OpenStack Compute (nova)

Remove Project/Tenant ID from v3 API URLs

Registered by Gabriel Hurley

As per http://lists.openstack.org/pipermail/openstack-dev/2013-May/008770.html there's strong support fro removing the project ID from the Nova API URL structure. This blueprint is to capture the work required to remove the project ID from the URL scheme, instead relying on the context to pass in the correct values (as it already does).

Blueprint information

Status:
Complete
Approver:
Russell Bryant
Priority:
High
Drafter:
Gabriel Hurley
Direction:
Approved
Assignee:
melanie witt
Definition:
Approved
Series goal:
Accepted for havana
Implementation:
Implemented
Milestone target:
milestone icon 2013.2
Started by
Thierry Carrez
Completed by
Russell Bryant

Related branches

Sprints

Whiteboard

This should be worked in a way that allows external policy enforcement points to validate what resources within a project a token should have access to.

For example, Repose sits in front of some Nova installs and has an authorization filter. If the user attempts to access a nova resource with a token not scoped to the project that holds that resource, Repose will return a 401 and Nova won't have to service the request at all.

Gerrit topic: https://review.openstack.org/#q,topic:bp/v3-api-remove-project-id,n,z

Addressed by: https://review.openstack.org/29469
    removes project_id/tenant_id from v3 api urls

What work is left after the above patch?
  - There doesn't seem to be much more needed. I tested using the new url paths against the v3 api part 2 patch
    using the --bypass-url option in nova client and the ported apis ('fixed ips' and 'servers') were able to handle
    the requests correctly (with keystone auth).
  - I found in https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L940 where project_id
    from the url is checked against project_id from the context but it still works properly with the new urls.
  - Code that creates RequestContext gets project_id from request headers.
  - This response header X-Server-Management-Url needs to not use project_id in this no auth case:
    https://github.com/openstack/nova/blob/master/nova/api/openstack/auth.py#L40
    Update: This isn't needed -- project_id here is a project *name*, not an id. It has nothing to do with project_id in urls.
  - Other than that, I think it's a matter of converting all the apis/extensions to v3 and making sure none make
    reference to or use project_id from the url.

Mauro found a change is needed to return the correct resource links in responses whether project_id is present in the url or not. His patch is below.

Addressed by: https://review.openstack.org/31632
    Change resource links when url has no project id

Addressed by: https://review.openstack.org/38452
    Adds NoAuthMiddleware for V3

(?)

Work Items

Work items:
Remove project_id/tenant_id prefix from all urls: DONE

Dependency tree

* Blueprints in grey have been implemented.

Nearby

This blueprint contains Public information 
Everyone can see this information.