[Openstack] Entities in OpenStack Auth

Justin Santa Barbara justin at fathomdb.com
Wed Mar 2 02:30:27 UTC 2011


Thanks Eric.  That actually makes a lot of sense to me, and seems to tally
with my understanding of the auth sequence for v1.0 and v1.1
and compatibility behavior for v1.0 as I described it.

I think my personal preference would be not to pass the project this way,
because it's another "special-case" way of passing parameters (I don't dare
mention the Metadata word), and it's also one we can't use consistently
(e.g. cross-project search).  But the horse has already bolted on this one,
so it's just a preference.

Do we know if CloudServers had a strong reason for doing things this way?
 (Caching? Session affinity?)

Justin




On Tue, Mar 1, 2011 at 6:14 PM, Eric Day <eday at oddments.org> wrote:

> For that query you would, but not all. If you want to create a new
> instance for project1 you would:
>
> nova.openstack.org/v1.1/project1/servers
>
> Or if you wanted to reboot instance X in project1:
>
> nova.openstack.org/v1.1/project1/servers/X
>
> Note that the following resource is not the same as the last, since
> justin wouldn't be the owner for instance X, project1 would be:
>
> nova.openstack.org/v1.1/justin/servers/X
>
> I think searches will always have special cases with filter options,
> but for identifying a canonical URL for a resource, having the entity
> name of the owner in there seems correct.
>
> The main thing I'm trying to figure out is whether to use an extra
> entity in the path for new service URLs. Swift does and Nova does not,
> and it would be nice to have some consistency. I see the benefits of
> both, and in Swift's case it needs to for simple public URLs (where
> there is no user context).
>
> -Eric
>
> On Tue, Mar 01, 2011 at 06:00:12PM -0800, Justin Santa Barbara wrote:
> >    If we're always going to pass the same user-id token (for a particular
> >    user), what's the value in passing it at all?  Why not get it from the
> >    authentication token?
> >    e.g. my X-Auth-Token could look like:  "justinsb
> >    project1,project2,project3 5OPr9UR2xk32K9ArAjO562e" (i.e. my username,
> >    projects and a crypto signature)
> >    Justin
> >
> >    On Tue, Mar 1, 2011 at 5:51 PM, Eric Day <eday at oddments.org> wrote:
> >
> >      Hi Justin,
> >      On Tue, Mar 01, 2011 at 05:14:42PM -0800, Justin Santa Barbara
> wrote:
> >      >    However, what I don't understand is how I can query my servers
> in
> >      project1
> >      >    and project2 (but not those in project3). *The only way I could
> see
> >      is
> >      >    doing something like this:
> >      >    *nova.openstack.org/v1.1/project1+project2/servers.
> >      >    I agree that REST paths aren't themselves hacky in the
> >      single-project
> >      >    case, but I don't yet grok the multi-project query. *Of the 3
> >      options I do
> >      >    grok, I see (c) as the least hacky.
> >
> >      I would probably say use nova.openstack.org/v1.1/justin/serverswith
> >      one or more filter parameters in the URL or body as you mention.
> This
> >      something to consider across all services, not just nova. AFAIK
> >      Swift doesn't support queries across multiple accounts right now,
> >      so I'd like to hear their thoughts on it as well.
> >      -Eric
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20110301/0d3cea15/attachment.html>


More information about the Openstack mailing list