Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 1062821

Summary: [RFE][keystone]: Hierarchical Multitenancy
Product: Red Hat OpenStack Reporter: RHOS Integration <rhos-integ>
Component: openstack-keystoneAssignee: Nathan Kinder <nkinder>
Status: CLOSED CURRENTRELEASE QA Contact: Rodrigo Duarte <rduartes>
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ayoung, fpezzell, ipetrova, jschluet, mabrams, markmc, mkranz, nbarcet, nkinder, pablo.iranzo, rduartes, skinjo, srevivo, ukalifon
Target Milestone: z5Keywords: FutureFeature, Triaged, ZStream
Target Release: 7.0 (Kilo)   
Hardware: Unspecified   
OS: Unspecified   
URL: https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy
Whiteboard: upstream_milestone_kilo-1 upstream_status_implemented upstream_definition_approved
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-24 17:58:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1271123    

Description RHOS Integration 2014-02-08 05:04:56 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy.

Description:

This blueprint encompases migration to "hierarchical ownership" as described by https://wiki.openstack.org/wiki/HierarchicalMultitenancy

Implementation Impact:

- In SQL, the project.domain_id column is is renamed to 'parent_project_id'
- Contents of the domain table must be migrated to the project table, and the domain table dropped
- /v3/domains is exposed as SELECT * FROM project WHERE parent_project_id IS NULL;
- Manager methods for projects (list_projects, etc) rewrite all project ID's as "openstack.<self.parent_project_id>.<self.id>"
- Role assignments to project='openstack' are persisted with a null target (instead of project_id='openstack')

API Impact:

- Everything about domains is deprecated (?)
- GET /v3/projects might return projects with a "children" attribute, containing a list of children (reflecting the entire tree)

Specification URL (additional information):

None

Comment 4 Udi 2015-06-25 11:03:43 UTC
None of the points mentioned in the description of the RFE seem to be implemented. There is still a "domain" table, projects are not children of the domains etc... Is there more updated documentation for the feature?

Comment 7 Nathan Kinder 2015-07-01 05:53:36 UTC
(In reply to Udi from comment #4)
> None of the points mentioned in the description of the RFE seem to be
> implemented. There is still a "domain" table, projects are not children of
> the domains etc... Is there more updated documentation for the feature?

Have you consulted the HMT spec and the actual API documents?  The initial description of this bug was simply copied from an old proposed blueprint.  Things often change as the spec goes through review and as the feature is implemented.

Features should be tested from an API perspective, so the API docs are the authoritative place to look for documentation on using a feature.  If you want to look inside of the black-box, you should look at the spec (though I would caution against relying on things like internal database structure, as they might change during a release cycle).  The bottom line is to test the API.

Comment 13 Rodrigo Duarte 2016-02-19 19:41:06 UTC
I can see a manual test plan for this in Polarion, but this still not ON_QA yet. I believe the manual tests can be automated in tempest, just need to confirm what is the next step here.

Comment 15 Irina Petrova 2016-05-31 12:56:29 UTC
Hey there,

Can we do a little summary on this BZ?

So far HMT has been implemented upstream in Kilo. [1]

However, we still consider it a Tech Preview in OSP 8 (Liberty). [2]

What's more, it's been in Tech Preview since OSP 7 (Kilo). [3]

This means that HMT should work by default but we are not done testing it just yet, or that it needs some additional settings/configuration?

Also, Pablo Iranzo Gómez created a Solution Article according to which we're expecting HMT in OSP 10. [4] How about we change the BZ Target Release to 10 if that's the case?

Thanks.

--Irina

[1] https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy
[2] https://access.redhat.com/documentation/en/red-hat-openstack-platform/version-8/users-and-identity-management-guide/#multi-tenenacy
[3] https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/users-and-identity-management-guide/#multi-tenenacy
[4] https://access.redhat.com/solutions/2323021

Comment 17 Nathan Kinder 2017-02-24 17:58:42 UTC
Nested projects (which is what is being referred to as "Hierarchical Multitenancy" in this bug) is already implemented and tested in OSP10.  Note that some people may expect more from this feature that what the blueprint covers, such as nested quotas and similar functionality in other services.  Those should be handled as separate RFEs against the appropriate components, not here in this Keystone bug.  Closing this as CURRENTRELEASE.