Standard for identifying tenants in a multi-tenant deployment
As a cloud computing platform, OpenStack must support multi-tenancy. A common approach to organizing resources by 'tenant' across services is needed in order to correlate usage tracking, auditing, authorization, etc. Within each multi-tenant service, the ability to identify each tenant's resources (for reasons such as security, accounting, isolation, etc.) is also key. However, the definition of a 'tenant' will vary by operator and by deployment. This blueprint therefore proposes creating a lightweight standard that lets service developers implement tenancy and resource grouping without a priori knowledge of the billing and accounting processes specific to the operator of an OpenStack deployment.
Blueprint information
- Status: Complete
- Approver: Rick Clark
- Priority: Medium
- Drafter: Ziad Sawalha
- Direction: Approved
- Assignee: Monsyne Dragon
- Definition: Approved
- Series goal: Accepted for cactus
- Implementation: Implemented
- Milestone target: None
- Started by: Monsyne Dragon
- Completed by: Thierry Carrez
Whiteboard
A similar blueprint has been submitted to Swift as well.
Implementation tasks:
I will be implementing this using the existing project name as the account name.
Tasks:
1: Allow project (account) name to be passed in OpenStack API requests (currently it's hardcoded to the FLAGS.default_
2: Have builtin nova authc include appropriate account_name in X-Server-
3: Fix project/network relationship to work properly for flat network model (as well as others)
4: Add Account/User admin API methods. (CRUD + Add user to account)