Hi, all!

I have been looking at the bug
https://bugs.launchpad.net/neutron/+bug/1338885 and it turned out that it
is relevant not only for firewall rules but for all resources that take
tenant-id for create and update.

I need a piece of advice on a preferable way of solving the problem.

First of all, there may be two situations:

1. Neutron using Keystone

2. Neutron working without it

In the second case there is obviously nothing to be done.

But when Neutron uses Keystone, tenant-id should be checked against
existing keystone tenants. I can think of 2 ways of doing this. This may be
done either by calling the keystone client directly from neutron while
preparing the request body [1] or by moving the check to keystone middleware.
In any case, such a check will be performed during each create or update
operation, preventing admin from providing non-existent tenants. For now I
think that calling the keystone client from Neutron code is not the best idea
and prefer the second option. I would really appreciate recommendations about
the best way of making the check.

It still leaves the situation when an existing tenant is deleted from
keystone and its resources are left orphaned, but it is being dealt with by
[2].

Thanks,

Elena


[1]
https://github.com/openstack/neutron/blob/master/neutron/api/v2/base.py#L545

[2] https://blueprints.launchpad.net/neutron/+spec/tenant-delete
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
