<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.openstack.org/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Vinod+kumar+boppanna</id>
		<title>OpenStack - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.openstack.org/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Vinod+kumar+boppanna"/>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/wiki/Special:Contributions/Vinod_kumar_boppanna"/>
		<updated>2026-07-08T17:55:27Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.28.2</generator>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=48373</id>
		<title>APIs for Domain Quota Driver</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=48373"/>
				<updated>2014-04-11T08:58:50Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Implementation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The existing DbQuotaDriver in Nova allows to set the Quotas at Project/Tenant and User Level. But there is a need to enforce the quotas at Domain Level as well. A new driver called &amp;quot;Domain Quota Driver&amp;quot; is available to enforce domain quotas in Nova. To use this driver, a new set of APIs are required for CRUD operations on quotas at domain, project and user level.&lt;br /&gt;
&lt;br /&gt;
== Quotas in Nova==&lt;br /&gt;
Currently, OpenStack services make usage of quotas to limit the resources for a project or for a user.&lt;br /&gt;
For example,  the “Instances” quota represents the number of instances that can be created in a project or by a user. Through Domain Quota Driver, the same options for Quotas are available in the context of domain. To read more about Domain Quota Driver and see the available options for quotas, check https://wiki.openstack.org/wiki/DomainQuotaDriver&lt;br /&gt;
&lt;br /&gt;
= Implementation =&lt;br /&gt;
&lt;br /&gt;
=== V2 APIs ===&lt;br /&gt;
Please check the following table for the APIs to manage Quotas for Domain, Project and User respectively. These APIs can be used by admin (i.e with role admin) to get the quota limits of any domain/project/user. A non-admin user can only use these APIs to see the quotas of a domain to which he/she belongs or of a project in which he/she is a member. In addition the non-admin user can see his/her own quota limits. To make this possible, Keystone V3 auth tokens needs to be used. The context provided by the token has domain_id, project_id and user_id respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Method || URI || Description &lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/os-domain-quota-sets/{domain_id} || Shows quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/os-domain-quota-sets/{domain_id}/defaults || Shows default quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/os-domain-quota-sets/{domain_id}?project_id={project_id} || Shows quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/os-domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Shows quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/os-domain-quota-sets/{domain_id} || Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects)&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/os-domain-quota-sets/{domain_id}?project_id={project_id} || Deletes quotas for a Project and for all the Users in that Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/os-domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Delete quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/os-domain-quota-sets/{domain_id} || Creates or Updates quotas for the domain&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/os-domain-quota-sets/{domain_id}?project_id={project_id} || Creates or Updates quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/os-domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Creates or Updates quotas for a User in a Project&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== V3 APIs ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Method || URI || Description &lt;br /&gt;
|-&lt;br /&gt;
| GET || v3/os-domain-quota-sets/{domain_id} || Shows quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v3/os-domain-quota-sets/{domain_id}/defaults || Shows default quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v3/os-domain-quota-sets/{domain_id}?project_id={project_id} || Shows quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| GET || v3/os-domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Shows quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v3/os-domain-quota-sets/{domain_id} || Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects)&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v3/os-domain-quota-sets/{domain_id}?project_id={project_id} || Deletes quotas for a Project and for all the Users in that Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v3/os-domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Delete quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v3/os-domain-quota-sets/{domain_id} || Creates or Updates quotas for the domain&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v3/os-domain-quota-sets/{domain_id}?project_id={project_id} || Creates or Updates quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v3/os-domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Creates or Updates quotas for a User in a Project&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=47849</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=47849"/>
				<updated>2014-04-06T16:32:39Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* POC Demo code */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project to the top i.e till the head node and construct the roles set using the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA3 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
̽&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the paring may take a very long time.&lt;br /&gt;
&lt;br /&gt;
===== Example 5 =====&lt;br /&gt;
User C authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA4&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA4 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* member&lt;br /&gt;
&lt;br /&gt;
===== Example 6 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user (User A has memeber and project-admin roles). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles in the hierarchy starting from the scope level and goes up to the head node(as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;roles&amp;quot;. The &amp;quot;project_id&amp;quot; in the keystone context has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
  &amp;quot;context_is_admin&amp;quot;:  &amp;quot;role:admin&amp;quot;&lt;br /&gt;
  &amp;quot;project_admin&amp;quot;:  &amp;quot;role:project-admin and project_id:%(project_id)s&amp;quot;&lt;br /&gt;
  &amp;quot;admin_or_project_admin&amp;quot;: &amp;quot;rule: context_is_admin or rule:project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*check that user has a project-admin role using the the context field &amp;quot;roles&amp;quot; and has the selected project_id scope&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;member&amp;quot;: &amp;quot;role:member and project_id:%(project_id)s&amp;quot;   (means that user has role member in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_member&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:member&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/4147173a415108e9496d6265522ea57bec5d1409&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* The project_id in the Nova Quota tables should include the complete hierarchy. Because of this, it is necessary to notify Nova about any changes in the hierarchy. For example, Nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and if Admin removes or shifts (to another parent node) the project &amp;quot;ProjA1&amp;quot; from the keystone, then Nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=46265</id>
		<title>APIs for Domain Quota Driver</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=46265"/>
				<updated>2014-03-21T12:30:43Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* APIs */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The existing DbQuotaDriver in Nova allows to set the Quotas at Project/Tenant and User Level. But there is a need to enforce the quotas at Domain Level as well. A new driver called &amp;quot;Domain Quota Driver&amp;quot; is available to enforce domain quotas in Nova. To use this driver, a new set of APIs are required for CRUD operations on quotas at domain, project and user level.&lt;br /&gt;
&lt;br /&gt;
== Quotas in Nova==&lt;br /&gt;
Currently, OpenStack services make usage of quotas to limit the resources for a project or for a user.&lt;br /&gt;
For example,  the “Instances” quota represents the number of instances that can be created in a project or by a user. Through Domain Quota Driver, the same options for Quotas are available in the context of domain. To read more about Domain Quota Driver and see the available options for quotas, check https://wiki.openstack.org/wiki/DomainQuotaDriver&lt;br /&gt;
&lt;br /&gt;
= Implementation =&lt;br /&gt;
&lt;br /&gt;
=== APIs ===&lt;br /&gt;
