openstack team mailing list archive

RE: Keystone, Swift and Multi-tenant


My understanding of "multi-tenant" would imply that:

* Tenant X and Tenant Y could both have a user 'jsmith'

* Clients for either Tenant X or Tenant Y can format HTTP submissions as user jsmith
that will look identical but will actually reference different accounts.

* A client accessing the 'jsmith' account using a network resource identified as belonging
to Tenant X will reference the Tenant X 'jsmith' account, and in fact cannot see any
Tenant Y accounts.

* Therefore distinguishing between Tenant X and Tenant Y traffic has to be based on
network addressing, not on packet contents.

With Nova, using a single LDAP server that has the administrative users for each Tenant may
be acceptable. But clearly for authenticating Swift users the LDAP server referenced itself
has to be tenant dependent. The Swift User is an *end-user* of Tenant X or Tenant Y; neither
Tenant will want to enter them into a central user database.