Re: [openstack-dev] Hierarchical Multitenancy
Hi Deepak, I think that one of the next steps for HMT is expand the concept for other services, as Nova folks are doing with Quotas for nested projects. I think that we can do a brainstorm about the use cases for HMT in each service, but I think that if a resource can be shared inside the hierarchy, so this is a good evidence that we can implement HMT in the service, like a instance or a image and other things. I'm available for any discussion related to HMT in other services. :) On Wed Dec 24 2014 at 1:04:15 PM Deepak Shetty dpkshe...@gmail.com wrote: Raildo, Thanks for putting the blog, i really liked it as it helps to understand how hmt works. I am interested to know more about how hmt can be exploited for other OpenStack projects... Esp cinder, manila On Dec 23, 2014 5:55 AM, Morgan Fainberg morgan.fainb...@gmail.com wrote: Hi Raildo, Thanks for putting this post together. I really appreciate all the work you guys have done (and continue to do) to get the Hierarchical Mulittenancy code into Keystone. It’s great to have the base implementation merged into Keystone for the K1 milestone. I look forward to seeing the rest of the development land during the rest of this cycle and what the other OpenStack projects build around the HMT functionality. Cheers, Morgan On Dec 22, 2014, at 1:49 PM, Raildo Mascena rail...@gmail.com wrote: Hello folks, My team and I developed the Hierarchical Multitenancy concept for Keystone in Kilo-1 but What is Hierarchical Multitenancy? What have we implemented? What are the next steps for kilo? To answers these questions, I created a blog post *http://raildo.me/hierarchical-multitenancy-in-openstack/ http://raildo.me/hierarchical-multitenancy-in-openstack/* Any question, I'm available. -- Raildo Mascena Software Engineer. Bachelor of Computer Science. Distributed Systems Laboratory Federal University of Campina Grande Campina Grande, PB - Brazil ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Hierarchical Multitenancy
Raildo, Thanks for putting the blog, i really liked it as it helps to understand how hmt works. I am interested to know more about how hmt can be exploited for other OpenStack projects... Esp cinder, manila On Dec 23, 2014 5:55 AM, Morgan Fainberg morgan.fainb...@gmail.com wrote: Hi Raildo, Thanks for putting this post together. I really appreciate all the work you guys have done (and continue to do) to get the Hierarchical Mulittenancy code into Keystone. It’s great to have the base implementation merged into Keystone for the K1 milestone. I look forward to seeing the rest of the development land during the rest of this cycle and what the other OpenStack projects build around the HMT functionality. Cheers, Morgan On Dec 22, 2014, at 1:49 PM, Raildo Mascena rail...@gmail.com wrote: Hello folks, My team and I developed the Hierarchical Multitenancy concept for Keystone in Kilo-1 but What is Hierarchical Multitenancy? What have we implemented? What are the next steps for kilo? To answers these questions, I created a blog post *http://raildo.me/hierarchical-multitenancy-in-openstack/ http://raildo.me/hierarchical-multitenancy-in-openstack/* Any question, I'm available. -- Raildo Mascena Software Engineer. Bachelor of Computer Science. Distributed Systems Laboratory Federal University of Campina Grande Campina Grande, PB - Brazil ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Hierarchical Multitenancy
It would be great if we can get approval for the Hierachical Quota handling in Nova too (https://review.openstack.org/#/c/129420/). Tim From: Morgan Fainberg [mailto:morgan.fainb...@gmail.com] Sent: 23 December 2014 01:22 To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] Hierarchical Multitenancy Hi Raildo, Thanks for putting this post together. I really appreciate all the work you guys have done (and continue to do) to get the Hierarchical Mulittenancy code into Keystone. It’s great to have the base implementation merged into Keystone for the K1 milestone. I look forward to seeing the rest of the development land during the rest of this cycle and what the other OpenStack projects build around the HMT functionality. Cheers, Morgan On Dec 22, 2014, at 1:49 PM, Raildo Mascena rail...@gmail.commailto:rail...@gmail.com wrote: Hello folks, My team and I developed the Hierarchical Multitenancy concept for Keystone in Kilo-1 but What is Hierarchical Multitenancy? What have we implemented? What are the next steps for kilo? To answers these questions, I created a blog post http://raildo.me/hierarchical-multitenancy-in-openstack/ Any question, I'm available. -- Raildo Mascena Software Engineer. Bachelor of Computer Science. Distributed Systems Laboratory Federal University of Campina Grande Campina Grande, PB - Brazil ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.orgmailto:OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Hierarchical Multitenancy
