
openstack team mailing list archive

Re: Using Foreign Keys

 

On Apr 19, 2012, at 8:59 PM, Vaze, Mandar wrote:

> +1 for data integrity  ...
> 
> Here is an example that could use data integrity check :
> 
> tenant information is managed in keystone DB
> ovs_quantum DB has tenant_id column for networks table.
> When I use stack.sh - it puts a string "default" in tenant_id column - when it creates network via "nova-manage network create" and it WORKS !!!!
>
> I see two problems here :
> 
> 1. tenant_id are uuid - so string "default" should be rejected with check _is_like_uuid - but that is only partial solution.

tenant_ids are strings. It is an implementation detail that keystone uses uuids.

> 2. tenant_id should be valid ID from keystone.tenants

This would require nova-manage having logic to be able to connect to keystone which it doesn't have.  One of the drawbacks of having decoupled services is everything isn't in one database where you can support foreign keys. We could in theory add logic to nova to allow it to verify things inside of keystone, but I'm not sure this makes sense from a security perspective. It would require nova to have administrative access to keystone to find out what tenants exist.

Alternatively we could force administrative commands like network create to be done through the API using the context of the intended network. This has a drawback as well of making things administratively more difficult. An admin would have to get an administrative token for the intended tenant somehow before making the call.

Vish