Please check the following table for the APIs to manage Quotas for Domain, Project and User respectively. These APIs can be used by admin (i.e with role admin) to get the quota limits of any domain/project/user. A non-admin user can only use these APIs to see the quotas of a domain to which he/she belongs or of a project in which he/she is a member. In addition the non-admin user can see his/her own quota limits. To make this possible, Keystone V3 auth tokens needs to be used. The context provided by the token has domain_id, project_id and user_id respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Method || URI || Description &lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/os-domain-quota-sets/{domain_id} || Shows quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/os-domain-quota-sets/{domain_id}/defaults || Shows default quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/os-domain-quota-sets/{domain_id}?project_id={project_id} || Shows quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/os-domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Shows quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/os-domain-quota-sets/{domain_id} || Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects)&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/os-domain-quota-sets/{domain_id}?project_id={project_id} || Deletes quotas for a Project and for all the Users in that Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/os-domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Delete quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/os-domain-quota-sets/{domain_id} || Creates or Updates quotas for the domain&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/os-domain-quota-sets/{domain_id}?project_id={project_id} || Creates or Updates quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/os-domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Creates or Updates quotas for a User in a Project&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46047</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46047"/>
				<updated>2014-03-20T12:31:42Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* API URLs */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project to the top i.e till the head node and construct the roles set using the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA3 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
̽&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the paring may take a very long time.&lt;br /&gt;
&lt;br /&gt;
===== Example 5 =====&lt;br /&gt;
User C authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA4&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA4 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* member&lt;br /&gt;
&lt;br /&gt;
===== Example 6 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user (User A has memeber and project-admin roles). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles in the hierarchy starting from the scope level and goes up to the head node(as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;roles&amp;quot;. The &amp;quot;project_id&amp;quot; in the keystone context has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
  &amp;quot;context_is_admin&amp;quot;:  &amp;quot;role:admin&amp;quot;&lt;br /&gt;
  &amp;quot;project_admin&amp;quot;:  &amp;quot;role:project-admin and project_id:%(project_id)s&amp;quot;&lt;br /&gt;
  &amp;quot;admin_or_project_admin&amp;quot;: &amp;quot;rule: context_is_admin or rule:project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*check that user has a project-admin role using the the context field &amp;quot;roles&amp;quot; and has the selected project_id scope&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;member&amp;quot;: &amp;quot;role:member and project_id:%(project_id)s&amp;quot;   (means that user has role member in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_member&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:member&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* The project_id in the Nova Quota tables should include the complete hierarchy. Because of this, it is necessary to notify Nova about any changes in the hierarchy. For example, Nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and if Admin removes or shifts (to another parent node) the project &amp;quot;ProjA1&amp;quot; from the keystone, then Nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46045</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46045"/>
				<updated>2014-03-20T12:16:53Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* API URLs */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project to the top i.e till the head node and construct the roles set using the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA3 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
̽&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the paring may take a very long time.&lt;br /&gt;
&lt;br /&gt;
===== Example 5 =====&lt;br /&gt;
User C authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA4&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA4 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* member&lt;br /&gt;
&lt;br /&gt;
===== Example 6 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user (User A has memeber and project-admin roles). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles in the hierarchy starting from the scope level and goes up to the head node(as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; in the keystone context has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)s&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except admin and project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* The project_id in the Nova Quota tables should include the complete hierarchy. Because of this, it is necessary to notify Nova about any changes in the hierarchy. For example, Nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and if Admin removes or shifts (to another parent node) the project &amp;quot;ProjA1&amp;quot; from the keystone, then Nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46042</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46042"/>
				<updated>2014-03-20T12:03:36Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Concerns */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project to the top i.e till the head node and construct the roles set using the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA3 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
̽&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the paring may take a very long time.&lt;br /&gt;
&lt;br /&gt;
===== Example 5 =====&lt;br /&gt;
User C authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA4&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA4 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* member&lt;br /&gt;
&lt;br /&gt;
===== Example 6 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user (User A has memeber and project-admin roles). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles in the hierarchy starting from the scope level and goes up to the head node(as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; in the keystone context has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except admin and project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* The project_id in the Nova Quota tables should include the complete hierarchy. Because of this, it is necessary to notify Nova about any changes in the hierarchy. For example, Nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and if Admin removes or shifts (to another parent node) the project &amp;quot;ProjA1&amp;quot; from the keystone, then Nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46041</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46041"/>
				<updated>2014-03-20T12:00:50Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* API URLs */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project to the top i.e till the head node and construct the roles set using the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA3 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
̽&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the paring may take a very long time.&lt;br /&gt;
&lt;br /&gt;
===== Example 5 =====&lt;br /&gt;
User C authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA4&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA4 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* member&lt;br /&gt;
&lt;br /&gt;
===== Example 6 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user (User A has memeber and project-admin roles). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles in the hierarchy starting from the scope level and goes up to the head node(as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; in the keystone context has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except admin and project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* As nova keeps the complete project hierarchy in the Quotas table, it is necessary to notify nova about any changes in the hierarchy. For example, nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and User removes the project &amp;quot;ProjA1&amp;quot; from the keystone, then nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46040</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46040"/>
				<updated>2014-03-20T12:00:30Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* API URLs */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project to the top i.e till the head node and construct the roles set using the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA3 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
̽&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the paring may take a very long time.&lt;br /&gt;
&lt;br /&gt;
===== Example 5 =====&lt;br /&gt;
User C authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA4&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA4 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* member&lt;br /&gt;
&lt;br /&gt;
