Remove the tenant-id from the URI

Registered by John Wood

OpenStack projects appear to be moving away from requiring a tenant-id in the URI, as this is redundant information when Keystone authentication is used. This blueprint calls for removing the tenant-id for all Barbican service calls.

In addition, all internal references to 'tenant-id' or 'keystone-id' should be removed at this time, in favor of 'project-id'.

Reconsider the current use of two Python REST verb handler classes per each REST URI/resource.

Blueprint information

Douglas Mendizábal
John Wood
Venkat Sundaram
Series goal:
Accepted for juno
Milestone target:
milestone icon juno-3
Started by
Douglas Mendizábal
Completed by
Douglas Mendizábal

Related branches



I think it is wider scope topic, we need to map our API with Keystone and we should consider Domain and projects etcs.
May be it is time to have new API version

atiwari - Working on API proposal for removing tenant_id from URI and adding support for secret owner. So that user level secret isolation can be defined

Current (v1) barbican APIs URIs has tight binding with tenant_id (context). This need to be removed so that context (mostly tenant) has to be removed from URI path.

Context (tenant_id and user_id) information can be mostly derived from the incoming token. In some cases we can not rely on context from token (e.g. admin is creating secrets on behalf of users), there should be provision for extra header in the API to establish a context in such cases. (X-Owner-Id and X-Project-Id)

Comment by jarret-raim on 2014-04-24 13:15 -0500:

I don't think there is any objection to removing the tenant id, so I don't see a need for a session on this topic? Any side discussions can probably happen at our table.

Let me know if you don't agree!

Gerrit topic:,topic:api-remove-uri-tenant-id,n,z

Addressed by:
    remove tenant-id from resource URIs


Work Items

This blueprint contains Public information 
Everyone can see this information.