Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-05-09 Thread Raildo Mascena
Hello Vish, The implementation was done that way because it would facilitating compatibility of hierarchical projects with Keystone, for example to get a token, I would have to change the whole implementation to get the inherited roles, or for example to list roles, among other features, for

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-05-06 Thread Vishvananda Ishaya
This is a bit different from how I would have expected it to work. It appears that you are adding the role assignment when the project is created. IMO the role should be added to the list when the roles are checked. In other words, when getting the list of roles for a user/project, it walks up

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-04-14 Thread Raildo Mascena
Hi all, As I had promised, here is the repository of Telles Nobrega ( https://github.com/tellesnobrega/keystone/tree/multitenancy) updated now with inherited roles working with hierarchical projects. How ​does ​it work​​? ​I​nherited roles operate in the following way: - It should be added​ a

[openstack-dev] Hierarchicical Multitenancy Discussion

2014-03-20 Thread Vinod Kumar Boppanna
Hi, As discussed in the last meeting, i had changed the POC for Quota Management in Hierarchical Multitenancy setup. Please check the following links Twiki Page - https://wiki.openstack.org/wiki/POC_for_QuotaManagement#API_URLs Code (diff) -

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-03-17 Thread Telles Nobrega
That is good news, I can have both information sent to nova really easy. I just need to add a field into the token, or more than one if needed. RIght now I send Ids, it could names just as easily and we can add a new field so we can have both information sent. I'm not sure which is the best option

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-03-16 Thread Jay Pipes
On Fri, 2014-03-14 at 13:43 -0700, Vishvananda Ishaya wrote: Awesome, this is exactly what I was thinking. I think this is really close to being usable on the nova side. First of all the dot.sperated.form looks better imo, and I think my code should still work that way as well. The other piece

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-02-20 Thread John Dennis
On 02/19/2014 08:58 PM, Adam Young wrote: Can you give more detail here? I can see arguments for both ways of doing this but continuing to use ids for ownership is an easier choice. Here is my thinking: 1. all of the projects use ids for ownership currently so it is a smaller change That

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-02-14 Thread Vishvananda Ishaya
Hi Vinod! I think you can simplify the roles in the hierarchical model by only passing the roles for the authenticated project and above. All roles are then inherited down. This means it isn’t necessary to pass a scope along with each role. The scope is just passed once with the token and the

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-02-13 Thread Vinod Kumar Boppanna
Dear All, At the meeting last week we (myself and Ulrich) have been assigned the task of doing POC for Quota Management in the Hierarchical Multitenancy setup. So, here it is: Wiki Page - https://wiki.openstack.org/wiki/POC_for_QuotaManagement (explained here an example setup and my

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-02-05 Thread Vishvananda Ishaya
On Feb 5, 2014, at 6:54 AM, Florent Flament florent.flament-...@cloudwatt.com wrote: Vish: I agree that having roles associated with projects may complicate policy rules (although we may find ways to simplify the syntax?). It may be a sound choice to stick to a single scope for a given

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-30 Thread Henry Nash
Vish, Excellent idea to discuss this more widely. To your point about domains not being well understood and that most policy files being just admin or not, the exception here is, of course, keystone itself - where we can use domains to support enable various levels of cloud/domain project

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-30 Thread Soren Hansen
@lists.openstack.org Sent: Tuesday, January 28, 2014 7:35:15 PM Subject: [openstack-dev] Hierarchicical Multitenancy Discussion Hi Everyone, I apologize for the obtuse title, but there isn't a better succinct term to describe what is needed. OpenStack has no support for multiple owners of objects

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-30 Thread Vishvananda Ishaya
: Vishvananda Ishaya vishvana...@gmail.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Tuesday, January 28, 2014 7:35:15 PM Subject: [openstack-dev] Hierarchicical Multitenancy Discussion Hi Everyone, I apologize for the obtuse

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-30 Thread David Stanek
@lists.openstack.org Sent: Tuesday, January 28, 2014 7:35:15 PM Subject: [openstack-dev] Hierarchicical Multitenancy Discussion Hi Everyone, I apologize for the obtuse title, but there isn't a better succinct term to describe what is needed. OpenStack has no support for multiple owners

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Florent Flament
. Florent Flament - Original Message - From: Vishvananda Ishaya vishvana...@gmail.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Tuesday, January 28, 2014 7:35:15 PM Subject: [openstack-dev] Hierarchicical Multitenancy

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Ulrich Schwickerath
Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Tuesday, January 28, 2014 7:35:15 PM Subject: [openstack-dev] Hierarchicical Multitenancy Discussion Hi Everyone, I apologize for the obtuse title, but there isn't a better succinct term to describe what is needed

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Telles Nobrega
28, 2014 7:35:15 PM Subject: [openstack-dev] Hierarchicical Multitenancy Discussion Hi Everyone, I apologize for the obtuse title, but there isn't a better succinct term to describe what is needed. OpenStack has no support for multiple owners of objects. This means that a variety of private

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Vishvananda Ishaya
. Florent Flament - Original Message - From: Vishvananda Ishaya vishvana...@gmail.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Tuesday, January 28, 2014 7:35:15 PM Subject: [openstack-dev] Hierarchicical Multitenancy

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Vishvananda Ishaya
@lists.openstack.org Sent: Tuesday, January 28, 2014 7:35:15 PM Subject: [openstack-dev] Hierarchicical Multitenancy Discussion Hi Everyone, I apologize for the obtuse title, but there isn't a better succinct term to describe what is needed. OpenStack has no support for multiple owners

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread demontie
To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Tuesday, January 28, 2014 7:35:15 PM Subject: [openstack-dev] Hierarchicical Multitenancy Discussion Hi Everyone, I apologize for the obtuse title, but there isn't a better succinct term to describe

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Dolph Mathews
CC'd Adam Young Several of us were very much in favor of this around the Folsom release, but we settled on domains as a solution to the most immediate use case (isolation between flat collections of tenants, without impacting the rest of openstack). I don't think it has been discussed much in the

[openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-28 Thread Vishvananda Ishaya
Hi Everyone, I apologize for the obtuse title, but there isn't a better succinct term to describe what is needed. OpenStack has no support for multiple owners of objects. This means that a variety of private cloud use cases are simply not supported. Specifically, objects in the system can only

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-28 Thread Chmouel Boudjnah
On Tue, Jan 28, 2014 at 7:35 PM, Vishvananda Ishaya vishvana...@gmail.comwrote: The key use case here is to delegate administration rights for a group of tenants to a specific user/role. There is something in Keystone called a domain which supports part of this functionality, but without