16:00:10 <schwicke> #startmeeting hierarchical_multitenancy 16:00:11 <openstack> Meeting started Fri Jul 4 16:00:10 2014 UTC and is due to finish in 60 minutes. The chair is schwicke. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:00:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:00:14 <openstack> The meeting name has been set to 'hierarchical_multitenancy' 16:00:33 <schwicke> here we go 16:00:39 <sajeesh> ok 16:00:50 <schwicke> #info welcome to nirbhay 16:01:15 <schwicke> there are a couple of things to be discussed I think 16:01:19 <nirbhay> thanks schwicke 16:01:23 <raildo> #info welcome to rodrigods 16:01:33 <rodrigods> hi all 16:01:35 <raildo> he work with me 16:01:38 <sajeesh> In raildo's blueprint it has been written that,domain_id will renamed to parent_project_id. Whether domains will be dropped ? 16:01:59 <schwicke> #info welcome to rodrigods ! 16:01:59 <sajeesh> hi rodrigods..welcome 16:02:30 <schwicke> let's start with the design document I suggest 16:02:35 <rodrigods> thanks, please continue 16:02:40 <sajeesh> ok fine 16:02:52 <schwicke> #topic discussion of the design document circulated by Sajeesh 16:03:12 <raildo> The concept domain is not removed, it is the root of the hierarchy. 16:03:53 <schwicke> I understand though that there are no specific quotas for domains to be implemented, right ? 16:03:57 <raildo> what is being proposed is using only use the domain_id column as parent_project_id. 16:03:59 <sajeesh> ok 16:04:42 <raildo> I think the problem is that the other services do not know domain 16:04:53 <sajeesh> ok 16:05:51 <rodrigods> schwicke, right, AFAIK 16:06:06 <schwicke> I think so 16:06:51 <schwicke> for the initial implementation I'd be tempted to ignore the domain from the quota perspective. 16:07:07 <sajeesh> +1 16:07:17 <raildo> +1 16:07:28 <rodrigods> ++ 16:07:28 <schwicke> ok, so lets do that 16:08:02 <raildo> in future, we can think in use this BPs https://blueprints.launchpad.net/nova/+spec/domain-quota-driver-api , https://blueprints.launchpad.net/nova/+spec/domain-quota-driver 16:08:05 <schwicke> #AGREED no special treatment of domains is implemened for nova. We'll just ignore them for now 16:08:20 <schwicke> #link https://blueprints.launchpad.net/nova/+spec/domain-quota-driver-api , https://blueprints.launchpad.net/nova/+spec/domain-quota-driver 16:08:24 <schwicke> ok 16:08:31 <schwicke> let's move on 16:08:34 <raildo> ok 16:08:45 <sajeesh> schwicke shall we discuss about getting the parent projects 16:08:54 <schwicke> there was a discussion about how far up we need to go in the tree 16:09:00 <schwicke> sajeesh: yes 16:09:14 <schwicke> #topic getting the parent projects 16:09:33 <sajeesh> schwicke,that depends on the role of person who is acting on the child project 16:09:57 <schwicke> so let's say we have a user of project E with rights in C, D by inheritance 16:10:27 <schwicke> The question is if he needs to know about A and B or not. And that depends on which kind of quota we are storing 16:10:44 <schwicke> did I get it right ? 16:10:50 <raildo> yes 16:10:51 <sajeesh> yes 16:11:16 <rodrigods> if it doesn't know about A and B, if it creates a new instance in E, there is an inconsistence problem over there 16:11:25 <sajeesh> evenif he knows about A and B,he cannot do anything on it. 16:11:25 <raildo> +1 16:11:26 <schwicke> I think if we store the used quota at the project level then we have to go up to the root 16:11:33 <raildo> rodrigods: +1 16:12:16 <sajeesh> shwicke, can you please eloborate that point 16:12:25 <schwicke> rodirgods: can you give an example ? 16:13:11 <schwicke> I think the used quota can be obtained on the fly by summing the usage of the current project plus all its children, right ? 16:13:21 <schwicke> So there is no need to store that 16:13:30 <rodrigods> schwicke, ++ 16:13:52 <schwicke> We need to store the limit at each project level 16:14:15 <raildo> schwicke: i agree 16:14:16 <rodrigods> if A has 100 of free quota, C has quota 10. An user with a role in C and D requests a new instance in C with quota 10. Shoudn't the free quota from A be updated to 90? 