Hi, all!

I have been looking at the bug
https://bugs.launchpad.net/neutron/+bug/1338885 and it turned out that it
is relevant not only for firewall rules but for all resources that take
tenant-is for create and update.

I need a piece of advice on a preferable way of solving the problem.

First of all, there may be two situations:

1. Neutron using Keystone

2. Neutron working without it

In the second case there is obviously nothing to be done.

But when Neutron uses Keystone, tenant-id should be checked against
existing keystone tenants. I can think of 2 ways of doing this. This may be
done either by calling keystone client directly from neutron while
preparing request body [1] or move the check to keystone middleware. In any
case, such check will be performed during each create or update operation
preventing admin from providing non-existent tenants. For now I think that
calling the keystone client from Neutron code is not the best idea and
prefer the second option. I would really appreciate recommendations about
the best way of making the check.

It still leaves the situation when an existing tenant is deleted from
keystone and its resources are left orphaned, but it is being dealt with by




[2] https://blueprints.launchpad.net/neutron/+spec/tenant-delete
OpenStack-dev mailing list

Reply via email to