|Summary:||[RFE][keystone]: Hierarchical Multitenancy|
|Product:||Red Hat OpenStack||Reporter:||RHOS Integration <rhos-integ>|
|Component:||openstack-keystone||Assignee:||Nathan Kinder <nkinder>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Rodrigo Duarte <rduartes>|
|Version:||unspecified||CC:||ayoung, fpezzell, ipetrova, jschluet, mabrams, markmc, mkranz, nbarcet, nkinder, pablo.iranzo, rduartes, skinjo, srevivo, ukalifon|
|Target Milestone:||z5||Keywords:||FutureFeature, Triaged, ZStream|
|Target Release:||7.0 (Kilo)|
|Whiteboard:||upstream_milestone_kilo-1 upstream_status_implemented upstream_definition_approved|
|Fixed In Version:||Doc Type:||Enhancement|
|Doc Text:||Story Points:||---|
|Last Closed:||2017-02-24 17:58:42 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:|
Description RHOS Integration 2014-02-08 05:04:56 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy. Description: This blueprint encompases migration to "hierarchical ownership" as described by https://wiki.openstack.org/wiki/HierarchicalMultitenancy Implementation Impact: - In SQL, the project.domain_id column is is renamed to 'parent_project_id' - Contents of the domain table must be migrated to the project table, and the domain table dropped - /v3/domains is exposed as SELECT * FROM project WHERE parent_project_id IS NULL; - Manager methods for projects (list_projects, etc) rewrite all project ID's as "openstack.<self.parent_project_id>.<self.id>" - Role assignments to project='openstack' are persisted with a null target (instead of project_id='openstack') API Impact: - Everything about domains is deprecated (?) - GET /v3/projects might return projects with a "children" attribute, containing a list of children (reflecting the entire tree) Specification URL (additional information): None
Comment 4 Udi 2015-06-25 11:03:43 UTC
None of the points mentioned in the description of the RFE seem to be implemented. There is still a "domain" table, projects are not children of the domains etc... Is there more updated documentation for the feature?
Comment 7 Nathan Kinder 2015-07-01 05:53:36 UTC
(In reply to Udi from comment #4) > None of the points mentioned in the description of the RFE seem to be > implemented. There is still a "domain" table, projects are not children of > the domains etc... Is there more updated documentation for the feature? Have you consulted the HMT spec and the actual API documents? The initial description of this bug was simply copied from an old proposed blueprint. Things often change as the spec goes through review and as the feature is implemented. Features should be tested from an API perspective, so the API docs are the authoritative place to look for documentation on using a feature. If you want to look inside of the black-box, you should look at the spec (though I would caution against relying on things like internal database structure, as they might change during a release cycle). The bottom line is to test the API.
Comment 13 Rodrigo Duarte 2016-02-19 19:41:06 UTC
I can see a manual test plan for this in Polarion, but this still not ON_QA yet. I believe the manual tests can be automated in tempest, just need to confirm what is the next step here.
Comment 15 Irina Petrova 2016-05-31 12:56:29 UTC
Hey there, Can we do a little summary on this BZ? So far HMT has been implemented upstream in Kilo.  However, we still consider it a Tech Preview in OSP 8 (Liberty).  What's more, it's been in Tech Preview since OSP 7 (Kilo).  This means that HMT should work by default but we are not done testing it just yet, or that it needs some additional settings/configuration? Also, Pablo Iranzo Gómez created a Solution Article according to which we're expecting HMT in OSP 10.  How about we change the BZ Target Release to 10 if that's the case? Thanks. --Irina  https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy  https://access.redhat.com/documentation/en/red-hat-openstack-platform/version-8/users-and-identity-management-guide/#multi-tenenacy  https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/users-and-identity-management-guide/#multi-tenenacy  https://access.redhat.com/solutions/2323021
Comment 17 Nathan Kinder 2017-02-24 17:58:42 UTC
Nested projects (which is what is being referred to as "Hierarchical Multitenancy" in this bug) is already implemented and tested in OSP10. Note that some people may expect more from this feature that what the blueprint covers, such as nested quotas and similar functionality in other services. Those should be handled as separate RFEs against the appropriate components, not here in this Keystone bug. Closing this as CURRENTRELEASE.