Re: [openstack-dev] [keystone] role of Domain in VPC definition
It seems this work item is made of several blueprints, some of which are not yet approved. This is true at least for the Neutron blueprint regarding policy extensions. Since I first looked at this spec I've been wondering why nova has been selected as an endpoint for network operations rather than Neutron, but this probably a design/implementation details whereas JC here is looking at the general approach. Nevertheless, my only point here is that is seems that features like this need an all-or-none approval. For instance, could the VPC feature be considered functional if blueprint [1] is implemented, but not [2] and [3]? Salvatore [1] https://blueprints.launchpad.net/nova/+spec/aws-vpc-support [2] https://blueprints.launchpad.net/neutron/+spec/policy-extensions-for-neutron [3] https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy On 11 February 2014 21:45, Martin, JC jch.mar...@gmail.com wrote: Ravi, It seems that the following Blueprint https://wiki.openstack.org/wiki/Blueprint-aws-vpc-support has been approved. However, I cannot find a discussion with regard to the merit of using project vs. domain, or other mechanism for the implementation. I have an issue with this approach as it prevents tenants within the same domain sharing the same VPC to have projects. As an example, if you are a large organization on AWS, it is likely that you have a large VPC that will be shred by multiple projects. With this proposal, we loose that capability, unless I missed something. JC On Dec 19, 2013, at 6:10 PM, Ravi Chunduru ravi...@gmail.com wrote: Hi, We had some internal discussions on role of Domain and VPCs. I would like to expand and understand community thinking of Keystone domain and VPCs. Is VPC equivalent to Keystone Domain? If so, as a public cloud provider - I create a Keystone domain and give it to an organization which wants a virtual private cloud. Now the question is if that organization wants to have departments wise allocation of resources it is becoming difficult to visualize with existing v3 keystone constructs. Currently, it looks like each department of an organization cannot have their own resource management with in the organization VPC ( LDAP based user management, network management or dedicating computes etc.,) For us, Openstack Project does not match the requirements of a department of an organization. I hope you guessed what we wanted - Domain must have VPCs and VPC to have projects. I would like to know how community see the VPC model in Openstack. Thanks, -Ravi. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone] role of Domain in VPC definition
Yes, [1] can be done without [2] and [3]. As you are well aware [2] is now merged with group policy discussions. IMHO all or nothing approach will not get us anywhere. By the time we line up all our ducks in row. New features/ideas/blueprints will keep Emerging. Regards -Harshad On Feb 16, 2014, at 2:30 AM, Salvatore Orlando sorla...@nicira.com wrote: It seems this work item is made of several blueprints, some of which are not yet approved. This is true at least for the Neutron blueprint regarding policy extensions. Since I first looked at this spec I've been wondering why nova has been selected as an endpoint for network operations rather than Neutron, but this probably a design/implementation details whereas JC here is looking at the general approach. Nevertheless, my only point here is that is seems that features like this need an all-or-none approval. For instance, could the VPC feature be considered functional if blueprint [1] is implemented, but not [2] and [3]? Salvatore [1] https://blueprints.launchpad.net/nova/+spec/aws-vpc-support [2] https://blueprints.launchpad.net/neutron/+spec/policy-extensions-for-neutron [3] https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy On 11 February 2014 21:45, Martin, JC jch.mar...@gmail.com wrote: Ravi, It seems that the following Blueprint https://wiki.openstack.org/wiki/Blueprint-aws-vpc-support has been approved. However, I cannot find a discussion with regard to the merit of using project vs. domain, or other mechanism for the implementation. I have an issue with this approach as it prevents tenants within the same domain sharing the same VPC to have projects. As an example, if you are a large organization on AWS, it is likely that you have a large VPC that will be shred by multiple projects. With this proposal, we loose that capability, unless I missed something. JC On Dec 19, 2013, at 6:10 PM, Ravi Chunduru ravi...@gmail.com wrote: Hi, We had some internal discussions on role of Domain and VPCs. I would like to expand and understand community thinking of Keystone domain and VPCs. Is VPC equivalent to Keystone Domain? If so, as a public cloud provider - I create a Keystone domain and give it to an organization which wants a virtual private cloud. Now the question is if that organization wants to have departments wise allocation of resources it is becoming difficult to visualize with existing v3 keystone constructs. Currently, it looks like each department of an organization cannot have their own resource management with in the organization VPC ( LDAP based user management, network management or dedicating computes etc.,) For us, Openstack Project does not match the requirements of a department of an organization. I hope you guessed what we wanted - Domain must have VPCs and VPC to have projects. I would like to know how community see the VPC model in Openstack. Thanks, -Ravi. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone] role of Domain in VPC definition
Harshad, This is great. At least there is consensus on what it is and what it is not. I would leave it to others to discuss merits of a an AWS compat VPC API for Icehouse. Perhaps this is a good topic to discuss at the Juno design summit. Subbu On Feb 16, 2014, at 10:15 AM, Harshad Nakil hna...@contrailsystems.com wrote: As said I am not disagreeing with you or Ravi or JC. I also agree that Openstack VPC implementation will benefit from these proposals. What I am saying is it is not required AWS VPC API compatibility at this point. Which is what our blueprint is all about. We are not defining THE VPC. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone] role of Domain in VPC definition