===== Example 6 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user (User A has memeber and project-admin roles). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles in the hierarchy starting from the scope level and goes up to the head node(as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; in the keystone scope has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except admin and project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* As nova keeps the complete project hierarchy in the Quotas table, it is necessary to notify nova about any changes in the hierarchy. For example, nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and User removes the project &amp;quot;ProjA1&amp;quot; from the keystone, then nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46039</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46039"/>
				<updated>2014-03-20T11:56:50Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Authentication */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project to the top i.e till the head node and construct the roles set using the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA3 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
̽&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the paring may take a very long time.&lt;br /&gt;
&lt;br /&gt;
===== Example 5 =====&lt;br /&gt;
User C authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA4&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA4 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* member&lt;br /&gt;
&lt;br /&gt;
===== Example 6 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user (User A has memeber and project-admin roles). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles in the hierarchy starting from the scope level and goes up to the head node(as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except admin and project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* As nova keeps the complete project hierarchy in the Quotas table, it is necessary to notify nova about any changes in the hierarchy. For example, nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and User removes the project &amp;quot;ProjA1&amp;quot; from the keystone, then nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46038</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46038"/>
				<updated>2014-03-20T11:54:57Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Authentication */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project to the top i.e till the head node and construct the roles set using the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA3 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
̽&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the paring may take a very long time.&lt;br /&gt;
&lt;br /&gt;
===== Example 5 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user (User A has memeber and project-admin roles). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles in the hierarchy starting from the scope level and goes up to the head node(as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except admin and project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* As nova keeps the complete project hierarchy in the Quotas table, it is necessary to notify nova about any changes in the hierarchy. For example, nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and User removes the project &amp;quot;ProjA1&amp;quot; from the keystone, then nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46037</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46037"/>
				<updated>2014-03-20T11:51:27Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* API URLs */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project to the top i.e till the head node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA3 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
̽&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the paring may take a very long time.&lt;br /&gt;
&lt;br /&gt;
===== Example 5 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user (User A has memeber and project-admin roles). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles in the hierarchy starting from the scope level and goes up to the head node(as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except admin and project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* As nova keeps the complete project hierarchy in the Quotas table, it is necessary to notify nova about any changes in the hierarchy. For example, nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and User removes the project &amp;quot;ProjA1&amp;quot; from the keystone, then nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46036</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46036"/>
				<updated>2014-03-20T11:46:20Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Authentication */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project to the top i.e till the head node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA3 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
̽&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the paring may take a very long time.&lt;br /&gt;
&lt;br /&gt;
===== Example 5 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user at this level (User A has memeber and project-admin roles at this level). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles at each level of the hierarchy starting from the scope level (as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* As nova keeps the complete project hierarchy in the Quotas table, it is necessary to notify nova about any changes in the hierarchy. For example, nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and User removes the project &amp;quot;ProjA1&amp;quot; from the keystone, then nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46035</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=46035"/>
				<updated>2014-03-20T11:44:14Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Authentication */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the head node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1.ProjA3 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the head node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* project-admin, member&lt;br /&gt;
̽&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the paring may take a very long time.&lt;br /&gt;
&lt;br /&gt;
===== Example 5 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user at this level (User A has memeber and project-admin roles at this level). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles at each level of the hierarchy starting from the scope level (as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* As nova keeps the complete project hierarchy in the Quotas table, it is necessary to notify nova about any changes in the hierarchy. For example, nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and User removes the project &amp;quot;ProjA1&amp;quot; from the keystone, then nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=42638</id>
		<title>APIs for Domain Quota Driver</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=42638"/>
				<updated>2014-02-18T18:04:23Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Introduction */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The existing DbQuotaDriver in Nova allows to set the Quotas at Project/Tenant and User Level. But there is a need to enforce the quotas at Domain Level as well. A new driver called &amp;quot;Domain Quota Driver&amp;quot; is available to enforce domain quotas in Nova. To use this driver, a new set of APIs are required for CRUD operations on quotas at domain, project and user level.&lt;br /&gt;
&lt;br /&gt;
== Quotas in Nova==&lt;br /&gt;
Currently, OpenStack services make usage of quotas to limit the resources for a project or for a user.&lt;br /&gt;
For example,  the “Instances” quota represents the number of instances that can be created in a project or by a user. Through Domain Quota Driver, the same options for Quotas are available in the context of domain. To read more about Domain Quota Driver and see the available options for quotas, check https://wiki.openstack.org/wiki/DomainQuotaDriver&lt;br /&gt;
&lt;br /&gt;
= Implementation =&lt;br /&gt;
&lt;br /&gt;
=== APIs ===&lt;br /&gt;
Please check the following table for the APIs to manage Quotas for Domain, Project and User respectively. These APIs can be used by admin (i.e with role admin) to get the quota limits of any domain/project/user. A non-admin user can only use these APIs to see the quotas of a domain to which he/she belongs or of a project in which he/she is a member. In addition the non-admin user can see his/her own quota limits. To make this possible, Keystone V3 auth tokens needs to be used. The context provided by the token has domain_id, project_id and user_id respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Method || URI || Description &lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id} || Shows quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}/defaults || Shows default quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Shows quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Shows quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id} || Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects)&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Deletes quotas for a Project and for all the Users in that Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Delete quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id} || Creates or Updates quotas for the domain&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Creates or Updates quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Creates or Updates quotas for a User in a Project&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=42636</id>
		<title>APIs for Domain Quota Driver</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=42636"/>
