Vish, See comments below.

JC

On Feb 18, 2014, at 12:19 PM, Vishvananda Ishaya <[email protected]> wrote:

> On Feb 18, 2014, at 11:31 AM, Martin, JC <[email protected]> wrote:
>
>> I see a lot of good things happening on the hierarchical multi tenancy
>> proposal that Vish made a while back.
>>
>> However, the focus so far is on roles and quota but could not find any
>> discussion related to resource ownership.
>>
>> Is the plan to allow the creation of resources within any level of the
>> hierarchy or is the plan to allow the visibility of the resources up to a
>> level in the hierarchy? Or both?
>>
>> For example, if I have:
>> - orga.vpca.projecta
>> - orga.vpca.projectb
>>
>> and I want to share a resource like a network between projecta and projectb,
>> should the network be owned by vpca or should it be owned by projecta or
>> projectb, or a vpca.admin project and then shared to all children of vpca?
>>
>> I think either would work, and both may be required.
>>
>> Opinions?
>
> We haven’t discussed inheriting ownership of objects but at first glance it
> seems confusing: how would one determine if an object in vpca is “shared” and
> visible to projects below, and if it is how far down the hierarchy would it
> be visible? It is probably best to keep this explicit for the moment.
>
> I’ve been thinking of sharing as objects that appear at multiple places in
> the hierarchy. This could be a list of “owners” or “shares”, but I think it
> would support either of your options. My initial thoughts would be to just
> put the network resource in orga.vpca and then share it to the projects. This
> of course gets a little tedious when other projects are added later, but it
> avoids the complications I mentioned above.

The way it would work is that when one is, for example, creating a network with a
'shared' semantic (in a leaf project for example), the call would have to be extended
with a scope (for backward compatibility, no scope would mean all/domain). e.g.

    neutron net-create --shared:orga.vpca vpca-shared-net

instead of just

    neutron net-create --shared orga-shared-net

Another option is to implement the same policy mechanism that AWS has to allow the
definition of scope based on rules. See
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html

JC
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
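The two sharing styles debated in this thread, scope-based (`--shared:orga.vpca`, visible to every project at or below the scope) and explicit per-project shares (Vish's "list of shares"), as an added worked example that is not code from the thread, from Neutron or from OpenStack. The Catalog class, the network names and the rule that the creating project must itself sit inside the scope it shares to are assumptions made for this example; a plain `--shared` with no scope keeps its legacy meaning of visible to the whole domain.

```python
"""Added example, not code from the OpenStack-dev thread or from Neutron.

Projects are named with dotted paths (orga.vpca.projecta). A network is
visible to a project when the project owns it, was explicitly shared it,
or sits at or below the network's share scope.
"""
from dataclasses import dataclass, field
from typing import Optional

DOMAIN = "orga"  # constructed sample domain for the example


def within_scope(project: str, scope: str) -> bool:
    """True when project is scope itself or any descendant of it.

    The trailing dot matters: orga.vpcab is not inside orga.vpca.
    """
    return project == scope or project.startswith(scope + ".")


@dataclass
class Network:
    name: str
    owner: str                          # project that issued net-create
    shared: bool = False
    share_scope: Optional[str] = None   # None with shared=True: legacy domain-wide share
    shares: set = field(default_factory=set)  # explicit per-project shares


class Catalog:
    """In-memory stand-in for a network catalogue (assumption for the example)."""

    def __init__(self) -> None:
        self._nets: dict[str, Network] = {}

    def net_create(self, caller: str, name: str, shared: bool = False,
                   share_scope: Optional[str] = None) -> Network:
        if share_scope is not None and not shared:
            raise ValueError("share scope given without --shared")
        # Assumed rule: a scope may only widen visibility up the caller's own
        # branch, so a leaf project cannot publish into an unrelated subtree.
        if share_scope is not None and not within_scope(caller, share_scope):
            raise PermissionError(f"{caller} is not inside share scope {share_scope}")
        if name in self._nets:
            raise ValueError(f"network {name} already exists")
        net = Network(name=name, owner=caller, shared=shared, share_scope=share_scope)
        self._nets[name] = net
        return net

    def net_share(self, caller: str, name: str, project: str) -> None:
        """Explicit share: only the owner may grant, one named project at a time."""
        net = self._nets[name]
        if net.owner != caller:
            raise PermissionError(f"{caller} does not own {name}")
        net.shares.add(project)

    def can_see(self, project: str, name: str) -> bool:
        net = self._nets[name]
        if net.owner == project or project in net.shares:
            return True
        if not net.shared:
            return False
        if net.share_scope is None:          # legacy --shared: whole domain
            return within_scope(project, DOMAIN)
        return within_scope(project, net.share_scope)

    def visible_networks(self, project: str) -> list:
        return sorted(n for n in self._nets if self.can_see(project, n))


def demo() -> dict:
    """Replays the orga.vpca.projecta / projectb scenario from the thread."""
    cat = Catalog()
    # neutron net-create --shared:orga.vpca vpca-shared-net, issued from projecta
    cat.net_create("orga.vpca.projecta", "vpca-shared-net", shared=True, share_scope="orga.vpca")
    # neutron net-create --shared orga-shared-net: no scope, so domain-wide
    cat.net_create("orga.vpca.projecta", "orga-shared-net", shared=True)
    # a private network, and one explicitly shared to a single sibling project
    cat.net_create("orga.vpca.projecta", "projecta-private")
    cat.net_create("orga.vpca.projecta", "projecta-to-b")
    cat.net_share("orga.vpca.projecta", "projecta-to-b", "orga.vpca.projectb")
    return {p: cat.visible_networks(p)
            for p in ("orga.vpca.projecta", "orga.vpca.projectb", "orga.vpcb.projectc")}


if __name__ == "__main__":
    for project, nets in demo().items():
        print(f"{project}: {nets}")
```

Running it shows projectb seeing the vpca-scoped network and the one explicitly shared to it but not projecta's private network, while a project under a different VPC (orga.vpcb.projectc) sees only the legacy domain-wide share.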
