CC'd Adam Young

Several of us were very much in favor of this around the Folsom release, but we settled on domains as a solution to the most immediate use case (isolation between flat collections of tenants, without impacting the rest of openstack). I don't think it has been discussed much in the keystone community since, but it's still a concept that I'm very much interested in, as it's much more powerful than domains when it comes to issues like granular delegation.

On Tue, Jan 28, 2014 at 12:35 PM, Vishvananda Ishaya <[email protected]> wrote:

> Hi Everyone,
>
> I apologize for the obtuse title, but there isn't a better succinct term to describe what is needed. OpenStack has no support for multiple owners of objects. This means that a variety of private cloud use cases are simply not supported. Specifically, objects in the system can only be managed on the tenant level or globally.
>
> The key use case here is to delegate administration rights for a group of tenants to a specific user/role. There is something in Keystone called a “domain” which supports part of this functionality, but without support from all of the projects, this concept is pretty useless.
>
> In IRC today I had a brief discussion about how we could address this. I have put some details and a straw man up here:
>
> https://wiki.openstack.org/wiki/HierarchicalMultitenancy
>
> I would like to discuss this strawman and organize a group of people to get actual work done by having an irc meeting this Friday at 1600UTC. I know this time is probably a bit tough for Europe, so if we decide we need a regular meeting to discuss progress then we can vote on a better time for this meeting.
>
> https://wiki.openstack.org/wiki/Meetings#Hierarchical_Multitenancy_Meeting
>
> Please note that this is going to be an active team that produces code. We will *NOT* spend a lot of time debating approaches, and instead focus on making something that works and learning as we go. The output of this team will be a MultiTenant devstack install that actually works, so that we can ensure the features we are adding to each project work together.
>
> Vish
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