16:14:27 <schwicke> but if John changes the quota in C, D or E that does not affect the total quota in A or B, right ? 16:15:02 <raildo> if C, D, E are childrens of B and A, should be changed. 16:15:19 <schwicke> The free quota is the limit minus the used quota, isn't it ? 16:15:31 <schwicke> so no need to store that either so noting to update in A 16:15:38 <sajeesh> rodrigods,a user having a role in A should update it 16:15:40 <schwicke> correct me if I'm wrong guys! 16:16:08 <rodrigods> sajeesh, manually? 16:16:16 <schwicke> I think that the only quota that we need to store is the limit 16:16:19 <sajeesh> yes 16:16:35 <sajeesh> rodrigods,yes 16:17:01 <schwicke> What we have to check though if John updates C is that the usage of B is not exceeded. 16:17:22 <rodrigods> schwicke, ++ 16:17:27 <schwicke> So it should be enough to know the children and the immediate parent 16:17:29 <schwicke> right ? 16:17:34 <sajeesh> rodigods,scope of a user is limited upto the project he has role.Beyond that automatic updation cannot happen 16:17:47 <rodrigods> schwicke, right 16:18:15 <raildo> IMO, the problem here is independent of the role. The problem is to maintain the consistency of data. 16:18:16 <sajeesh> shwicke,children should know about immediate parent only 16:19:08 <raildo> If you do not update A and B, apparent that C, D, E are not part of the hierarchy, which is not true. 16:19:47 <schwicke> we agree that A is the root of the tree in this example, right >? 16:19:47 <sajeesh> raildo,a user having no role in A and B cannot update it 16:20:21 <schwicke> raildo: can you give an example where this can go wrong ? 16:20:45 <rodrigods> sajeesh, the update is not made by the user, IMO. Once a user request some quota from below the hierarchy, this change should be reflected through its parents 16:21:03 <raildo> Imagine if we'd quota domain and projetc. This would be like to create an instance, I would update the quota project and not update the quota field. That would be wrong. 16:22:33 <raildo> sajeesh: Why not? Even though he did not rule on that project, he is a child (or grandchild, or whatever) it. 16:23:50 <sajeesh> raildo, shwicke shall we discuss this matter through detailed email 16:24:11 <raildo> sajeesh: ok, no problem 16:24:13 <schwicke> I think we should try to sort that out. 16:24:19 <schwicke> It's pretty important 16:24:21 <sajeesh> ok fine...thanks 16:24:29 <sajeesh> it is very very important 16:24:37 <rodrigods> let's elaborate a simple example 16:24:44 <schwicke> Yes. 16:24:50 <rodrigods> an hierarchy like? A -> B -> C 16:24:54 <schwicke> fine 16:24:57 <sajeesh> ok 16:24:58 <schwicke> restart from scratch 16:25:00 <rodrigods> user1 has role member in B and C 16:25:03 <schwicke> So A is the root 16:25:12 <rodrigods> and user2 has role member in A, B and C 16:25:36 <schwicke> define "member" 16:25:54 <rodrigods> schwicke, a role that has permissions to create instances, for example 16:26:01 <schwicke> ok 16:26:02 <sajeesh> ok 16:26:11 <nirbhay> ok 16:26:12 <schwicke> that does not give you the right yet to create a sub-project, does it ? 16:26:30 <rodrigods> schwicke, let's say no 16:26:38 <schwicke> OK 16:26:48 <rodrigods> quotas: A=100, B=50, C=25 16:27:15 <schwicke> Quota of A can only be changed by the cloud admin 16:27:37 <rodrigods> schwicke, yeah 16:27:45 <schwicke> Let's distinguish 2 roles: 16:28:00 <schwicke> A member can only create VMs within the projects to which he belongs 16:28:13 <schwicke> A project admin can create sub-projects and set their quotas 16:28:14 <schwicke> OK ? 16:28:17 <rodrigods> ok 16:28:20 <sajeesh> ok 16:28:52 <rodrigods> let's say user1 with role member, creates an instance in C that uses 15 of quota 16:29:02 <sajeesh> ok 16:29:03 <schwicke> ok 16:29:08 <rodrigods> what happens with the free quota from the role tree? 16:29:20 <rodrigods> whole tree* 16:29:40 <raildo> A= 85, b=35, c=10? 