[Openstack] [Merge] lp:~mdragon/nova/multi-tenant-accounting into lp:nova
Monsyne Dragon
mdragon at rackspace.com
Fri Mar 4 19:35:48 UTC 2011
On 3/4/11 11:53 AM, Eric Day wrote:
> On Thu, Mar 03, 2011 at 06:36:14PM -0600, Monsyne Dragon wrote:
>> On 3/3/11 5:51 PM, Eric Day wrote:
>>> Getting into this a bit more, I'm not sure this is something that
>>> should be the default. For CloudServers v1.0 token auth compatibility,
>>> I'm not even sure this is the best path. It seems like this is
>>> something that should be handled at the service level with the
>>> API version, not by the token server. For v1.0, account=user from
>>> token. For v1.1, just look at the path element for account.
>> sorry, a bit confused... "I'm not even sure this is the best
>> path"... 'this' == ? (mental buffer overflow here...)
> This == putting the account in the service URL during token
> auth. Rather than return:
>
> https://nova.openstack.org/v1.1/<account_id>
>
> for old clients, it seems returning:
>
> https://nova.openstack.org/v1.0/
>
> makes more sense. The v1.0 handler would then not look for account_id
> in the path and simply set account=token user. In other words, there
> is more than one way to fix this, via base URLs or API versioning. It
> seems like a better fit for API versioning than service URLs.
>
I think, really, we are getting off on a tangent here. The purpose of
multitenant is to have a label ('account' or 'project' or whatever.... )
that we tag resources (instances, etc) in nova with so that we can group
together usage reports, etc, that go to some system outside of openstack
for reporting/billing/etc purpose.
The whole thing is pretty tangential to auth. for multitenant, we
really don't care how the user logs in, or where the account label comes
from. Just that it's there, so when someone takes a billable action, we
can record it under the right label for billing, and if an entity, like
an instance, exists we can count it under such a label for the same.
The only things i did with auth was make sure the existing builtin auth
in nova can pass through that label (knowing that most 'real' nova
installs will not use the builtin auth anyway. They will use an external
system. ) and make the api pick up that info. If that gets torn out to
provide a better builtin auth, that's fine. Also, the same for the
admin api's. If they get shuffled off to some better auth system's api,
that's fine. We are just using them to say 'this account-label exists.
attatch stuff to it' , we are not doing authorization .
As for the account_id in the urls... Hmm... Having it specc'ed in v1.1
is definitely good. For v1.0, we can just pull the account from the
token user, as long as the user is a member of only one account (the
code to do that is actually in there, where it generates the service
url). I suppose that is not a pressing use case (and eventualy could
be answered with "user the v1.1 api). This would prevent any kind of
proxy caching on the v1.0 api, but I'm not sure if that is important (is
broken in nova atm, since things like GET /v1.0/servers return differently)
--
--
-Monsyne Dragon
work: 210-312-4190
mobile 210-441-0965
google voice: 210-338-0336
Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at abuse at rackspace.com, and delete the original message.
Your cooperation is appreciated.
More information about the Openstack
mailing list