On Dec 23, 2014 12:26 AM, Tim Bell tim.b...@cern.ch wrote: It would be great if we can get approval for the Hierachical Quota handling in Nova too (https://review.openstack.org/#/c/129420/). Nova's spec deadline has passed, but I think this is a good candidate for an exception. We will announce the process for asking for a formal spec exception shortly after new years. Tim From: Morgan Fainberg [mailto:morgan.fainb...@gmail.com] Sent: 23 December 2014 01:22 To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] Hierarchical Multitenancy Hi Raildo, Thanks for putting this post together. I really appreciate all the work you guys have done (and continue to do) to get the Hierarchical Mulittenancy code into Keystone. It’s great to have the base implementation merged into Keystone for the K1 milestone. I look forward to seeing the rest of the development land during the rest of this cycle and what the other OpenStack projects build around the HMT functionality. Cheers, Morgan On Dec 22, 2014, at 1:49 PM, Raildo Mascena rail...@gmail.com wrote: Hello folks, My team and I developed the Hierarchical Multitenancy concept for Keystone in Kilo-1 but What is Hierarchical Multitenancy? What have we implemented? What are the next steps for kilo? To answers these questions, I created a blog post http://raildo.me/hierarchical-multitenancy-in-openstack/ Any question, I'm available. -- Raildo Mascena Software Engineer. Bachelor of Computer Science. Distributed Systems Laboratory Federal University of Campina Grande Campina Grande, PB - Brazil ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Hierarchical Multitenancy
Joe, Thanks… there seems to be good agreement on the spec and the matching implementation is well advanced with BARC so the risk is not too high. Launching HMT with quota in Nova in the same release cycle would also provide a more complete end user experience. For CERN, this functionality is very interesting as it allows the central cloud providers to delegate the allocation of quotas to the LHC experiments. Thus, from a central perspective, we are able to allocate N thousand cores to an experiment and delegate their resource co-ordinator to prioritise the work within the experiment. Currently, we have many manual helpdesk tickets with significant latency to adjust the quotas. Tim From: Joe Gordon [mailto:joe.gord...@gmail.com] Sent: 23 December 2014 17:35 To: OpenStack Development Mailing List Subject: Re: [openstack-dev] Hierarchical Multitenancy On Dec 23, 2014 12:26 AM, Tim Bell tim.b...@cern.chmailto:tim.b...@cern.ch wrote: It would be great if we can get approval for the Hierachical Quota handling in Nova too (https://review.openstack.org/#/c/129420/). Nova's spec deadline has passed, but I think this is a good candidate for an exception. We will announce the process for asking for a formal spec exception shortly after new years. Tim From: Morgan Fainberg [mailto:morgan.fainb...@gmail.commailto:morgan.fainb...@gmail.com] Sent: 23 December 2014 01:22 To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] Hierarchical Multitenancy Hi Raildo, Thanks for putting this post together. I really appreciate all the work you guys have done (and continue to do) to get the Hierarchical Mulittenancy code into Keystone. It’s great to have the base implementation merged into Keystone for the K1 milestone. I look forward to seeing the rest of the development land during the rest of this cycle and what the other OpenStack projects build around the HMT functionality. Cheers, Morgan On Dec 22, 2014, at 1:49 PM, Raildo Mascena rail...@gmail.commailto:rail...@gmail.com wrote: Hello folks, My team and I developed the Hierarchical Multitenancy concept for Keystone in Kilo-1 but What is Hierarchical Multitenancy? What have we implemented? What are the next steps for kilo? To answers these questions, I created a blog post http://raildo.me/hierarchical-multitenancy-in-openstack/ Any question, I'm available. -- Raildo Mascena Software Engineer. Bachelor of Computer Science. Distributed Systems Laboratory Federal University of Campina Grande Campina Grande, PB - Brazil ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.orgmailto:OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.orgmailto:OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Hierarchical Multitenancy
