Keystone hierarchical multi-tenancy
November 1, 2015 | ITKeystone

Multi-tenancy in Keystone is implemented through projects: a project exists so that what belongs to it is open to the users that belong to it, while users of other projects are kept out. Before getting to hierarchical multi-tenancy, let us look at how domain, group, project and user relate to one another, and how that relationship appears in the SQL database.
A domain owns users, groups and projects; all three exist only inside a domain, so whichever of the three you create, you must specify its domain. Below is the `assignment` table of the keystone database (output of `DESCRIBE assignment`):

+-----------+---------------------------------------------------------------+------+-----+---------+-------+
| Field     | Type                                                          | Null | Key | Default | Extra |
+-----------+---------------------------------------------------------------+------+-----+---------+-------+
| type      | enum('UserProject','GroupProject','UserDomain','GroupDomain') | NO   | PRI | NULL    |       |
| actor_id  | varchar(64)                                                   | NO   | PRI | NULL    |       |
| target_id | varchar(64)                                                   | NO   | PRI | NULL    |       |
| role_id   | varchar(64)                                                   | NO   | PRI | NULL    |       |
| inherited | tinyint(1)                                                    | NO   | PRI | NULL    |       |
+-----------+---------------------------------------------------------------+------+-----+---------+-------+

Notice that the `type` column only allows UserProject, GroupProject, UserDomain and GroupDomain. So when a role is assigned there are only four possible combinations: a user or a group gets the role on either a project or a domain, which is why only these four kinds of role binding are available when we create users or groups. The details of roles will be analysed separately later.
To implement hierarchical multi-tenancy in Keystone, all we need is to create a structure like the following, with sub-projects nested under projects inside each domain:

Cloud Service Provider:
    BCEC ---------------- Domain
        AAAA ------------ Project A
            aa ---------- Sub-project
            bb ---------- Sub-project
        BBBB ------------ Project B
            aa ---------- Sub-project
            bb ---------- Sub-project
    EBSC ---------------- Domain
        AAAA ------------ Project
            aa ---------- Sub-project

With this structure we get multi-level tenancy. The relevant Keystone v3 API calls are below.
Create a project. Setting `parent_id` makes it a sub-project of that parent (the parent must be in the same domain); without `parent_id` it is a top-level project of the domain:
POST /v3/projects

{
    "project": {
        "description": "Project space for Test Group",
        "domain_id": "1789d1",
        "parent_id": "7fa612",
        "enabled": true,
        "name": "Test Group"            
    }
}

List every sub-project below a given project (the whole subtree, not only the direct children; `subtree_as_ids` returns only the ids instead):
GET /v3/projects/{project_id}?subtree_as_list
Response:

{
    "project": {
        "domain_id": "1789d1",
        "parent_id": "183ab2",
        "enabled": true,
        "id": "263fd9",
        "links": {
            "self": "http://identity:35357/v3/projects/263fd9"
        },
        "name": "Dev Group A",
        "subtree": [
            {
                "project": {
                    "domain_id": "1789d1",
                    "parent_id": "263fd9",
                    "enabled": true,
                    "id": "9n1jhb",
                    "links": {
                        "self": "http://identity:35357/v3/projects/9n1jhb"
                    },
                    "name": "Dev Group A Child 1"
                }
            },
            {
                "project": {
                    "domain_id": "1789d1",
                    "parent_id": "263fd9",
                    "enabled": true,
                    "id": "4b6aa1",
                    "links": {
                        "self": "http://identity:35357/v3/projects/4b6aa1"
                    },
                    "name": "Dev Group A Child 2"
                }
            },
            {
                "project": {
                    "domain_id": "1789d1", 
                    "parent_id": "4b6aa1",
                    "enabled": true,
                    "id": "b76xq8",
                    "links": {
                        "self": "http://identity:35357/v3/projects/b76xq8"
                    },
                    "name": "Dev Group A Grandchild"
                }
            }
        ]
    }
}

Likewise, the list of projects above a sub-project, i.e. its chain of parents up to the top of the domain (`parents_as_ids` returns only the ids instead):
GET /v3/projects/{project_id}?parents_as_list
Response:

{
    "project": {
        "domain_id": "1789d1", 
        "parent_id": "183ab2",
        "enabled": true,
        "id": "263fd9",
        "links": {
            "self": "http://identity:35357/v3/projects/263fd9"
        },
        "name": "Dev Group A",
        "parents": [
            {
                "project": {
                    "domain_id": "1789d1",
                    "parent_id": null,
                    "enabled": true,
                    "id": "183ab2",
                    "links": {
                        "self": "http://identity:35357/v3/projects/183ab2"
                    },
                    "name": "Dev Group A Parent"
                }
            }
        ]
    }
}

At this point you probably have to ask: how does permission inheritance work? That is for a later post; for now, look at the OS-INHERIT extension, whose `inherited_to_projects` flag is what the `inherited` column of the assignment table above stores. When it is set on an assignment, the role granted on a parent project (or on the domain) is applied to the projects below it in the tree, so a single inherited assignment high in the hierarchy reaches every sub-project underneath it. The mechanics will be written up separately.
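To make the data model concrete, here is an added Python example (my own, not keystone's code) that models the domain/project/sub-project diagram above together with rows of the `assignment` table, and reimplements offline what the three API calls in this post compute: project creation with `parent_id` (including the same-domain check keystone applies), `?subtree_as_list`, `?parents_as_list`, and the effect of the `inherited` column. All ids, names and role assignments are constructed sample data; the tree adds one sub-sub-project (`aaaa-bb-cc`) beyond the diagram to show depth. The inheritance rule coded here (an inherited assignment on a project grants its role on the descendants, not on the project itself; on a domain, on every project of that domain) is the OS-INHERIT behaviour as I understand it, so verify it against your keystone release before relying on it.

```python
# Added example (not keystone's code): offline model of hierarchical projects
# plus rows of the `assignment` table. Every id, name and row is constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Project:
    id: str
    name: str
    domain_id: str
    parent_id: Optional[str] = None  # None: a top-level project of the domain


@dataclass
class Assignment:  # one row of the `assignment` table shown above
    type: str        # UserProject | GroupProject | UserDomain | GroupDomain
    actor_id: str    # user id or group id
    target_id: str   # project id or domain id
    role_id: str
    inherited: bool  # the `inherited` column (OS-INHERIT inherited_to_projects)


class Hierarchy:
    def __init__(self):
        self.projects = {}                 # project id -> Project
        self.children = defaultdict(list)  # parent id -> child ids, creation order
        self.assignments = []

    def add_project(self, p):
        """The checks keystone applies on POST /v3/projects with a parent_id."""
        if p.parent_id is not None:
            parent = self.projects.get(p.parent_id)
            if parent is None:
                raise ValueError("parent project %s does not exist" % p.parent_id)
            if parent.domain_id != p.domain_id:  # a tree never crosses domains
                raise ValueError("sub-project must be in its parent's domain")
            self.children[p.parent_id].append(p.id)
        self.projects[p.id] = p
        return p

    def parents(self, project_id):
        """Ancestor chain, nearest parent first (?parents_as_list)."""
        chain, cur = [], self.projects[project_id].parent_id
        while cur is not None:
            chain.append(self.projects[cur])
            cur = self.projects[cur].parent_id
        return chain

    def subtree(self, project_id):
        """Every descendant in pre-order (?subtree_as_list)."""
        out, stack = [], list(reversed(self.children[project_id]))
        while stack:
            pid = stack.pop()
            out.append(self.projects[pid])
            stack.extend(reversed(self.children[pid]))
        return out

    def effective_roles(self, actor_id, project_id, groups=()):
        """Roles a user holds on one project, directly or via its groups.
        Assumed OS-INHERIT rule: a direct row applies only to its target; an
        inherited row applies to a project target's descendants (not the
        project itself) or, for a domain target, to every project in it."""
        domain_id = self.projects[project_id].domain_id
        actors = {actor_id, *groups}
        ancestors = {p.id for p in self.parents(project_id)}
        roles = set()
        for a in self.assignments:
            if a.actor_id not in actors:
                continue
            if a.type in ("UserProject", "GroupProject"):
                direct = not a.inherited and a.target_id == project_id
                via_parent = a.inherited and a.target_id in ancestors
                if direct or via_parent:
                    roles.add(a.role_id)
            elif a.type in ("UserDomain", "GroupDomain"):
                if a.inherited and a.target_id == domain_id:
                    roles.add(a.role_id)
        return roles


def build_sample():
    """Constructed data: the diagram's two domains, plus one extra level."""
    h = Hierarchy()
    for pid, name, dom, parent in [
        ("aaaa", "AAAA", "bcec", None), ("aaaa-aa", "aa", "bcec", "aaaa"),
        ("aaaa-bb", "bb", "bcec", "aaaa"), ("aaaa-bb-cc", "cc", "bcec", "aaaa-bb"),
        ("bbbb", "BBBB", "bcec", None), ("bbbb-aa", "aa", "bcec", "bbbb"),
        ("bbbb-bb", "bb", "bcec", "bbbb"), ("e-aaaa", "AAAA", "ebsc", None),
        ("e-aaaa-aa", "aa", "ebsc", "e-aaaa"),
    ]:
        h.add_project(Project(pid, name, dom, parent))
    h.assignments += [
        Assignment("UserProject", "alice", "aaaa", "admin", inherited=False),
        Assignment("UserProject", "bob", "aaaa", "member", inherited=True),
        Assignment("UserProject", "carol", "bbbb-aa", "member", inherited=False),
        Assignment("GroupDomain", "ops", "bcec", "auditor", inherited=True),
    ]
    return h
```

With `h = build_sample()`, `h.subtree("aaaa")` yields `aaaa-aa`, `aaaa-bb`, `aaaa-bb-cc` and `h.parents("aaaa-bb-cc")` yields `aaaa-bb`, `aaaa`, the same shapes the two GET responses above carry. The check worth keeping is `effective_roles`: alice's non-inherited admin on `aaaa` gives her nothing on `aaaa-aa`, while bob's inherited member on `aaaa` reaches `aaaa-bb-cc` and the ops group's inherited domain assignment reaches every project in `bcec`. That is exactly the question a tree of projects makes hard to answer by inspecting one project's assignments alone: an inherited row on any ancestor, or on the domain, silently applies, and `add_project` rejecting a parent from another domain is what keeps that reach bounded to one domain.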