				<updated>2014-02-18T18:04:05Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Implementation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The existing DbQuotaDriver in Nova allows to set the Quotas at Project/Tenant and User Level. But there is a need to enforce the quotas at Domain Level as well. A new driver called &amp;quot;Domain Quota Driver&amp;quot; is available to enforce domain quotas in Nova. To use this driver, a new set of APIs and Command Line tools are required for CRUD operations on quotas at domain, project and user level.&lt;br /&gt;
&lt;br /&gt;
== Quotas in Nova==&lt;br /&gt;
Currently, OpenStack services make usage of quotas to limit the resources for a project or for a user.&lt;br /&gt;
For example,  the “Instances” quota represents the number of instances that can be created in a project or by a user. Through Domain Quota Driver, the same options for Quotas are available in the context of domain. To read more about Domain Quota Driver and see the available options for quotas, check https://wiki.openstack.org/wiki/DomainQuotaDriver&lt;br /&gt;
&lt;br /&gt;
= Implementation =&lt;br /&gt;
&lt;br /&gt;
=== APIs ===&lt;br /&gt;
Please check the following table for the APIs to manage Quotas for Domain, Project and User respectively. These APIs can be used by admin (i.e with role admin) to get the quota limits of any domain/project/user. A non-admin user can only use these APIs to see the quotas of a domain to which he/she belongs or of a project in which he/she is a member. In addition the non-admin user can see his/her own quota limits. To make this possible, Keystone V3 auth tokens needs to be used. The context provided by the token has domain_id, project_id and user_id respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Method || URI || Description &lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id} || Shows quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}/defaults || Shows default quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Shows quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Shows quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id} || Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects)&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Deletes quotas for a Project and for all the Users in that Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Delete quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id} || Creates or Updates quotas for the domain&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Creates or Updates quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Creates or Updates quotas for a User in a Project&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=42608</id>
		<title>APIs for Domain Quota Driver</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=42608"/>
				<updated>2014-02-18T12:45:12Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Nova Commands */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The existing DbQuotaDriver in Nova allows to set the Quotas at Project/Tenant and User Level. But there is a need to enforce the quotas at Domain Level as well. A new driver called &amp;quot;Domain Quota Driver&amp;quot; is available to enforce domain quotas in Nova. To use this driver, a new set of APIs and Command Line tools are required for CRUD operations on quotas at domain, project and user level.&lt;br /&gt;
&lt;br /&gt;
== Quotas in Nova==&lt;br /&gt;
Currently, OpenStack services make usage of quotas to limit the resources for a project or for a user.&lt;br /&gt;
For example,  the “Instances” quota represents the number of instances that can be created in a project or by a user. Through Domain Quota Driver, the same options for Quotas are available in the context of domain. To read more about Domain Quota Driver and see the available options for quotas, check https://wiki.openstack.org/wiki/DomainQuotaDriver&lt;br /&gt;
&lt;br /&gt;
= Implementation =&lt;br /&gt;
&lt;br /&gt;
=== APIs ===&lt;br /&gt;
Please check the following table for the APIs to manage Quotas for Domain, Project and User respectively. These APIs can be used by admin (i.e with role admin) to get the quota limits of any domain/project/user. A non-admin user can only use these APIs to see the quotas of a domain to which he/she belongs or of a project in which he/she is a member. In addition the non-admin user can see his/her own quota limits. To make this possible, Keystone V3 auth tokens needs to be used. The context provided by the token has domain_id, project_id and user_id respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Method || URI || Description &lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id} || Shows quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}/defaults || Shows default quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Shows quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Shows quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id} || Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects)&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Deletes quotas for a Project and for all the Users in that Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Delete quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id} || Creates or Updates quotas for the domain&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Creates or Updates quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Creates or Updates quotas for a User in a Project&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Nova Commands ===&lt;br /&gt;
&lt;br /&gt;
Following commands have been added to nova for Domain Quota Management&lt;br /&gt;
&lt;br /&gt;
'''$&amp;gt; nova domain-quota-show'''&lt;br /&gt;
&lt;br /&gt;
List the quotas for a domain/tenant/user.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;domain-id&amp;gt;           ID of domain to list the quotas for.&lt;br /&gt;
&lt;br /&gt;
Optional arguments:&lt;br /&gt;
  --tenant &amp;lt;tenant-id&amp;gt;  ID of tenant to list the quotas for.&lt;br /&gt;
  --user &amp;lt;user-id&amp;gt;      ID of user to list the quotas for.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''$&amp;gt; nova domain-quota-defaults'''&lt;br /&gt;
&lt;br /&gt;
List the default quotas for a domain.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;domain-id&amp;gt;  ID of domain to list the default quotas for.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''$&amp;gt; nova domain-quota-delete'''&lt;br /&gt;
&lt;br /&gt;
Delete quota for a domain/tenant/user so their quota will Revert back to&lt;br /&gt;
default.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;domain-id&amp;gt;           ID of domain to delete quota for.&lt;br /&gt;
&lt;br /&gt;
Optional arguments:&lt;br /&gt;
  --tenant &amp;lt;tenant-id&amp;gt;  ID of tenant to delete quota for.&lt;br /&gt;
  --user &amp;lt;user-id&amp;gt;      ID of user to delete quota for.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''$&amp;gt; nova domain-quota-update'''&lt;br /&gt;
&lt;br /&gt;
Update the quotas for a domain/tenant/user.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;domain-id&amp;gt;           ID of domain to set the quotas for.&lt;br /&gt;
&lt;br /&gt;
Optional arguments:&lt;br /&gt;
  --tenant &amp;lt;tenant-id&amp;gt;  ID of tenant to set the quotas for.&lt;br /&gt;
  --user &amp;lt;user-id&amp;gt;      ID of user to set the quotas for.&lt;br /&gt;
  --instances &amp;lt;instances&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;instances&amp;quot; quota.&lt;br /&gt;
  --cores &amp;lt;cores&amp;gt;       New value for the &amp;quot;cores&amp;quot; quota.&lt;br /&gt;
  --ram &amp;lt;ram&amp;gt;           New value for the &amp;quot;ram&amp;quot; quota.&lt;br /&gt;
  --floating-ips &amp;lt;floating-ips&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;floating-ips&amp;quot; quota.&lt;br /&gt;
  --fixed-ips &amp;lt;fixed-ips&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;fixed-ips&amp;quot; quota.&lt;br /&gt;
  --metadata-items &amp;lt;metadata-items&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;metadata-items&amp;quot; quota.&lt;br /&gt;
  --injected-files &amp;lt;injected-files&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;injected-files&amp;quot; quota.&lt;br /&gt;
  --injected-file-content-bytes &amp;lt;injected-file-content-bytes&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;injected-file-content-bytes&amp;quot; quota.&lt;br /&gt;
  --injected-file-path-bytes &amp;lt;injected-file-path-bytes&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;injected-file-path-bytes&amp;quot; quota.&lt;br /&gt;
  --key-pairs &amp;lt;key-pairs&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;key-pairs&amp;quot; quota.&lt;br /&gt;
  --security-groups &amp;lt;security-groups&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;security-groups&amp;quot; quota.&lt;br /&gt;
  --security-group-rules &amp;lt;security-group-rules&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;security-group-rules&amp;quot; quota.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=42607</id>
		<title>APIs for Domain Quota Driver</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=42607"/>
				<updated>2014-02-18T12:44:43Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Implementation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The existing DbQuotaDriver in Nova allows to set the Quotas at Project/Tenant and User Level. But there is a need to enforce the quotas at Domain Level as well. A new driver called &amp;quot;Domain Quota Driver&amp;quot; is available to enforce domain quotas in Nova. To use this driver, a new set of APIs and Command Line tools are required for CRUD operations on quotas at domain, project and user level.&lt;br /&gt;
