Validate project with Keystone

Registered by Thang Pham on 2014-05-07

Today Nova has no functionality to validate the tenant it consumes. One reason is performance: validating against external services can be slow. However, such validation is needed in cases where the user passes in the project ID or name (e.g. quota management), so that the correct quota is set.
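The quota case described above, as an added example that is not Nova code: an update that accepts any string as a project ID, next to one that asks Keystone first. Every name here is hypothetical, Keystone is replaced by a constructed stand-in that returns HTTP status codes for a project lookup, and treating any answer other than 200 or 404 as "could not verify" is a choice made for this example.

```python
class ProjectNotFound(Exception):
    """Keystone answered 404: the project ID does not exist."""

# Constructed default limits, for illustration only.
DEFAULT_QUOTA = {"instances": 10, "cores": 20}

def make_fake_keystone(existing_projects, forbidden=False):
    """Constructed stand-in for a Keystone project lookup; returns a status code."""
    def get_project_status(project_id):
        if forbidden:
            return 403  # caller's token may not read projects
        return 200 if project_id in existing_projects else 404
    return get_project_status

def update_quota_unchecked(quota_db, project_id, **limits):
    """No validation: any string gets a fresh row of defaults."""
    row = quota_db.setdefault(project_id, dict(DEFAULT_QUOTA))
    row.update(limits)
    return row

def verify_project_id(get_project_status, project_id):
    """True if Keystone confirms the project, False if it could not be asked.

    Raises ProjectNotFound on a definite 404, so the caller can reject the
    request before anything is written.
    """
    status = get_project_status(project_id)
    if status == 200:
        return True
    if status == 404:
        raise ProjectNotFound(project_id)
    # Example's choice (assumption): 403 or a server error means the answer is
    # unknown, so report "unverified" instead of blocking the admin operation.
    return False

def update_quota_checked(quota_db, get_project_status, project_id, **limits):
    """Validate first; the quota table is only touched after the lookup."""
    verify_project_id(get_project_status, project_id)
    return update_quota_unchecked(quota_db, project_id, **limits)

if __name__ == "__main__":
    keystone = make_fake_keystone({"p1"})
    db = {}
    update_quota_unchecked(db, "not-a-project", instances=99)
    print("unchecked rows:", sorted(db))
    db = {}
    try:
        update_quota_checked(db, keystone, "not-a-project", instances=99)
    except ProjectNotFound as exc:
        print("rejected:", exc, "rows:", sorted(db))
```

The check costs one lookup per administrative call, which is the performance trade-off the description mentions.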

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/proposes,n,z

Addressed by: https://review.openstack.org/92507
    Validate tenant and user with Keystone

Spec not approved yet, un-targeting blueprint from juno-1 --johnthetubaguy (28th May 2014)

You should not set a milestone target unless the blueprint has been properly prioritized by the project drivers.

Gerrit topic: https://review.openstack.org/#q,topic:bp/validate-project-with-keystone,n,z

Addressed by: https://review.openstack.org/143934
    Validate project with Keystone

Sorry, we have now hit the non-priority feature freeze for kilo. Please resubmit your spec for the L release. --johnthetubaguy 5th Feb 2015

auggy March 9, 2016: Updates from mriedem via irc:
Basically, our quota-update API allows you to pass garbage for a tenant. If the quotas don't exist for the tenant, it creates new defaults for it even if the tenant doesn't actually exist in Keystone, so it's just a change to add a validation of the tenant in Keystone.

auggy March 15, 2016: I spoke with the original author and was informed I could take over this spec.

Addressed by: https://review.openstack.org/294337
    Today there is no functionality to validate the tenant that is consumed by nova. One reason for the lack of such functionality is performance, where validating to external services can cause poor performance. However, such functionality is needed in cases

There is no code up for this yet and we're at non-priority feature freeze so this is going to be deferred for the Newton release. You can re-propose a spec for Ocata if you plan to pursue this.
-- mriedem 20160629

Addressed by: https://review.openstack.org/350844
    Add Keystone project validation to quota and flavor management

Addressed by: https://review.openstack.org/381340
    Rename valid-project-with-keystone to match blueprint name

We're two weeks from the Ocata feature freeze and there is no code up for this yet so I'm going to defer it to Pike. The spec will need to be re-proposed for Pike if someone plans on working on it. -- mriedem 20170112

Re-approved for Pike. Sean Dague is taking this over. -- mriedem 20170214

Gerrit topic: https://review.openstack.org/#q,topic:verify_quota,n,z

Addressed by: https://review.openstack.org/435010
    WIP: verify project_id when quotas are checked

Addressed by: https://review.openstack.org/435432
    Verify project id for flavor access calls

Addressed by: https://review.openstack.org/463241
    Verify project_id when quotas are checked
