openstack team mailing list archive

Thread
Date

Re: Identity API v3 - Why allow multi-tenant users?

To: <openstack@xxxxxxxxxxxxxxxxxxx>
From: "Kevin L. Mitchell" <kevin.mitchell@xxxxxxxxxxxxx>
Date: Tue, 29 May 2012 12:59:56 -0500
In-reply-to: <719CD19D2B2BFA4CB1B3F00D2A8CDCD04EAE3F1E@AUSP01DAG0106.collaborationhost.net>
Organization: Rackspace

On Tue, 2012-05-29 at 17:18 +0000, Caitlin Bestler wrote:
> One of the major complication I see in the API is that users can be
> associated with multiple tenants.
>  
> What is the benefit of this? What functionality would be lost if a
> human user merely had to use a different account with each tenant?
>  
> There are numerous issues with multi-tenant users. For example, if a
> user is associated with multiple tenants, who resets the user’s
> password?

The use case that immediately springs to mind is that of a consultant.
A consultant may be working for several clients that all happen to use
one OpenStack-powered provider, and it would be handy for that
consultant to only have to worry about a single set of login
credentials, but still be able to access the relevant parts of all the
tenants for which he or she is working.

I could imagine several other somewhat similar scenarios, such as the
value-added reseller; having multiple tenants allows them to ensure the
proper client is billed the proper amount, while still being able to
perform whatever their value-add is.
-- 
Kevin L. Mitchell <kevin.mitchell@xxxxxxxxxxxxx>

References

Identity API v3 - Why allow multi-tenant users?
From: Caitlin Bestler, 2012-05-29