[openstack-dev] Hierarchical Multitenancy and resource ownership

2014-02-18 Thread Martin, JC

I see a lot of good things happening on the hierarchical multitenancy proposal 
that Vish made a while back.

However, the focus so far is on roles and quota, but I could not find any 
discussion related to resource ownership.

Is the plan to allow the creation of resources within any level of the 
hierarchy, or is the plan to allow the visibility of the resources up to a level 
in the hierarchy, or both?

For example, if I have:
  - orga.vpca.projecta
  - orga.vpca.projectb

and I want to share a resource like a network between projecta and projectb, 
should the network be owned by vpca or should it be owned by projecta or 
projectb, or a vpca.admin project and then shared to all children of vpca?

I think either would work, and both may be required.

Opinions?

JC
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] Hierarchical Multitenancy and resource ownership

2014-02-18 Thread Vishvananda Ishaya

On Feb 18, 2014, at 11:31 AM, Martin, JC jch.mar...@gmail.com wrote:

 
> I see a lot of good things happening on the hierarchical multitenancy 
> proposal that Vish made a while back.
> 
> However, the focus so far is on roles and quota, but I could not find any 
> discussion related to resource ownership.
> 
> Is the plan to allow the creation of resources within any level of the 
> hierarchy, or is the plan to allow the visibility of the resources up to a 
> level in the hierarchy, or both?
> 
> For example, if I have:
>   - orga.vpca.projecta
>   - orga.vpca.projectb
> 
> and I want to share a resource like a network between projecta and projectb, 
> should the network be owned by vpca or should it be owned by projecta or 
> projectb, or a vpca.admin project and then shared to all children of vpca?
> 
> I think either would work, and both may be required.
> 
> Opinions?

We haven’t discussed inheriting ownership of objects but at first glance it 
seems confusing: how would one determine if an object in vpca is “shared” and 
visible to projects below, and if it is, how far down the hierarchy would it be 
visible? It is probably best to keep this explicit for the moment.

I’ve been thinking of sharing as objects that appear at multiple places in the 
hierarchy. This could be a list of “owners” or “shares”, but I think it would 
support either of your options. My initial thoughts would be to just put the 
network resource in orga.vpca and then share it to the projects. This of course 
gets a little tedious when other projects are added later, but it avoids the 
complications I mentioned above.

Vish

 
> JC





Re: [openstack-dev] Hierarchical Multitenancy and resource ownership

2014-02-18 Thread Martin, JC
Vish,

See comments below.

JC
On Feb 18, 2014, at 12:19 PM, Vishvananda Ishaya vishvana...@gmail.com wrote:

 
> On Feb 18, 2014, at 11:31 AM, Martin, JC jch.mar...@gmail.com wrote:
> 
>> I see a lot of good things happening on the hierarchical multitenancy 
>> proposal that Vish made a while back.
>> 
>> However, the focus so far is on roles and quota, but I could not find any 
>> discussion related to resource ownership.
>> 
>> Is the plan to allow the creation of resources within any level of the 
>> hierarchy, or is the plan to allow the visibility of the resources up to a 
>> level in the hierarchy, or both?
>> 
>> For example, if I have:
>>   - orga.vpca.projecta
>>   - orga.vpca.projectb
>> 
>> and I want to share a resource like a network between projecta and projectb, 
>> should the network be owned by vpca or should it be owned by projecta or 
>> projectb, or a vpca.admin project and then shared to all children of vpca?
>> 
>> I think either would work, and both may be required.
>> 
>> Opinions?
> 
> We haven’t discussed inheriting ownership of objects but at first glance it 
> seems confusing: how would one determine if an object in vpca is “shared” and 
> visible to projects below, and if it is, how far down the hierarchy would it 
> be visible? It is probably best to keep this explicit for the moment.
> 
> I’ve been thinking of sharing as objects that appear at multiple places in 
> the hierarchy. This could be a list of “owners” or “shares”, but I think it 
> would support either of your options. My initial thoughts would be to just 
> put the network resource in orga.vpca and then share it to the projects. This 
> of course gets a little tedious when other projects are added later, but it 
> avoids the complications I mentioned above.


The way it would work is that when one is creating a network with a 'shared' 
semantic (in a leaf project, for example), the call would have to be extended 
with a scope (for backward compatibility, no scope would mean all/domain).

e.g. 
neutron net-create --shared:orga.vpca vpca-shared-net
instead of just
neutron net-create --shared orga-shared-net

Another option is to implement the same policy mechanism that AWS has, to allow 
the definition of scope based on rules.
see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html


JC
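Added example, not part of the thread and not Keystone or Neutron code: a small Python model of the two sharing models discussed above, JC's scoped --shared:orga.vpca flag (with a bare --shared meaning the whole domain) and Vish's explicit list of shares, resolved against the orga.vpca.projecta / orga.vpca.projectb hierarchy. The Network class, parse_share_flag, is_within, the extra projects (orga.vpca.projectc, orga.vpcb.projectc, orga.vpcab.projectx, orgb.vpcz.projecty) and the rule that a project may only share at a scope it sits under are assumptions made for this example.

```python
"""Added example (not from the openstack-dev thread, and not Keystone or
Neutron code): resolving who can see a 'shared' network in a dotted project
hierarchy such as orga.vpca.projecta.

Two models from the discussion are implemented side by side:
  - scope-based sharing: the network carries one share scope, e.g.
    'orga.vpca', and is visible to every project at or below it;
  - explicit share list: the network carries the list of projects it was
    shared to and is visible only to those.
The Network class, parse_share_flag, is_within and the sample hierarchy are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set


def is_within(project: str, scope: str) -> bool:
    """True if `project` is `scope` itself or a descendant of it.

    Ancestry is decided on dotted path components, not on raw string
    prefixes: project.startswith(scope) would wrongly let
    'orga.vpcab.projectx' see a network scoped to 'orga.vpca'.
    """
    p = project.split(".")
    s = scope.split(".")
    return len(p) >= len(s) and p[: len(s)] == s


def parse_share_flag(flag: str, owner: str) -> str:
    """Turn the proposed CLI flag into a share scope (assumed syntax).

    '--shared'           -> the owner's domain, i.e. its first path
                            component (the backward-compatible default)
    '--shared:orga.vpca' -> that explicit scope
    The scope must be an ancestor of, or equal to, the owning project
    (an assumption of this example); otherwise a leaf project could
    publish a network into a subtree it does not belong to.
    """
    if flag == "--shared":
        scope = owner.split(".")[0]
    elif flag.startswith("--shared:"):
        scope = flag[len("--shared:"):]
    else:
        raise ValueError(f"not a share flag: {flag!r}")
    if not scope or not is_within(owner, scope):
        raise ValueError(f"{owner} may not share at scope {scope!r}")
    return scope


@dataclass
class Network:
    name: str
    owner: str                                   # project that created it
    shared_scope: Optional[str] = None           # scope-based sharing
    shared_with: Set[str] = field(default_factory=set)  # explicit shares


def visible_to(net: Network, project: str) -> bool:
    """A project sees a network if it owns it, sits inside the network's
    share scope, or is listed explicitly as a share target."""
    if project == net.owner:
        return True
    if net.shared_scope is not None and is_within(project, net.shared_scope):
        return True
    return project in net.shared_with


def visible_networks(nets: Iterable[Network], project: str) -> List[str]:
    """Names of the networks `project` can see, sorted for stable output."""
    return sorted(n.name for n in nets if visible_to(n, project))


# Constructed sample data: the two projects from the thread, a sibling VPC,
# a project whose name merely starts with 'vpca', and a second domain.
NETS = [
    Network("vpca-shared-net", owner="orga.vpca.projecta",
            shared_scope=parse_share_flag("--shared:orga.vpca",
                                          "orga.vpca.projecta")),
    Network("orga-shared-net", owner="orga.vpca.projecta",
            shared_scope=parse_share_flag("--shared", "orga.vpca.projecta")),
    Network("projecta-private", owner="orga.vpca.projecta"),
    # the explicit-list variant: owned at orga.vpca, shared to two children
    Network("explicit-net", owner="orga.vpca",
            shared_with={"orga.vpca.projecta", "orga.vpca.projectb"}),
]

SAMPLE_PROJECTS = [
    "orga.vpca.projecta", "orga.vpca.projectb",
    "orga.vpca.projectc",    # added to vpca after the shares were set up
    "orga.vpcb.projectc", "orga.vpcab.projectx", "orgb.vpcz.projecty",
]

if __name__ == "__main__":
    for proj in SAMPLE_PROJECTS:
        print(f"{proj:20s} -> {visible_networks(NETS, proj)}")
```

Running it prints what each project sees. Two points worth noting: orga.vpcab.projectx does not see vpca-shared-net, because ancestry is decided on path components rather than string prefixes; and the project added later, orga.vpca.projectc, picks up the scoped network automatically but not the explicitly shared one, which is exactly the tedium Vish describes with per-project shares. The check in parse_share_flag that a project may only share at a scope above itself is what keeps a leaf project from making its network visible to an unrelated subtree.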