Create multi-attribute based endpoint groups for projects and user assignments

Registered by Fabio Giannetti on 2013-11-12

The Multi-Attribute Endpoint Grouping proposal allows endpoints to be grouped according to one or more characteristics. For instance, endpoints can be located in different regions, so it can be beneficial to group them by that attribute. At the same time, some endpoints are administrative in nature and should be used by admins only, regardless of their geographical location. Using this proposal it would be possible to create USAdmin, EuropeAdmin and AsiaAdmin groups that include all the endpoints with the above-mentioned characteristics.

Blueprint information

Status: Complete
Approver: None
Priority: Medium
Drafter: Fabio Giannetti
Direction: Needs approval
Assignee: Bob Thyne
Definition: New
Series goal: Accepted for juno
Implementation: Implemented
Milestone target: 2014.2
Started by: Steve Martinelli on 2014-08-26
Completed by: Dolph Mathews on 2014-09-03

Whiteboard

Addressed by: https://review.openstack.org/#/c/102023/ (spec, merged)

Addressed by: https://review.openstack.org/#/c/106292/ (api, merged)

Addressed by: https://review.openstack.org/#/c/111949/
    implements bp multi-attribute-endpoint-grouping

The introduction of a Multi-Attribute Grouping for Services' Endpoints brings several benefits:

1) Endpoints now have a semantic association that distinguishes them from other endpoints by the role they play (e.g. Administration, Computing, RegionA, etc.).

2) Endpoints can belong to several groups. This increases the granularity with which endpoints are made visible to different users and reduces the number of explicit relationships. For instance, certain endpoints should be visible to storage service users, but only in the region where they are located. It is now possible to create a Storage group and RegionA, RegionB and RegionC groups, and associate the relevant endpoints with both. To enforce that User1 in RegionB sees only the Storage endpoints, the query will use the two attributes to find the relevant endpoints in the compound group.

3) Projects, and users within a project, can now be associated with Endpoint-Groups, so that users are granted use of only the resources assigned to them.

*** CRUD for Endpoint-Groups

1. Create Endpoint-Group data

POST /endpoint-groups/

The payload of the request will have the following JSON structure:

{ endpoint-group: {
           name : <name>,
           description : <description>,
           filters : {
                 <attr_1> : <value_1>,
                 ...
                 <attr_N> : <value_N>
           }
          }
}

2. Read Endpoint-Group data

GET /endpoint-groups/<endpoint-group-id>

This will return the following JSON in the response body

{ endpoint-group: {
           id : <id>,
           name : <name>,
           description : <description>,
           filters : {
                 <attr_1> : <value_1>,
                 ...
                 <attr_N> : <value_N>
           }
          }
}

3. Update Endpoint-Group

PATCH /endpoint-groups/<endpoint-group-id>

The payload of the request will have the following JSON structure:

{ endpoint-group: {
           id : <id>,
           name : <name>,
           description : <description>,
           filters : {
                 <attr_1> : <value_1>,
                 ...
                 <attr_N> : <value_N>
           }
          }
}

4. Delete Endpoint-Group

DELETE /endpoint-groups/<endpoint-group-id>

*** List all the existing Endpoint-Groups

This API will return all the existing groups.

GET /endpoint-groups

This will return the following JSON in the response body

{ endpoint-groups: [
    { endpoint-group: {
           id : <id>,
           name : <name>,
           description : <description>,
           filters : {
                 <attr_1> : <value_1>,
                 ...
                 <attr_N> : <value_N>
                }
           }
    },
    ...
    { endpoint-group: {
           id : <id>,
           name : <name>,
           description : <description>,
           filters : {
                 <attr_1> : <value_1>,
                 ...
                 <attr_N> : <value_N>
                }
           }
    }
  ]
}

*** Projects to Endpoint-Group associations API

1. Create the association between project and Endpoint-Group
PUT /projects/<project_id>/endpoint-groups/<endpoint-group-id>

2. Check to see if the project is associated with the given Endpoint-Group
HEAD /projects/<project_id>/endpoint-groups/<endpoint-group-id>

3. List all the Endpoint-Groups associated with a project
GET /projects/<project_id>/endpoint-groups

4. Remove an association between Endpoint-Group and project.
DELETE /projects/<project_id>/endpoint-groups/<endpoint-group-id>

*** Create Endpoint-Group Grant to User on Project APIs

1. Create Endpoint-Group Grant to User on Project
PUT /projects/<project_id>/endpoint-groups/<endpoint-group-id>/users/<user-id>

2. Check Endpoint-Group Grant to User on Project
HEAD /projects/<project_id>/endpoint-groups/<endpoint-group-id>/users/<user-id>

3. List all the Endpoint-Groups granted to a user on a project
GET /projects/<project_id>/endpoint-groups/users/<user-id>

4. Remove an Endpoint-Group grant from a user on a project
DELETE /projects/<project_id>/endpoint-groups/<endpoint-group-id>/users/<user-id>

*** List all the Endpoints associated with an Endpoint-Group

This will return a list of endpoints that are associated with a particular Endpoint-Group. This means that the endpoints match all the attribute values (and relationships) that are expressed in the Endpoint-Group's filters.

GET /endpoint-groups/<endpoint-group-id>/endpoints
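
The matching rule above and the user grants on a project can be worked through as follows. This is an added example, not code from the blueprint or from Keystone; the attribute names (service, region, interface), the allowed-attribute set, the rejection of empty filters and the sample data are all assumptions made for illustration.

```python
# Added example, not Keystone code. Attribute names and sample data are constructed.
ENDPOINTS = [
    {"id": "e1", "service": "storage", "region": "RegionA", "interface": "public"},
    {"id": "e2", "service": "storage", "region": "RegionB", "interface": "public"},
    {"id": "e3", "service": "compute", "region": "RegionB", "interface": "public"},
    {"id": "e4", "service": "storage", "region": "RegionB", "interface": "admin"},
    {"id": "e5", "service": "identity", "interface": "admin"},  # no region attribute
]
ALLOWED_FILTER_KEYS = {"service", "region", "interface"}  # assumed attribute set

# group id -> filters, as in the "filters" member of an endpoint-group payload
GROUPS = {
    "storage-b": {"service": "storage", "region": "RegionB", "interface": "public"},
    "admin-b": {"region": "RegionB", "interface": "admin"},
}
# (project_id, user_id) -> ids of endpoint groups granted to that user on the project
USER_GRANTS = {
    ("p1", "user1"): {"storage-b"},
    ("p1", "admin1"): {"storage-b", "admin-b"},
}


def validate_filters(filters):
    """Reject filters that would match more than the group's author intended."""
    if not isinstance(filters, dict) or not filters:
        # all() over an empty dict is True: empty filters would match every endpoint.
        raise ValueError("filters must be a non-empty mapping")
    unknown = set(filters) - ALLOWED_FILTER_KEYS
    if unknown:
        raise ValueError(f"unknown filter attributes: {sorted(unknown)}")
    return filters


def endpoint_matches(endpoint, filters):
    """True only if the endpoint carries every filter attribute with an equal value."""
    return all(k in endpoint and endpoint[k] == v for k, v in filters.items())


def endpoints_in_group(group_id):
    """Ids of the endpoints that satisfy all of the group's filters."""
    filters = validate_filters(GROUPS[group_id])
    return [e["id"] for e in ENDPOINTS if endpoint_matches(e, filters)]


def endpoints_for_user(project_id, user_id):
    """Union over granted groups; no grant means an empty list (deny by default)."""
    visible = set()
    for group_id in USER_GRANTS.get((project_id, user_id), ()):
        visible.update(endpoints_in_group(group_id))
    return sorted(visible)
```

An endpoint that lacks a filtered attribute (e5 has no region) is treated as a non-match rather than a wildcard, so incomplete endpoint records cannot widen a group.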

*** List all the Projects associated with an Endpoint-Group

This will return a list of projects that are associated with a particular Endpoint-Group. This means that the projects have been specifically linked to this Endpoint-Group.

GET /endpoint-groups/<endpoint-group-id>/projects

Gerrit topic: https://review.openstack.org/#q,topic:bp/endpoint-grouping,n,z

Addressed by: https://review.openstack.org/111949
    Implementation of Endpoint Grouping