&lt;br /&gt;
== Quotas in Nova==&lt;br /&gt;
Currently, OpenStack services make usage of quotas to limit the resources for a project or for a user.&lt;br /&gt;
For example,  the “Instances” quota represents the number of instances that can be created in a project or by a user. Through Domain Quota Driver, the same options for Quotas are available in the context of domain. To read more about Domain Quota Driver and see the available options for quotas, check https://wiki.openstack.org/wiki/DomainQuotaDriver&lt;br /&gt;
&lt;br /&gt;
= Implementation =&lt;br /&gt;
&lt;br /&gt;
=== APIs ===&lt;br /&gt;
Please check the following table for the APIs to manage Quotas for Domain, Project and User respectively. These APIs can be used by admin (i.e with role admin) to get the quota limits of any domain/project/user. A non-admin user can only use these APIs to see the quotas of a domain to which he/she belongs or of a project in which he/she is a member. In addition the non-admin user can see his/her own quota limits. To make this possible, Keystone V3 auth tokens needs to be used. The context provided by the token has domain_id, project_id and user_id respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Method || URI || Description &lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id} || Shows quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}/defaults || Shows default quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Shows quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Shows quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id} || Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects)&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Deletes quotas for a Project and for all the Users in that Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Delete quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id} || Creates or Updates quotas for the domain&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Creates or Updates quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Creates or Updates quotas for a User in a Project&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Nova Commands ===&lt;br /&gt;
&lt;br /&gt;
Following commands have been added to nova for Domain Quota Management&lt;br /&gt;
&lt;br /&gt;
'''$&amp;gt; nova domain-quota-show'''&lt;br /&gt;
&lt;br /&gt;
List the quotas for a domain/tenant/user.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;domain-id&amp;gt;           ID of domain to list the quotas for.&lt;br /&gt;
&lt;br /&gt;
Optional arguments:&lt;br /&gt;
  --tenant &amp;lt;tenant-id&amp;gt;  ID of tenant to list the quotas for.&lt;br /&gt;
  --user &amp;lt;user-id&amp;gt;      ID of user to list the quotas for.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''$&amp;gt; nova domain-quota-defaults'''&lt;br /&gt;
List the default quotas for a domain.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;domain-id&amp;gt;  ID of domain to list the default quotas for.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''$&amp;gt; nova domain-quota-delete'''&lt;br /&gt;
Delete quota for a domain/tenant/user so their quota will Revert back to&lt;br /&gt;
default.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;domain-id&amp;gt;           ID of domain to delete quota for.&lt;br /&gt;
&lt;br /&gt;
Optional arguments:&lt;br /&gt;
  --tenant &amp;lt;tenant-id&amp;gt;  ID of tenant to delete quota for.&lt;br /&gt;
  --user &amp;lt;user-id&amp;gt;      ID of user to delete quota for.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''$&amp;gt; nova domain-quota-update'''&lt;br /&gt;
Update the quotas for a domain/tenant/user.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;domain-id&amp;gt;           ID of domain to set the quotas for.&lt;br /&gt;
&lt;br /&gt;
Optional arguments:&lt;br /&gt;
  --tenant &amp;lt;tenant-id&amp;gt;  ID of tenant to set the quotas for.&lt;br /&gt;
  --user &amp;lt;user-id&amp;gt;      ID of user to set the quotas for.&lt;br /&gt;
  --instances &amp;lt;instances&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;instances&amp;quot; quota.&lt;br /&gt;
  --cores &amp;lt;cores&amp;gt;       New value for the &amp;quot;cores&amp;quot; quota.&lt;br /&gt;
  --ram &amp;lt;ram&amp;gt;           New value for the &amp;quot;ram&amp;quot; quota.&lt;br /&gt;
  --floating-ips &amp;lt;floating-ips&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;floating-ips&amp;quot; quota.&lt;br /&gt;
  --fixed-ips &amp;lt;fixed-ips&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;fixed-ips&amp;quot; quota.&lt;br /&gt;
  --metadata-items &amp;lt;metadata-items&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;metadata-items&amp;quot; quota.&lt;br /&gt;
  --injected-files &amp;lt;injected-files&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;injected-files&amp;quot; quota.&lt;br /&gt;
  --injected-file-content-bytes &amp;lt;injected-file-content-bytes&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;injected-file-content-bytes&amp;quot; quota.&lt;br /&gt;
  --injected-file-path-bytes &amp;lt;injected-file-path-bytes&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;injected-file-path-bytes&amp;quot; quota.&lt;br /&gt;
  --key-pairs &amp;lt;key-pairs&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;key-pairs&amp;quot; quota.&lt;br /&gt;
  --security-groups &amp;lt;security-groups&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;security-groups&amp;quot; quota.&lt;br /&gt;
  --security-group-rules &amp;lt;security-group-rules&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;security-group-rules&amp;quot; quota.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=42606</id>
		<title>APIs for Domain Quota Driver</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=42606"/>
				<updated>2014-02-18T12:44:28Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Implementation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The existing DbQuotaDriver in Nova allows to set the Quotas at Project/Tenant and User Level. But there is a need to enforce the quotas at Domain Level as well. A new driver called &amp;quot;Domain Quota Driver&amp;quot; is available to enforce domain quotas in Nova. To use this driver, a new set of APIs and Command Line tools are required for CRUD operations on quotas at domain, project and user level.&lt;br /&gt;
&lt;br /&gt;
== Quotas in Nova==&lt;br /&gt;
Currently, OpenStack services make usage of quotas to limit the resources for a project or for a user.&lt;br /&gt;
For example,  the “Instances” quota represents the number of instances that can be created in a project or by a user. Through Domain Quota Driver, the same options for Quotas are available in the context of domain. To read more about Domain Quota Driver and see the available options for quotas, check https://wiki.openstack.org/wiki/DomainQuotaDriver&lt;br /&gt;
&lt;br /&gt;
= Implementation =&lt;br /&gt;
&lt;br /&gt;
=== APIs ====&lt;br /&gt;
Please check the following table for the APIs to manage Quotas for Domain, Project and User respectively. These APIs can be used by admin (i.e with role admin) to get the quota limits of any domain/project/user. A non-admin user can only use these APIs to see the quotas of a domain to which he/she belongs or of a project in which he/she is a member. In addition the non-admin user can see his/her own quota limits. To make this possible, Keystone V3 auth tokens needs to be used. The context provided by the token has domain_id, project_id and user_id respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Method || URI || Description &lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id} || Shows quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}/defaults || Shows default quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Shows quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Shows quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id} || Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects)&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Deletes quotas for a Project and for all the Users in that Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Delete quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id} || Creates or Updates quotas for the domain&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Creates or Updates quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Creates or Updates quotas for a User in a Project&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Nova Commands ===&lt;br /&gt;
&lt;br /&gt;
Following commands have been added to nova for Domain Quota Management&lt;br /&gt;
&lt;br /&gt;
'''$&amp;gt; nova domain-quota-show'''&lt;br /&gt;
&lt;br /&gt;
List the quotas for a domain/tenant/user.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;domain-id&amp;gt;           ID of domain to list the quotas for.&lt;br /&gt;
&lt;br /&gt;
Optional arguments:&lt;br /&gt;
  --tenant &amp;lt;tenant-id&amp;gt;  ID of tenant to list the quotas for.&lt;br /&gt;
  --user &amp;lt;user-id&amp;gt;      ID of user to list the quotas for.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''$&amp;gt; nova domain-quota-defaults'''&lt;br /&gt;
List the default quotas for a domain.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;domain-id&amp;gt;  ID of domain to list the default quotas for.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''$&amp;gt; nova domain-quota-delete'''&lt;br /&gt;
Delete quota for a domain/tenant/user so their quota will Revert back to&lt;br /&gt;
default.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;domain-id&amp;gt;           ID of domain to delete quota for.&lt;br /&gt;
&lt;br /&gt;
Optional arguments:&lt;br /&gt;
