDAP structure?
> -S
> ________________________________
> From: openstack-bounces+sandy.walsh=rackspace.com at lists.launchpad.net
> [openstack-bounces+sandy.walsh=rackspace.com at lists.launchpad.net] on behalf
> of Devin Carlen [devin.carlen at gmail.com]
> Sent: Thursday, February 03, 2011 4:02 PM
> To: Monsyne Dragon
> Cc: openstack at lists.launchpad.net
> Subject: Re: [Openstack] Pondering multi-tenant needs in nova.
> We were just talking about this the other day.  We definitely need some kind
> of further hierarchy.  I think a typical kind of use case for multi-tenant
> could be something like:
> Enterprise contains Organizations
> Organizations contain Organizations and Projects
> Projects contain Instances, etc.
> In this structure enterprise is just a top level organization.  If we
> structure it this way it would make metering and billing pretty simple.
> On Feb 2, 2011, at 5:37 PM, Monsyne Dragon wrote:
> I am sorting out some possible implementations for the
> multi-tenant-accounting blueprint, and the related system-usage-records bp,
> and I just wanted to run this by anyone interested in such matters.
> Basically, for multitenant purposes we need to introduce the concept of an
> 'account' in nova, representing a customer,  that basically acts as a label
> for a group of resources (instances, etc), and for access control (i.e
> customer a cannot mess w/ customer b's stuff)
> There was some confusion on how best to implement this, in relation to
> nova's project concept.  Projects are kind of like what we want an account
> to be, but there are some associations (like one project per network) which
> are not valid for our flat networking setup.  I am kind of straw-polling on
> which is better here:
> The options are:
> 1) Create a new 'account' concept in nova,  with an account basically being
> a subgroup of a project (providers would use a single, default project, with
> additional projects added if needed for separate brands, or resellers, etc),
> add in access control per account as well as project, and make sure
> apis/auth specify account appropriately,  have some way for a default
> account to used (per project) so account doesn't get in the way for
> non-multitenant users.
> 2) having account == nova's "project", and changing the network
> associations, etc so projects can support our model (as well as current
> models).  Support for associating accounts (projects) together for
> resellers, etc would either be delegated outside of nova or added later
> (it's not a current requirement).
> In either case, accounts would be identified by name, which would  be an
> opaque string an outside system/person would assign, and could structure to
> their needs (ie. for associating accounts with common prefixes, etc)
> --
> --
>    -Monsyne Dragon
>    work:         210-312-4190
>    mobile        210-441-0965
>    google voice: 210-338-0336
> Confidentiality Notice: This e-mail message (including any attached or
> embedded documents) is intended for the exclusive and confidential use of
> the
> individual or entity to which this message is addressed, and unless
> otherwise
> expressly indicated, is confidential and privileged information of
> Rackspace.
> Any dissemination, distribution or copying of the enclosed material is
> prohibited.
> If you receive this transmission in error, please notify us immediately by
> e-mail
> at abuse at rackspace.com, and delete the original message.
> Your cooperation is appreciated.
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp

More information about the Openstack mailing list