Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-05-09 Thread Raildo Mascena
Hello Vish, The implementation was done that way because it would facilitating compatibility of hierarchical projects with Keystone, for example to get a token, I would have to change the whole implementation to get the inherited roles, or for example to list roles, among other features, for

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-05-06 Thread Vishvananda Ishaya
This is a bit different from how I would have expected it to work. It appears that you are adding the role assignment when the project is created. IMO the role should be added to the list when the roles are checked. In other words, when getting the list of roles for a user/project, it walks up

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-04-14 Thread Raildo Mascena
Hi all, As I had promised, here is the repository of Telles Nobrega ( https://github.com/tellesnobrega/keystone/tree/multitenancy) updated now with inherited roles working with hierarchical projects. How ​does ​it work​​? ​I​nherited roles operate in the following way: - It should be added​ a

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-03-17 Thread Telles Nobrega
That is good news, I can have both information sent to nova really easy. I just need to add a field into the token, or more than one if needed. RIght now I send Ids, it could names just as easily and we can add a new field so we can have both information sent. I'm not sure which is the best option

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-03-16 Thread Jay Pipes
On Fri, 2014-03-14 at 13:43 -0700, Vishvananda Ishaya wrote: Awesome, this is exactly what I was thinking. I think this is really close to being usable on the nova side. First of all the dot.sperated.form looks better imo, and I think my code should still work that way as well. The other piece

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-02-20 Thread John Dennis
On 02/19/2014 08:58 PM, Adam Young wrote: Can you give more detail here? I can see arguments for both ways of doing this but continuing to use ids for ownership is an easier choice. Here is my thinking: 1. all of the projects use ids for ownership currently so it is a smaller change That

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-02-14 Thread Vishvananda Ishaya
Hi Vinod! I think you can simplify the roles in the hierarchical model by only passing the roles for the authenticated project and above. All roles are then inherited down. This means it isn’t necessary to pass a scope along with each role. The scope is just passed once with the token and the

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-02-13 Thread Vinod Kumar Boppanna
Dear All, At the meeting last week we (myself and Ulrich) have been assigned the task of doing POC for Quota Management in the Hierarchical Multitenancy setup. So, here it is: Wiki Page - https://wiki.openstack.org/wiki/POC_for_QuotaManagement (explained here an example setup and my

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-02-05 Thread Vishvananda Ishaya
On Feb 5, 2014, at 6:54 AM, Florent Flament florent.flament-...@cloudwatt.com wrote: Vish: I agree that having roles associated with projects may complicate policy rules (although we may find ways to simplify the syntax?). It may be a sound choice to stick to a single scope for a given

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-30 Thread Henry Nash
Vish, Excellent idea to discuss this more widely. To your point about domains not being well understood and that most policy files being just admin or not, the exception here is, of course, keystone itself - where we can use domains to support enable various levels of cloud/domain project

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-30 Thread Soren Hansen
2100 UTC is 1 PM Pacific. :-) Den 29/01/2014 17.01 skrev Vishvananda Ishaya vishvana...@gmail.com: I apologize for the confusion. The Wiki time of 2100 UTC is the correct time (Noon Pacific time). We can move tne next meeting to a different day/time that is more convienient for Europe. Vish

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-30 Thread Vishvananda Ishaya
Thanks Soren, you are correct! Yay Timezones Vish On Jan 30, 2014, at 10:39 AM, Soren Hansen so...@linux2go.dk wrote: 2100 UTC is 1 PM Pacific. :-) Den 29/01/2014 17.01 skrev Vishvananda Ishaya vishvana...@gmail.com: I apologize for the confusion. The Wiki time of 2100 UTC is the correct

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-30 Thread David Stanek
That's why I love this site: http://www.timeanddate.com/worldclock/fixedtime.html?iso=20140130T2100 On Thu, Jan 30, 2014 at 1:46 PM, Vishvananda Ishaya vishvana...@gmail.comwrote: Thanks Soren, you are correct! Yay Timezones Vish On Jan 30, 2014, at 10:39 AM, Soren Hansen so...@linux2go.dk

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Florent Flament
Hi Vishvananda, I would be interested in such a working group. Can you please confirm the meeting hour for this Friday ? I've seen 1600 UTC in your email and 2100 UTC in the wiki ( https://wiki.openstack.org/wiki/Meetings#Hierarchical_Multitenancy_Meeting ). As I'm in Europe I'd prefer 1600

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Ulrich Schwickerath
Hi, I'm working with Vinod. We'd like to join as well. Same issue on our side: 16:00 UTC is better for us. Ulrich and Vinod On 29.01.2014 10:56, Florent Flament wrote: Hi Vishvananda, I would be interested in such a working group. Can you please confirm the meeting hour for this Friday ?

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Telles Nobrega
Hi, I'm also working with multitenancy and I would like to join this working group. Telles Nóbrega On Wed, Jan 29, 2014 at 9:14 AM, Ulrich Schwickerath ulrich.schwicker...@cern.ch wrote: Hi, I'm working with Vinod. We'd like to join as well. Same issue on our side: 16:00 UTC is better

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Vishvananda Ishaya
I apologize for the confusion. The Wiki time of 2100 UTC is the correct time (Noon Pacific time). We can move tne next meeting to a different day/time that is more convienient for Europe. Vish On Jan 29, 2014, at 1:56 AM, Florent Flament florent.flament-...@cloudwatt.com wrote: Hi

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Vishvananda Ishaya
For those of you in Europe, I would appreciate your attendance at 2100 UTC if you can make it. I know this is a bad time for you, so I will also jump in #openstack-meeting-alt on Friday at 1600 UTC. We can have an impromptu discussion there so I can incorporate your knowledge and feedback into

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread demontie
Hi, I'm working with multitenancy and I also wanna join this working group, but I'm not sure whether I can attend the meeting this Friday. Demontiê Santos Em 2014-01-29 12:59, Vishvananda Ishaya escreveu: I apologize for the confusion. The Wiki time of 2100 UTC is the correct time (Noon

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Dolph Mathews
CC'd Adam Young Several of us were very much in favor of this around the Folsom release, but we settled on domains as a solution to the most immediate use case (isolation between flat collections of tenants, without impacting the rest of openstack). I don't think it has been discussed much in the

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-28 Thread Chmouel Boudjnah
On Tue, Jan 28, 2014 at 7:35 PM, Vishvananda Ishaya vishvana...@gmail.comwrote: The key use case here is to delegate administration rights for a group of tenants to a specific user/role. There is something in Keystone called a domain which supports part of this functionality, but without