  --tenant &amp;lt;tenant-id&amp;gt;  ID of tenant to delete quota for.&lt;br /&gt;
  --user &amp;lt;user-id&amp;gt;      ID of user to delete quota for.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''$&amp;gt; nova domain-quota-update'''&lt;br /&gt;
Update the quotas for a domain/tenant/user.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;domain-id&amp;gt;           ID of domain to set the quotas for.&lt;br /&gt;
&lt;br /&gt;
Optional arguments:&lt;br /&gt;
  --tenant &amp;lt;tenant-id&amp;gt;  ID of tenant to set the quotas for.&lt;br /&gt;
  --user &amp;lt;user-id&amp;gt;      ID of user to set the quotas for.&lt;br /&gt;
  --instances &amp;lt;instances&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;instances&amp;quot; quota.&lt;br /&gt;
  --cores &amp;lt;cores&amp;gt;       New value for the &amp;quot;cores&amp;quot; quota.&lt;br /&gt;
  --ram &amp;lt;ram&amp;gt;           New value for the &amp;quot;ram&amp;quot; quota.&lt;br /&gt;
  --floating-ips &amp;lt;floating-ips&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;floating-ips&amp;quot; quota.&lt;br /&gt;
  --fixed-ips &amp;lt;fixed-ips&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;fixed-ips&amp;quot; quota.&lt;br /&gt;
  --metadata-items &amp;lt;metadata-items&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;metadata-items&amp;quot; quota.&lt;br /&gt;
  --injected-files &amp;lt;injected-files&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;injected-files&amp;quot; quota.&lt;br /&gt;
  --injected-file-content-bytes &amp;lt;injected-file-content-bytes&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;injected-file-content-bytes&amp;quot; quota.&lt;br /&gt;
  --injected-file-path-bytes &amp;lt;injected-file-path-bytes&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;injected-file-path-bytes&amp;quot; quota.&lt;br /&gt;
  --key-pairs &amp;lt;key-pairs&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;key-pairs&amp;quot; quota.&lt;br /&gt;
  --security-groups &amp;lt;security-groups&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;security-groups&amp;quot; quota.&lt;br /&gt;
  --security-group-rules &amp;lt;security-group-rules&amp;gt;&lt;br /&gt;
                        New value for the &amp;quot;security-group-rules&amp;quot; quota.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=42605</id>
		<title>APIs for Domain Quota Driver</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=APIs_for_Domain_Quota_Driver&amp;diff=42605"/>
				<updated>2014-02-18T12:42:41Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Introduction */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The existing DbQuotaDriver in Nova allows to set the Quotas at Project/Tenant and User Level. But there is a need to enforce the quotas at Domain Level as well. A new driver called &amp;quot;Domain Quota Driver&amp;quot; is available to enforce domain quotas in Nova. To use this driver, a new set of APIs and Command Line tools are required for CRUD operations on quotas at domain, project and user level.&lt;br /&gt;
&lt;br /&gt;
== Quotas in Nova==&lt;br /&gt;
Currently, OpenStack services make usage of quotas to limit the resources for a project or for a user.&lt;br /&gt;
For example,  the “Instances” quota represents the number of instances that can be created in a project or by a user. Through Domain Quota Driver, the same options for Quotas are available in the context of domain. To read more about Domain Quota Driver and see the available options for quotas, check https://wiki.openstack.org/wiki/DomainQuotaDriver&lt;br /&gt;
&lt;br /&gt;
= Implementation =&lt;br /&gt;
&lt;br /&gt;
Please check the following table for the APIs to manage Quotas for Domain, Project and User respectively. These APIs can be used by admin (i.e with role admin) to get the quota limits of any domain/project/user. A non-admin user can only use these APIs to see the quotas of a domain to which he/she belongs or of a project in which he/she is a member. In addition the non-admin user can see his/her own quota limits. To make this possible, Keystone V3 auth tokens needs to be used. The context provided by the token has domain_id, project_id and user_id respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Method || URI || Description &lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id} || Shows quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}/defaults || Shows default quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Shows quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Shows quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id} || Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects)&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Deletes quotas for a Project and for all the Users in that Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Delete quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id} || Creates or Updates quotas for the domain&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Creates or Updates quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Creates or Updates quotas for a User in a Project&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41993</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41993"/>
				<updated>2014-02-12T12:11:08Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Example 4 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist.&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the roles list can become huge.&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user at this level (User A has memeber and project-admin roles at this level). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles at each level of the hierarchy starting from the scope level (as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* As nova keeps the complete project hierarchy in the Quotas table, it is necessary to notify nova about any changes in the hierarchy. For example, nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and User removes the project &amp;quot;ProjA1&amp;quot; from the keystone, then nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41988</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41988"/>
				<updated>2014-02-12T10:39:06Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Example 4 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist.&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the roles list can become huge.&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B tries to authenticates at &amp;quot;ProjH.ProjA&amp;quot; but keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. That means User B is not part of Project &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user at this level (User A has memeber and project-admin roles at this level). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles at each level of the hierarchy starting from the scope level (as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* As nova keeps the complete project hierarchy in the Quotas table, it is necessary to notify nova about any changes in the hierarchy. For example, nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and User removes the project &amp;quot;ProjA1&amp;quot; from the keystone, then nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41906</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41906"/>
				<updated>2014-02-11T16:28:11Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* POC Demo code */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist.&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the roles list can become huge.&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user at this level (User A has memeber and project-admin roles at this level). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles at each level of the hierarchy starting from the scope level (as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at  &amp;lt;br/&amp;gt;&lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* As nova keeps the complete project hierarchy in the Quotas table, it is necessary to notify nova about any changes in the hierarchy. For example, nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and User removes the project &amp;quot;ProjA1&amp;quot; from the keystone, then nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41905</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41905"/>
				<updated>2014-02-11T16:27:56Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* API URLs */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist.&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the roles list can become huge.&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user at this level (User A has memeber and project-admin roles at this level). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles at each level of the hierarchy starting from the scope level (as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== POC Demo code ==&lt;br /&gt;
Please check the code snippets for this setup at &lt;br /&gt;
https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* As nova keeps the complete project hierarchy in the Quotas table, it is necessary to notify nova about any changes in the hierarchy. For example, nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and User removes the project &amp;quot;ProjA1&amp;quot; from the keystone, then nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41904</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41904"/>
				<updated>2014-02-11T16:25:12Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* API URLs */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist.&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the roles list can become huge.&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user at this level (User A has memeber and project-admin roles at this level). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles at each level of the hierarchy starting from the scope level (as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== Concerns ==&lt;br /&gt;
* As nova keeps the complete project hierarchy in the Quotas table, it is necessary to notify nova about any changes in the hierarchy. For example, nova stores Quotas of Project &amp;quot;ProjH.ProjA.ProjA1&amp;quot; in the table and User removes the project &amp;quot;ProjA1&amp;quot; from the keystone, then nova should be notified about this.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41899</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41899"/>
				<updated>2014-02-11T15:35:01Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* API URLs */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist.&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the roles list can become huge.&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user at this level (User A has memeber and project-admin roles at this level). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles at each level of the hierarchy starting from the scope level (as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The policy rules for the quota extension can be &lt;br /&gt;
&lt;br /&gt;
 &amp;quot;owner&amp;quot;: &amp;quot;roleMember:rolesList:%(project_id)&amp;quot;   (means that user has any role except project-admin in the project)&lt;br /&gt;
 &amp;quot;admin_or_project_admin_or_owner&amp;quot;: &amp;quot;rule:admin_or_project_admin or rule:owner&amp;quot;&lt;br /&gt;
  &lt;br /&gt;
 &amp;quot;compute_extension:quotas:show&amp;quot;: &amp;quot;rule:admin_or_project_admin_or_owner&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:update&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;,&lt;br /&gt;
 &amp;quot;compute_extension:quotas:delete&amp;quot;: &amp;quot;rule:admin_or_project_admin&amp;quot;&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41898</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41898"/>
				<updated>2014-02-11T15:30:44Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* API URLs */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist.&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the roles list can become huge.&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user at this level (User A has memeber and project-admin roles at this level). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;br /&gt;
&lt;br /&gt;
The Keystone context will have a field which gives information about the roles at each level of the hierarchy starting from the scope level (as explained in the examples listed under Authentication Section). We can call this field as &amp;quot;rolesList&amp;quot;. The &amp;quot;project_id&amp;quot; has the full hierarchy like &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 &amp;quot;admin_or_project_admin&amp;quot;:  &amp;quot;is_admin:True or  roleProjectAdmin:rolesList:%(project_id)&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This means that the user satisfies one of the following condition &amp;lt;br/&amp;gt;&lt;br /&gt;
*Cloud Admin&lt;br /&gt;
*function &amp;quot;roleProjectAdmin&amp;quot; will check that user has a project-admin role in the project_id using the the context field &amp;quot;rolesList&amp;quot;&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41892</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41892"/>
				<updated>2014-02-11T15:03:26Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Quota Tables */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist.&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the roles list can become huge.&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== API URLs ==&lt;br /&gt;
The URLs does not need to include any project names up to the authentication scope. The URLs only need to include the hierarchy after the scope for executing an operation. For example, if User A authenticates using scope as &amp;quot;ProjH.ProjA&amp;quot; and the User A want to update the quotas assigned to &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;, then the URL can be like&lt;br /&gt;
&lt;br /&gt;
PUT Request  -&amp;gt;  http://&amp;lt;nova listening ip&amp;gt;:8774/v3/os-quota-sets?project_id=ProjA1.ProjA3&lt;br /&gt;
&lt;br /&gt;
When the above URL fired, the complete hierarchy will be formed by prepend the scope id to the project_id in the URL, that means here it will be &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot;. Now, the program can check the role possessed by the user at this level (User A has memeber and project-admin roles at this level). As the user possess the &amp;quot;project-admin&amp;quot; role, the update operation on quotas is allowed.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41880</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41880"/>
				<updated>2014-02-11T12:32:45Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Quota Tables */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist.&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the roles list can become huge.&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The project_id field in these tables stores the project complete hierarchy, like if quota values are defined for &amp;quot;ProjA1&amp;quot;, then the project_id is &amp;quot;ProjH.ProjA.ProjA1&amp;quot;.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41878</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41878"/>
				<updated>2014-02-11T12:30:28Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Example 1 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt;&lt;br /&gt;
* For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist.&lt;br /&gt;
* It is important to limit the maximum depth of the Project Hierarchy. Otherwise, the roles list can become huge.&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41875</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41875"/>
				<updated>2014-02-11T12:26:37Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Implementation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Quota Tables ==&lt;br /&gt;
&lt;br /&gt;
There are four tables useful for Quota Management, namely &amp;quot;quotas&amp;quot;, &amp;quot;quota_usages&amp;quot;, &amp;quot;project_user_quotas&amp;quot; and &amp;quot;reservations&amp;quot; respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Table || Description || Important Fields&lt;br /&gt;
|-&lt;br /&gt;
| quotas || Stores the quota values for resources (like instances, cores etc) of a Project || project_id&lt;br /&gt;
|-&lt;br /&gt;
| project_user_quotas || Stores the quota allotment to a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| quota_usages || Stores the quota already in use by a User in a Project || project_id, user_id&lt;br /&gt;
|-&lt;br /&gt;
| reservations || Stores the reservations made for a resource by a User in a Project || project_id, user_id&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41874</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41874"/>
				<updated>2014-02-11T12:16:36Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Authentication */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
= Implementation =&lt;br /&gt;
&lt;br /&gt;
Please check the following table for the APIs to manage Quotas for Domain, Project and User respectively. These APIs can be used by admin (i.e with role admin) to get the quota limits of any domain/project/user. A non-admin user can only use these APIs to see the quotas of a domain to which he/she belongs or of a project in which he/she is a member. In addition the non-admin user can see his/her own quota limits. To make this possible, Keystone V3 auth tokens needs to be used. The context provided by the token has domain_id, project_id and user_id respectively. &lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Method || URI || Description &lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id} || Shows quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}/defaults || Shows default quotas for a Domain&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Shows quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Shows quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id} || Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects)&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Deletes quotas for a Project and for all the Users in that Project&lt;br /&gt;
|-&lt;br /&gt;
| DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Delete quotas for a User in a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id} || Creates or Updates quotas for the domain&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Creates or Updates quotas for a Project&lt;br /&gt;
|-&lt;br /&gt;
| PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&amp;amp;user_id={user_id} || Creates or Updates quotas for a User in a Project&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41873</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41873"/>
				<updated>2014-02-11T12:15:43Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Explanation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Authentication ==&lt;br /&gt;
&lt;br /&gt;
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41872</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41872"/>
				<updated>2014-02-11T12:15:05Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Example 2 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;u&amp;gt;Authentication:&amp;lt;/u&amp;gt; Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41871</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41871"/>
				<updated>2014-02-11T11:12:21Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Example 2 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;u&amp;gt;Authentication:&amp;lt;/u&amp;gt; Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;u&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/u&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
̇̇̇̇̇̇̇̇̇̈* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41870</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41870"/>
				<updated>2014-02-11T11:11:46Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Example 2 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;u&amp;gt;Authentication:&amp;lt;/u&amp;gt; Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&lt;br /&gt;
̇̇̇̇̇̇̇̇̇̈* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41869</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41869"/>
				<updated>2014-02-11T11:11:33Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Explanation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;u&amp;gt;Authentication:&amp;lt;/u&amp;gt; Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
̇̇̇̇̇̇̇̇̇̈* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 4 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41868</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41868"/>
				<updated>2014-02-11T11:10:49Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Explanation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;u&amp;gt;Authentication:&amp;lt;/u&amp;gt; Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
̇̇̇̇̇̇̇̇̇̈* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User B authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will reject the authentication as User B does not have any role at &amp;quot;ProjH.ProjA&amp;quot;. User B can authenticate using the scope as &amp;quot;ProjH.ProjA.ProjA1.ProjA3&amp;quot; or &amp;quot;ProjH.ProjB&amp;quot; or &amp;quot;ProjH.ProjB.ProjB2&amp;quot;.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41867</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41867"/>
				<updated>2014-02-11T11:08:09Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Example 1 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;u&amp;gt;Authentication:&amp;lt;/u&amp;gt; Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
̇̇̇̇̇̇̇̇̇̈* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
̝&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41866</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41866"/>
				<updated>2014-02-11T11:07:55Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Example 3 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;u&amp;gt;Authentication:&amp;lt;/u&amp;gt; Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
̇̇̇̇̇̇̇̇̇̈* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
̝&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41865</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41865"/>
				<updated>2014-02-11T11:07:36Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Example 2 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;u&amp;gt;Authentication:&amp;lt;/u&amp;gt; Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
̇̇̇̇̇̇̇̇̇̈* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
̽&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
̝&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41864</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41864"/>
				<updated>2014-02-11T11:00:52Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Example 2 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;u&amp;gt;Authentication:&amp;lt;/u&amp;gt; Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
̇̇̇̇̇̇̇* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
̝&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41863</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41863"/>
				<updated>2014-02-11T10:59:27Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Example 1 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;u&amp;gt;Authentication:&amp;lt;/u&amp;gt; Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
&amp;lt;u&amp;gt;Noteː&amp;lt;/u&amp;gt; For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
̇̇̇* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
̝&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41862</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41862"/>
				<updated>2014-02-11T10:57:01Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Explanation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;u&amp;gt;Authentication:&amp;lt;/u&amp;gt; Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
Noteː For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
̇̇̇* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
̝&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41861</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41861"/>
				<updated>2014-02-11T10:56:25Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Explanation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;inʂ&amp;gt;Authentication:&amp;lt;/ins&amp;gt; Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
Noteː For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
̇̇̇* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
̝&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41860</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41860"/>
				<updated>2014-02-11T10:54:43Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Explanation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
Authentication: Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session. &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt; &amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
Noteː For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1 &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
̇̇̇* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User A authenticates at &amp;quot;ProjH.ProjA&amp;quot;, keystone will send the following information (or token) for this session.&amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
ProjH.ProjA &amp;lt;br/&amp;gt;&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&amp;lt;br/&amp;gt;&lt;br /&gt;
* ProjH.ProjA, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, project-admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA3, member&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjectA4, project-admin&lt;br /&gt;
̝&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41858</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41858"/>
				<updated>2014-02-11T10:49:52Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Setup */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;br /&gt;
&lt;br /&gt;
== Explanation ==&lt;br /&gt;
&lt;br /&gt;
Authentication: Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as &amp;quot;ProjH.ProjA&amp;quot;. The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples. &lt;br /&gt;
&lt;br /&gt;
=== Example 1 ===&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH&amp;quot;, keystone will send the following information (or token) for this session.&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&lt;br /&gt;
ProjH&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&lt;br /&gt;
* ProjH,  admin&lt;br /&gt;
* ProjH.ProjA, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1, admin&lt;br /&gt;
* ProjH.ProjA.ProjA2, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;br /&gt;
* ProjH.ProjB, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1, admin&lt;br /&gt;
* ProjH.ProjB.ProjB2, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB3, admin&lt;br /&gt;
* ProjH.ProjB.ProjB1.ProjB4, admin&lt;br /&gt;
Noteː For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist&lt;br /&gt;
&lt;br /&gt;
=== Example 2 ===&lt;br /&gt;
Cloud Admin authenticates at &amp;quot;ProjH.ProjA.ProjA1&amp;quot;, keystone will send the following information (or token) for this session.&lt;br /&gt;
&amp;lt;ins&amp;gt;Scope Project&amp;lt;/ins&amp;gt;&lt;br /&gt;
ProjH.ProjA.ProjA1&lt;br /&gt;
&amp;lt;ins&amp;gt;Roles (find role at each project level upto the leaf node)&amp;lt;/ins&amp;gt;&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA3, admin&lt;br /&gt;
* ProjH.ProjA.ProjA1.ProjA4, admin&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41857</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41857"/>
				<updated>2014-02-11T10:30:40Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Setup */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
[[File:ProjectHierarchy.png|ProjectHierarchy]]&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41856</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41856"/>
				<updated>2014-02-11T10:29:08Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: /* Introduction */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;br /&gt;
&lt;br /&gt;
== Setup ==&lt;br /&gt;
&lt;br /&gt;
Please see the following picture for an example Hierarchical Multitenancy setup.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:ProjectHierarchy.png&amp;diff=41855</id>
		<title>File:ProjectHierarchy.png</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:ProjectHierarchy.png&amp;diff=41855"/>
				<updated>2014-02-11T10:28:11Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41854</id>
		<title>POC for QuotaManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=POC_for_QuotaManagement&amp;diff=41854"/>
				<updated>2014-02-11T10:23:43Z</updated>
		
		<summary type="html">&lt;p&gt;Vinod kumar boppanna: Created page with &amp;quot;== Introduction ==  This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.&lt;/div&gt;</summary>
		<author><name>Vinod kumar boppanna</name></author>	</entry>

	</feed>