openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #14328
Glance/Swift tenant specific storage
I started working on the Glance swift-tenant-specific-storage blueprint last week.
I've got a working branch in play here:
https://github.com/dprince/glance/commits/swift_multi_tenant3
Some details on how I've done things so far:
* Update Glance so that it uses the service catalog for each user to obtain the Swift storage URL.
* Provide backend stores access to the context. Glance Essex doesn't give stores access to the RequestContext (auth token). We'll need this information for tenant specific storage if we want to be able to access individual swift accounts.
* Store images in separate containers. Swift only allows individual ACL's to be set per container... not per object. As such it appears we'll need to store each image in a separate container in order to support setting public and/or individual read/write access on each image.
* Set 'public' access for images in Swift.
* Set 'private' read and/or write access for Glance image members which have been granted access to specific images.
* Delayed delete (scrubber) will require an authenticated context in order to delete Swift images from the backend. Glance can either be make to grant write access to this account (for all images) or an administrative Swift account could be used to run the delayed delete operation.
* Maintain full support with the existing single tenant Glance swift storage scheme.
--------
I made some general implementation notes up on this wiki page as well:
http://wiki.openstack.org/GlanceSwiftTenantSpecificStorage
I'm anxious to get things up for review but before I do so I wanted to ask if this implementation looks reasonable? Any thoughts or feedback?
Dan
Follow ups