[Openstack] Pondering multi-tenant needs in nova.

Jay Pipes jaypipes at gmail.com
Mon Feb 7 15:42:10 UTC 2011


On Mon, Feb 7, 2011 at 10:33 AM, Greg <gholt at rackspace.com> wrote:
> On Feb 7, 2011, at 8:30 AM, Jay Pipes wrote:
>
>> What Swift APIs are available for a reseller to query which of its
>> customer accounts have consumed X resources? Or does Swift punt and
>> make the reseller calculate all those things?
>
> A bit of both. You can head an account to get disk usage, object count type stats. But most stats are via log processing after the fact.

OK, but can you head all the accounts under another account? Or is
that done via log processing?

>> Does Swift enforce the uniqueness constraint you allude to above? If
>> not, why bother even having the uniqueness constraint?
>
> Yes, the reseller creates the Swift account, if it already exists they get a 409 conflict.

Gotcha, thx.

>> Again, this has nothing to do with authentication. Nova has a separate
>> users table that relates to the auth system. This, AFAIK, has nothing
>> to do with auth.
>
> Okay, okay, no need to get upset. :P

Hehe, I'm not upset, no worries :) Just trying to ensure that various
perspectives are explored before a final decision on this is made.

> They are related in Swift though. For instance, if someone wanted to set up a container that several users could all access they would do that with these opaque strings. They wouldn't create a new group in Swift or some such. Those kind of org structures are outside Swift. Swift just knows "allow x to have access" and "token t auths to groups g".

Gotcha. Yes, in Nova authentication is handled separately, with the
users table holding the identifier(s) that are used in authentication.
For authorization, the different APIs use different models IIRC. For
EC2, the security_groups and security_group_roles tables hold some of
this information. There is also the ability to use an external store
such as LDAP authorization too, IIRC. Vishy or Devin, feel free to
correct me here if I'm off base. Been a while since I looked at that
piece of Nova.

>> Depends how much they value the ability not to have to constantly
>> query information from the Swift API and then immediately re-structure
>> the data and construct aggregate reports from the raw data after
>> munging it into their own org structure.
>
> Sure. You make it sound so evil, but it's not that bad. Account x maps to something on their side and they're done.
>
> Someone has to do the aggregate reporting, etc. work. We're working towards an example system that does that, but we're trying to keep it out of the core of Swift if possible. A good reason for this is that we expect a lot of improvements to happen in this area, and likely they'll be applicable to more than just Swift.
>
> But, all that said, Nova's mileage may vary. :) Just stating what Swift's been doing if it's any help.

Understood, and appreciated. :) Like I said, just voicing a dissenting
opinion to ensure the discussion contains opposing viewpoints and that
all perspectives are explored. Very much appreciated your input from
the Swift perspective and experience. :)

-jay