+1 to Nova support for this getting in to Kilo. We have a similar use case. I’d really like to doll out quota on a department level, and let individual departments manage sub projects and quotas on their own. I agree that HMT has limited value without Nova support. Thanks! Mike From: Tim Bell tim.b...@cern.chmailto:tim.b...@cern.ch Reply-To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.orgmailto:openstack-dev@lists.openstack.org Date: Tuesday, December 23, 2014 at 11:01 AM To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.orgmailto:openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] Hierarchical Multitenancy Joe, Thanks… there seems to be good agreement on the spec and the matching implementation is well advanced with BARC so the risk is not too high. Launching HMT with quota in Nova in the same release cycle would also provide a more complete end user experience. For CERN, this functionality is very interesting as it allows the central cloud providers to delegate the allocation of quotas to the LHC experiments. Thus, from a central perspective, we are able to allocate N thousand cores to an experiment and delegate their resource co-ordinator to prioritise the work within the experiment. Currently, we have many manual helpdesk tickets with significant latency to adjust the quotas. Tim From: Joe Gordon [mailto:joe.gord...@gmail.com] Sent: 23 December 2014 17:35 To: OpenStack Development Mailing List Subject: Re: [openstack-dev] Hierarchical Multitenancy On Dec 23, 2014 12:26 AM, Tim Bell tim.b...@cern.chmailto:tim.b...@cern.ch wrote: It would be great if we can get approval for the Hierachical Quota handling in Nova too (https://review.openstack.org/#/c/129420/). Nova's spec deadline has passed, but I think this is a good candidate for an exception. We will announce the process for asking for a formal spec exception shortly after new years. Tim From: Morgan Fainberg [mailto:morgan.fainb...@gmail.commailto:morgan.fainb...@gmail.com] Sent: 23 December 2014 01:22 To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] Hierarchical Multitenancy Hi Raildo, Thanks for putting this post together. I really appreciate all the work you guys have done (and continue to do) to get the Hierarchical Mulittenancy code into Keystone. It’s great to have the base implementation merged into Keystone for the K1 milestone. I look forward to seeing the rest of the development land during the rest of this cycle and what the other OpenStack projects build around the HMT functionality. Cheers, Morgan On Dec 22, 2014, at 1:49 PM, Raildo Mascena rail...@gmail.commailto:rail...@gmail.com wrote: Hello folks, My team and I developed the Hierarchical Multitenancy concept for Keystone in Kilo-1 but What is Hierarchical Multitenancy? What have we implemented? What are the next steps for kilo? To answers these questions, I created a blog post http://raildo.me/hierarchical-multitenancy-in-openstack/ Any question, I'm available. -- Raildo Mascena Software Engineer. Bachelor of Computer Science. Distributed Systems Laboratory Federal University of Campina Grande Campina Grande, PB - Brazil ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.orgmailto:OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.orgmailto:OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Hierarchical Multitenancy
On Dec 23, 2014, at 5:10 PM, Michael Dorman mdor...@godaddy.com wrote: +1 to Nova support for this getting in to Kilo. We have a similar use case. I’d really like to doll out quota on a department level, and let individual departments manage sub projects and quotas on their own. I agree that HMT has limited value without Nova support. +1, same for the use case. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] Hierarchical Multitenancy
Hello folks, My team and I developed the Hierarchical Multitenancy concept for Keystone in Kilo-1 but What is Hierarchical Multitenancy? What have we implemented? What are the next steps for kilo? To answers these questions, I created a blog post *http://raildo.me/hierarchical-multitenancy-in-openstack/ http://raildo.me/hierarchical-multitenancy-in-openstack/* Any question, I'm available. -- Raildo Mascena Software Engineer. Bachelor of Computer Science. Distributed Systems Laboratory Federal University of Campina Grande Campina Grande, PB - Brazil ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Hierarchical Multitenancy
Hi Raildo, Thanks for putting this post together. I really appreciate all the work you guys have done (and continue to do) to get the Hierarchical Mulittenancy code into Keystone. It’s great to have the base implementation merged into Keystone for the K1 milestone. I look forward to seeing the rest of the development land during the rest of this cycle and what the other OpenStack projects build around the HMT functionality. Cheers, Morgan On Dec 22, 2014, at 1:49 PM, Raildo Mascena rail...@gmail.com wrote: Hello folks, My team and I developed the Hierarchical Multitenancy concept for Keystone in Kilo-1 but What is Hierarchical Multitenancy? What have we implemented? What are the next steps for kilo? To answers these questions, I created a blog post http://raildo.me/hierarchical-multitenancy-in-openstack/ http://raildo.me/hierarchical-multitenancy-in-openstack/ Any question, I'm available. -- Raildo Mascena Software Engineer. Bachelor of Computer Science. Distributed Systems Laboratory Federal University of Campina Grande Campina Grande, PB - Brazil ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] Hierarchical Multitenancy and resource ownership
