[Openstack] [Merge] lp:~mdragon/nova/multi-tenant-accounting into lp:nova

Eric Day eday at oddments.org
Sat Mar 5 01:33:16 UTC 2011

On Fri, Mar 04, 2011 at 01:35:48PM -0600, Monsyne Dragon wrote:
> I think, really, we are getting off on a tangent here. The purpose
> of multitenant is to have a label ('account' or 'project' or
> whatever.... ) that we tag resources (instances, etc) in nova with
> so that we can group together usage reports, etc, that go to some
> system outside of openstack for reporting/billing/etc purpose.
> The whole thing is pretty tangential to auth.  for multitenant, we
> really don't care how the user logs in, or where the account label
> comes from.  Just that it's there, so when someone takes a billable
> action, we can record it under the right label for billing, and if
> an entity, like an instance, exists we can count it under such a
> label for the same.

It's actually not, since the concept of 'project' (which you're mapping
account on top of) is going away. Resources will have an owner, and
these can be acted on by the owner or other accounts (or tenants)
the owner gives permission to. So the account you're talking about
is not just a label, it's going to be another tenant within the
system. A deployment can treat tenants differently of course (ie,
users, projects, billable accounts, ...).

I think the outstanding authn/authz branch needs to land (with some
further work) before going to much further.


More information about the Openstack mailing list