I agree with JC that we need to pause and discuss VPC model with in openstack before considering AWS compatibility. As Subbu said, We need this discussion in Juno summit and get consensus. Thanks, -Ravi. On Sun, Feb 16, 2014 at 10:31 AM, Allamaraju, Subbu su...@subbu.org wrote: Harshad, This is great. At least there is consensus on what it is and what it is not. I would leave it to others to discuss merits of a an AWS compat VPC API for Icehouse. Perhaps this is a good topic to discuss at the Juno design summit. Subbu On Feb 16, 2014, at 10:15 AM, Harshad Nakil hna...@contrailsystems.com wrote: As said I am not disagreeing with you or Ravi or JC. I also agree that Openstack VPC implementation will benefit from these proposals. What I am saying is it is not required AWS VPC API compatibility at this point. Which is what our blueprint is all about. We are not defining THE VPC. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Ravi ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone] role of Domain in VPC definition
On Sun, Feb 16, 2014 at 3:26 AM, Salvatore Orlando sorla...@nicira.com wrote: It seems this work item is made of several blueprints, some of which are not yet approved. This is true at least for the Neutron blueprint regarding policy extensions. Since I first looked at this spec I've been wondering why nova has been selected as an endpoint for network operations rather than Neutron, but this probably a design/implementation details whereas JC here is looking at the general approach. [1] is only about AWS VPC support, not OpenStack API based network operations. Nevertheless, my only point here is that is seems that features like this need an all-or-none approval. For instance, could the VPC feature be considered functional if blueprint [1] is implemented, but not [2] and [3]? Salvatore [1] https://blueprints.launchpad.net/nova/+spec/aws-vpc-support [2] https://blueprints.launchpad.net/neutron/+spec/policy-extensions-for-neutron [3] https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy On 11 February 2014 21:45, Martin, JC jch.mar...@gmail.com wrote: Ravi, It seems that the following Blueprint https://wiki.openstack.org/wiki/Blueprint-aws-vpc-support has been approved. However, I cannot find a discussion with regard to the merit of using project vs. domain, or other mechanism for the implementation. I have an issue with this approach as it prevents tenants within the same domain sharing the same VPC to have projects. As an example, if you are a large organization on AWS, it is likely that you have a large VPC that will be shred by multiple projects. With this proposal, we loose that capability, unless I missed something. JC On Dec 19, 2013, at 6:10 PM, Ravi Chunduru ravi...@gmail.com wrote: Hi, We had some internal discussions on role of Domain and VPCs. I would like to expand and understand community thinking of Keystone domain and VPCs. Is VPC equivalent to Keystone Domain? If so, as a public cloud provider - I create a Keystone domain and give it to an organization which wants a virtual private cloud. Now the question is if that organization wants to have departments wise allocation of resources it is becoming difficult to visualize with existing v3 keystone constructs. Currently, it looks like each department of an organization cannot have their own resource management with in the organization VPC ( LDAP based user management, network management or dedicating computes etc.,) For us, Openstack Project does not match the requirements of a department of an organization. I hope you guessed what we wanted - Domain must have VPCs and VPC to have projects. I would like to know how community see the VPC model in Openstack. Thanks, -Ravi. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone] role of Domain in VPC definition
Ravi, It seems that the following Blueprint https://wiki.openstack.org/wiki/Blueprint-aws-vpc-support has been approved. However, I cannot find a discussion with regard to the merit of using project vs. domain, or other mechanism for the implementation. I have an issue with this approach as it prevents tenants within the same domain sharing the same VPC to have projects. As an example, if you are a large organization on AWS, it is likely that you have a large VPC that will be shred by multiple projects. With this proposal, we loose that capability, unless I missed something. JC On Dec 19, 2013, at 6:10 PM, Ravi Chunduru ravi...@gmail.com wrote: Hi, We had some internal discussions on role of Domain and VPCs. I would like to expand and understand community thinking of Keystone domain and VPCs. Is VPC equivalent to Keystone Domain? If so, as a public cloud provider - I create a Keystone domain and give it to an organization which wants a virtual private cloud. Now the question is if that organization wants to have departments wise allocation of resources it is becoming difficult to visualize with existing v3 keystone constructs. Currently, it looks like each department of an organization cannot have their own resource management with in the organization VPC ( LDAP based user management, network management or dedicating computes etc.,) For us, Openstack Project does not match the requirements of a department of an organization. I hope you guessed what we wanted - Domain must have VPCs and VPC to have projects. I would like to know how community see the VPC model in Openstack. Thanks, -Ravi. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [keystone] role of Domain in VPC definition
Hi, We had some internal discussions on role of Domain and VPCs. I would like to expand and understand community thinking of Keystone domain and VPCs. Is VPC equivalent to Keystone Domain? If so, as a public cloud provider - I create a Keystone domain and give it to an organization which wants a virtual private cloud. Now the question is if that organization wants to have departments wise allocation of resources it is becoming difficult to visualize with existing v3 keystone constructs. Currently, it looks like each department of an organization cannot have their own resource management with in the organization VPC ( LDAP based user management, network management or dedicating computes etc.,) For us, Openstack Project does not match the requirements of a department of an organization. I hope you guessed what we wanted - Domain must have VPCs and VPC to have projects. I would like to know how community see the VPC model in Openstack. Thanks, -Ravi. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev