Difference between revisions of "POC for QuotaManagement"
(→Explanation) |
(→Authentication) |
||
| Line 55: | Line 55: | ||
===== Example 4 ===== | ===== Example 4 ===== | ||
User B authenticates at "ProjH.ProjA", keystone will reject the authentication as User B does not have any role at "ProjH.ProjA". User B can authenticate using the scope as "ProjH.ProjA.ProjA1.ProjA3" or "ProjH.ProjB" or "ProjH.ProjB.ProjB2". | User B authenticates at "ProjH.ProjA", keystone will reject the authentication as User B does not have any role at "ProjH.ProjA". User B can authenticate using the scope as "ProjH.ProjA.ProjA1.ProjA3" or "ProjH.ProjB" or "ProjH.ProjB.ProjB2". | ||
| + | |||
| + | = Implementation = | ||
| + | |||
| + | Please check the following table for the APIs to manage Quotas for Domain, Project and User respectively. These APIs can be used by admin (i.e with role admin) to get the quota limits of any domain/project/user. A non-admin user can only use these APIs to see the quotas of a domain to which he/she belongs or of a project in which he/she is a member. In addition the non-admin user can see his/her own quota limits. To make this possible, Keystone V3 auth tokens needs to be used. The context provided by the token has domain_id, project_id and user_id respectively. | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! Method || URI || Description | ||
| + | |- | ||
| + | | GET || v2/{tenant_id}/domain-quota-sets/{domain_id} || Shows quotas for a Domain | ||
| + | |- | ||
| + | | GET || v2/{tenant_id}/domain-quota-sets/{domain_id}/defaults || Shows default quotas for a Domain | ||
| + | |- | ||
| + | | GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Shows quotas for a Project | ||
| + | |- | ||
| + | | GET || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&user_id={user_id} || Shows quotas for a User in a Project | ||
| + | |- | ||
| + | | DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id} || Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects) | ||
| + | |- | ||
| + | | DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Deletes quotas for a Project and for all the Users in that Project | ||
| + | |- | ||
| + | | DELETE || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&user_id={user_id} || Delete quotas for a User in a Project | ||
| + | |- | ||
| + | | PUT || v2/{tenant_id}/domain-quota-sets/{domain_id} || Creates or Updates quotas for the domain | ||
| + | |- | ||
| + | | PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} || Creates or Updates quotas for a Project | ||
| + | |- | ||
| + | | PUT || v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&user_id={user_id} || Creates or Updates quotas for a User in a Project | ||
| + | |} | ||
Revision as of 12:16, 11 February 2014
Contents
Introduction
This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.
Setup
Please see the following picture for an example Hierarchical Multitenancy setup.
Authentication
Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as "ProjH.ProjA". The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples.
Example 1
Cloud Admin authenticates at "ProjH", keystone will send the following information (or token) for this session.
Scope
ProjH
Roles (find role at each project level upto the leaf node)
- ProjH, admin
- ProjH.ProjA, admin
- ProjH.ProjA.ProjA1, admin
- ProjH.ProjA.ProjA2, admin
- ProjH.ProjA.ProjA1.ProjA3, admin
- ProjH.ProjA.ProjA1.ProjA4, admin
- ProjH.ProjB, admin
- ProjH.ProjB.ProjB1, admin
- ProjH.ProjB.ProjB2, admin
- ProjH.ProjB.ProjB1.ProjB3, admin
- ProjH.ProjB.ProjB1.ProjB4, admin
Noteː For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist
Example 2
Cloud Admin authenticates at "ProjH.ProjA.ProjA1", keystone will send the following information (or token) for this session.
Scope
ProjH.ProjA.ProjA1
Roles (find role at each project level upto the leaf node)
- ProjH.ProjA.ProjA1, admin
- ProjH.ProjA.ProjA1.ProjA3, admin
- ProjH.ProjA.ProjA1.ProjA4, admin
̽
Example 3
User A authenticates at "ProjH.ProjA", keystone will send the following information (or token) for this session.
Scope
ProjH.ProjA
Roles (find role at each project level upto the leaf node)
- ProjH.ProjA, project-admin
- ProjH.ProjA.ProjA1, project-admin
- ProjH.ProjA.ProjA2, project-admin
- ProjH.ProjA.ProjA1.ProjectA3, project-admin
- ProjH.ProjA.ProjA1.ProjectA3, member
- ProjH.ProjA.ProjA1.ProjectA4, project-admin
Example 4
User B authenticates at "ProjH.ProjA", keystone will reject the authentication as User B does not have any role at "ProjH.ProjA". User B can authenticate using the scope as "ProjH.ProjA.ProjA1.ProjA3" or "ProjH.ProjB" or "ProjH.ProjB.ProjB2".
Implementation
Please check the following table for the APIs to manage Quotas for Domain, Project and User respectively. These APIs can be used by admin (i.e with role admin) to get the quota limits of any domain/project/user. A non-admin user can only use these APIs to see the quotas of a domain to which he/she belongs or of a project in which he/she is a member. In addition the non-admin user can see his/her own quota limits. To make this possible, Keystone V3 auth tokens needs to be used. The context provided by the token has domain_id, project_id and user_id respectively.
| Method | URI | Description |
|---|---|---|
| GET | v2/{tenant_id}/domain-quota-sets/{domain_id} | Shows quotas for a Domain |
| GET | v2/{tenant_id}/domain-quota-sets/{domain_id}/defaults | Shows default quotas for a Domain |
| GET | v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} | Shows quotas for a Project |
| GET | v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&user_id={user_id} | Shows quotas for a User in a Project |
| DELETE | v2/{tenant_id}/domain-quota-sets/{domain_id} | Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects) |
| DELETE | v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} | Deletes quotas for a Project and for all the Users in that Project |
| DELETE | v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&user_id={user_id} | Delete quotas for a User in a Project |
| PUT | v2/{tenant_id}/domain-quota-sets/{domain_id} | Creates or Updates quotas for the domain |
| PUT | v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} | Creates or Updates quotas for a Project |
| PUT | v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&user_id={user_id} | Creates or Updates quotas for a User in a Project |
