Jump to: navigation, search

POC for QuotaManagement

Revision as of 12:16, 11 February 2014 by Vinod kumar boppanna (talk | contribs) (Authentication)

Introduction

This Page explains the Proof of Concept for Quota Management in the Openstack Hierarchical Multitenancy setup.

Setup

Please see the following picture for an example Hierarchical Multitenancy setup.

ProjectHierarchy

Authentication

Every user has to authenticate with keystone using a project scope. For example, userA can authenticate using the project scope as "ProjH.ProjA". The cloud admin can authenticate using any scope. When authenticated, the entire hierarchy is parsed starting from the scope project till the leaf node and construct the roles the user has at each level. See the following examples.

Example 1

Cloud Admin authenticates at "ProjH", keystone will send the following information (or token) for this session.
Scope
ProjH
Roles (find role at each project level upto the leaf node)

  • ProjH, admin
  • ProjH.ProjA, admin
  • ProjH.ProjA.ProjA1, admin
  • ProjH.ProjA.ProjA2, admin
  • ProjH.ProjA.ProjA1.ProjA3, admin
  • ProjH.ProjA.ProjA1.ProjA4, admin
  • ProjH.ProjB, admin
  • ProjH.ProjB.ProjB1, admin
  • ProjH.ProjB.ProjB2, admin
  • ProjH.ProjB.ProjB1.ProjB3, admin
  • ProjH.ProjB.ProjB1.ProjB4, admin

Noteː For Cloud Admin, the entire Hierarchy of the Projects is not required (as he is the super admin and possess all the rights to do anything). But this can be useful to check the action requested by the admin with an hierarchy actually exists or not, without again contacting the Keystone again. For example, if admin wants to list the quotas for ProjH.ProjC, but by seeing the roles, he can be notified immediately that this hierarchy does not exist

Example 2

Cloud Admin authenticates at "ProjH.ProjA.ProjA1", keystone will send the following information (or token) for this session.
Scope
ProjH.ProjA.ProjA1
Roles (find role at each project level upto the leaf node)

  • ProjH.ProjA.ProjA1, admin
  • ProjH.ProjA.ProjA1.ProjA3, admin
  • ProjH.ProjA.ProjA1.ProjA4, admin

̽

Example 3

User A authenticates at "ProjH.ProjA", keystone will send the following information (or token) for this session.
Scope
ProjH.ProjA
Roles (find role at each project level upto the leaf node)

  • ProjH.ProjA, project-admin
  • ProjH.ProjA.ProjA1, project-admin
  • ProjH.ProjA.ProjA2, project-admin
  • ProjH.ProjA.ProjA1.ProjectA3, project-admin
  • ProjH.ProjA.ProjA1.ProjectA3, member
  • ProjH.ProjA.ProjA1.ProjectA4, project-admin
Example 4

User B authenticates at "ProjH.ProjA", keystone will reject the authentication as User B does not have any role at "ProjH.ProjA". User B can authenticate using the scope as "ProjH.ProjA.ProjA1.ProjA3" or "ProjH.ProjB" or "ProjH.ProjB.ProjB2".

Implementation

Please check the following table for the APIs to manage Quotas for Domain, Project and User respectively. These APIs can be used by admin (i.e with role admin) to get the quota limits of any domain/project/user. A non-admin user can only use these APIs to see the quotas of a domain to which he/she belongs or of a project in which he/she is a member. In addition the non-admin user can see his/her own quota limits. To make this possible, Keystone V3 auth tokens needs to be used. The context provided by the token has domain_id, project_id and user_id respectively.

Method URI Description
GET v2/{tenant_id}/domain-quota-sets/{domain_id} Shows quotas for a Domain
GET v2/{tenant_id}/domain-quota-sets/{domain_id}/defaults Shows default quotas for a Domain
GET v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} Shows quotas for a Project
GET v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&user_id={user_id} Shows quotas for a User in a Project
DELETE v2/{tenant_id}/domain-quota-sets/{domain_id} Deletes quotas for the domain and for all the projects in this domain (In addition deletes quota for all the users in the projects)
DELETE v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} Deletes quotas for a Project and for all the Users in that Project
DELETE v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&user_id={user_id} Delete quotas for a User in a Project
PUT v2/{tenant_id}/domain-quota-sets/{domain_id} Creates or Updates quotas for the domain
PUT v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id} Creates or Updates quotas for a Project
PUT v2/{tenant_id}/domain-quota-sets/{domain_id}?project_id={project_id}&user_id={user_id} Creates or Updates quotas for a User in a Project