forked from openstack/nova
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Hack in prefix matching for project_id in nova
This is example code to show how a nested scope would allow for multitenancy in nova. The basic idea is to store the fully nested scope of an object in the project_id field. In other words, the owner of a given instance would be:

    company.unit.project

For listing/actions we can do prefix matching of the current ownership scope. This patch expects the full scope to be passed in by project_id. The real version of this should probably pass scope in a new keystone context field.

Note that this also hacks in a new policy matcher which allows for a prefix match from the creds dictionary against the target object. It looks like:

    prefix:project_id:%(project_id)s

This says: make sure the context project_id is a prefix of project_id in the target object. If we had a scoping field from keystone called ownership, this could be something like:

    prefix:ownership:%(project_id)s

This will obviously need to be added to oslo in the full version.

Change-Id: I0ab6f65d55608603499b48ac74d2a467ffcaa93b
1 parent 4b2bd32, commit ae4de19
Showing 3 changed files with 41 additions and 4 deletions.
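
The prefix rule described in the commit message, sketched as an added example (not code from this patch, nova or oslo). It compares scopes segment by segment, because a plain string prefix test also accepts a sibling scope whose name merely starts with the same characters. The function names, the "." separator handling, and which dictionary each side of the rule is read from are assumptions.

```python
# Added illustration; not the patch's code. Names here are hypothetical.
SEP = "."  # scope separator, as in "company.unit.project"


def naive_prefix_match(context_scope, target_scope):
    """Plain string prefix test, shown only for comparison."""
    return target_scope.startswith(context_scope)


def scope_prefix_match(context_scope, target_scope):
    """True only if context_scope equals target_scope or is an ancestor of it."""
    ctx = context_scope.split(SEP)
    tgt = target_scope.split(SEP)
    # An empty segment means an empty or malformed scope ("", "company.",
    # "company..project"); such a scope must never match anything.
    if "" in ctx or "" in tgt:
        return False
    return len(ctx) <= len(tgt) and tgt[:len(ctx)] == ctx


def check_prefix_rule(rule, target, creds):
    """Evaluate 'prefix:<creds_key>:%(<target_field>)s'.

    Assumption: the key is looked up in creds and the template is filled
    from the target object. Missing or non-string values deny access.
    """
    kind, creds_key, template = rule.split(":", 2)
    if kind != "prefix":
        raise ValueError("not a prefix rule: %r" % rule)
    context_scope = creds.get(creds_key)
    if not isinstance(context_scope, str):
        return False
    try:
        target_scope = template % target
    except KeyError:
        return False
    return scope_prefix_match(context_scope, target_scope)


if __name__ == "__main__":
    rule = "prefix:project_id:%(project_id)s"
    instance = {"project_id": "company.unit2.project"}  # constructed sample
    caller = {"project_id": "company.unit"}             # constructed sample
    print(naive_prefix_match(caller["project_id"], instance["project_id"]))
    print(check_prefix_rule(rule, instance, caller))
```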