I see a lot of good things happening on the hierarchical multi tenancy proposal that Vish made a while back. However, the focus so far is on roles and quota but could not find any discussion related to resource ownership. Is the plan to allow the creation of resources within any level of the hierarchy or is the plan to allow the visibility of the resources up to a level in the hierarchy ? or both ? For example, if I have : - orga.vpca.projecta - orga.vpca.projectb and I want to share a resource like a network between projecta and projectb, should the network be owned by vpca or should it be owned by projecta or projectb, or a vpca.admin project and then shared to all children of vpca ? I think either would work, and both maybe required. Opinions ? JC ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Hierarchical Multitenancy and resource ownership
On Feb 18, 2014, at 11:31 AM, Martin, JC jch.mar...@gmail.com wrote: I see a lot of good things happening on the hierarchical multi tenancy proposal that Vish made a while back. However, the focus so far is on roles and quota but could not find any discussion related to resource ownership. Is the plan to allow the creation of resources within any level of the hierarchy or is the plan to allow the visibility of the resources up to a level in the hierarchy ? or both ? For example, if I have : - orga.vpca.projecta - orga.vpca.projectb and I want to share a resource like a network between projecta and projectb, should the network be owned by vpca or should it be owned by projecta or projectb, or a vpca.admin project and then shared to all children of vpca ? I think either would work, and both maybe required. Opinions ? We haven’t discussed inheriting ownership of objects but at first glance it seems confusing: how would one determine if an object in vcpa is “shared” and visible to projects below, and if it is how far down the hierarchy would it be visible? It is probably best to keep this explicit for the moment. I’ve been thinking of sharing as objects that appear at multiple places in the hierarchy. This could be a list of “owners” or “shares”, but I think it would support either of your options. My initial thoughts would be to just put the network resource in orga.vcpa and then share it to the projects. This of course gets a little tedious when other projects are added later, but it avoids the complications i mentioned above. Vish JC ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev signature.asc Description: Message signed with OpenPGP using GPGMail ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Hierarchical Multitenancy and resource ownership
Vish, See comments below. JC On Feb 18, 2014, at 12:19 PM, Vishvananda Ishaya vishvana...@gmail.com wrote: On Feb 18, 2014, at 11:31 AM, Martin, JC jch.mar...@gmail.com wrote: I see a lot of good things happening on the hierarchical multi tenancy proposal that Vish made a while back. However, the focus so far is on roles and quota but could not find any discussion related to resource ownership. Is the plan to allow the creation of resources within any level of the hierarchy or is the plan to allow the visibility of the resources up to a level in the hierarchy ? or both ? For example, if I have : - orga.vpca.projecta - orga.vpca.projectb and I want to share a resource like a network between projecta and projectb, should the network be owned by vpca or should it be owned by projecta or projectb, or a vpca.admin project and then shared to all children of vpca ? I think either would work, and both maybe required. Opinions ? We haven’t discussed inheriting ownership of objects but at first glance it seems confusing: how would one determine if an object in vcpa is “shared” and visible to projects below, and if it is how far down the hierarchy would it be visible? It is probably best to keep this explicit for the moment. I’ve been thinking of sharing as objects that appear at multiple places in the hierarchy. This could be a list of “owners” or “shares”, but I think it would support either of your options. My initial thoughts would be to just put the network resource in orga.vcpa and then share it to the projects. This of course gets a little tedious when other projects are added later, but it avoids the complications i mentioned above. The way it would work is that when one is, for example, is creating a network with a 'shared' semantic (in a leaf project for example), the call would have to be extended with a scope (for backward compatibility, no scope would mean all/domain). e.g. neutron net-create --shared:orga.vpca vpca-shared-net instead of just neutron net-create --shared orga-shared-net another option is to implement the same policy mechanism that AWS has to allow the definition of scope based on rules. see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html JC ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev