Make Magnum multi-tenant
At present, if a user creates a bay/pod/service/rc in magnum, it is globally usable, listable, and editable. Instead the bay/pod/service/rc should be locked to one tenant or user that provides their tenant credentials to keystone.
Blueprint information
- Status: Complete
- Approver: Adrian Otto
- Priority: Essential
- Drafter: Steven Dake
- Direction: Approved
- Assignee: Guangya Liu (Jay Lau)
- Definition: Approved
- Series goal: Accepted for milestone-2
- Implementation: Implemented
- Milestone target: None
- Started by: Guangya Liu (Jay Lau)
- Completed by: Guangya Liu (Jay Lau)
Whiteboard
Steve, just want to have a sync up with you for this project. I think most of the task resides in the magnum client part, as we want to make sure the ReST request includes the tenant ID to make sure we get this tenant's related bay/pod/service/rc etc., right? Thanks! --jay-lau-513
Jay I'm not entirely sure but I don't think this will be all that complicated. I think there is no client work needed, only conductor work. I think the tenant information is available from the security context attached to the ReST api context. The basic idea is to add a tenant_id field or user_id field (not sure which is best) to every object in the database. When an object is created, the tenant id or user id is recorded. When an object is accessed, the context should be checked with the object's user id or tenant id. If they match return the object - if not return None. It may be ideal if this is introduced into the db layer - see how other projects tackle this. --sdake
Thanks Steven, my bad. I was checking nova client and thinking about whether we need to add the tenant id to the ReST request, but it seems not. Thanks. --jay-lau-513
Gerrit topic: https:/
Addressed by: https:/
Add project_id and user_id to magnum objects
Addressed by: https:/
Rest back objects for test_objects
Addressed by: https:/
Persist project_id and user_id
Addressed by: https:/
Add project_id and user_id to filter
Gerrit topic: https:/
Addressed by: https:/
Enable bay delete support multi tenant
Addressed by: https:/
Add tests for Bay API
Addressed by: https:/
Persist project_id and user_id for baymodel object
Addressed by: https:/
WIP: Enable multi tenant for get_baymodel_
Addressed by: https:/
Enable multi tenant for get_node_by_uuid
Addressed by: https:/
Enable multi tenant for get_container_
Addressed by: https:/
Enable multi tenant for get_bay_list
Addressed by: https:/
Enable multi tenant for following APIs: 1) get_node_list 2) get_baymodel_list 3) get_container_list
Addressed by: https:/
Add project_id and user_id to pod
Addressed by: https:/
Enable multi tenant for get_xxx_by_id
Addressed by: https:/
Add project_id and user_id to service and rc
Addressed by: https:/
Persist project_id and user_id
Addressed by: https:/
Enable multi tenant for get_pod_by_uuid
Addressed by: https:/
Enable multi tenant for two APIs
Addressed by: https:/
Enable multi tenant for k8s resource get_xxx_list
Addressed by: https:/
Enable multi tenant for k8s resource get_xx_by_id
All of the patches related to multi tenant are now merged, you can have a try, good luck ;-) Thanks! jay-lau-513 2015-02-05