16:29:41 <schwicke> nothing 16:30:00 <schwicke> The quota values are the ceilings. They stay as they are 16:30:18 <schwicke> Let's say the quota is in number of VMS 16:30:24 <sajeesh> it depends on how much free quota C is having 16:30:44 <rodrigods> free quota, I meant 16:30:54 <schwicke> so anybody belonging to C can still create instances consuming 10 quota 16:31:06 <raildo> in the case od rodrigods, that would be the free quota of each project. 16:31:13 <nirbhay> ok 16:31:36 <sajeesh> ok....it C is having free quota of 25,then if it uses 15 ,then there will no change in the tree 16:31:39 <schwicke> yes, we need to decide on what we want to store here. 16:32:43 <sajeesh> free quota of C will get reduced to 10 16:32:51 <schwicke> yes 16:32:53 <raildo> schwicke: Currently in Nova, there are three tables for quotas: Quotas, quota usage, reservations. You do not intend to follow the same pattern? 16:33:44 <schwicke> hmm 16:33:55 <schwicke> we probably have to 16:34:18 <sajeesh> I want to add allocation...but that need to be decided 16:34:47 <schwicke> sajeesh: I think raildo is right. If we already have the quota usage at each level then we need the full tree ... 16:35:20 <rodrigods> schwicke, ++ 16:35:41 <raildo> schwicke: I believe that you understood what I wanted to say. 16:35:42 <schwicke> I'd prefer if we could retrieve the usage on the fly instead 16:36:04 <rodrigods> schwicke, yeah, that approach ltgm 16:36:14 <schwicke> thinking loud ... that would be a major change which we should avoid 16:36:22 <sajeesh> schwicke ,raildo as I said I require a detailed discussion before we freeze the design 16:37:02 <sajeesh> through mail....shall we freeze the design in our next meeting 16:37:10 <schwicke> what I don't like very much is that I see the risk that the used quota gets out of date 16:37:31 <schwicke> we can have a summary on this by e-mail. 16:37:39 <raildo> schwicke: ok 16:37:43 <sajeesh> ok 16:38:03 <sajeesh> I will write a more detailed documentation 16:38:04 <schwicke> sajeesh: the point is that if we have to store the used quota that value will always change even at the root of the tree 16:38:15 <sajeesh> ok 16:38:30 <schwicke> ok, let's summaries the disucssion via e-mail 16:38:37 <sajeesh> ok 16:38:54 <rodrigods> please add me as CC: rodrigods@lsd.ufcg.edu.br 16:38:55 * schwicke summarize the used quota issue via e-mail 16:39:14 <sajeesh> rodrigods,sure 16:39:20 <schwicke> #ACTION: summarize the used quota issue via e-mail 16:39:24 <schwicke> (sorry) 16:39:42 <schwicke> is there any other issue which is blocking finalizing the design ? 16:39:55 <sajeesh> no 16:40:31 <sajeesh> we will be able to freeze the design in our next meeting 16:40:41 <schwicke> I'd be tempted to say that we have to go for a full tree access and update the used quota each time a new instance is created, and later on see if that can be improved by getting this info on the fly 16:41:02 <schwicke> So let's move on 16:41:06 <raildo> rodrigods is implementing the delete project in the hierarchy, as we discussed. I believe that he can speak a little of how it's going. 16:41:12 <sajeesh> shwicke,I will think about it 16:41:20 <sajeesh> ok 16:41:44 <raildo> #topic delete project 16:42:09 <schwicke> I think the idea was to restrict ourselves in the first iteration to have only the option to delete the leaves, right ? 16:42:25 <sajeesh> yes 16:42:47 <rodrigods> yeah 16:43:41 <rodrigods> we only have to check whether the target "project_id" is parent_project_id from another project 16:43:58 <schwicke> correct 16:44:02 <sajeesh> right 16:44:04 <rodrigods> that's almost complete, but has the dependency of the changes in the project table 16:44:12 <sajeesh> ok 16:44:13 <rodrigods> if a new column parent_project_id will be added 16:44:36 <rodrigods> or if domain_id will be renamed and the data from domains table migrated 16:45:00 <schwicke> rodrigods: this is in keystone,right ? 16:45:07 <raildo> schwicke: yes 16:45:11 <schwicke> ok 16:45:45 <schwicke> I wonder if we should touch the domain stuff 16:46:31 <sajeesh> for the time being,I think we should not touch 16:47:14 <raildo> +1 16:47:18 <rodrigods> ok 16:47:21 <rodrigods> makes sense to me 16:47:29 <rodrigods> add a new column, then 16:47:52 <schwicke> by feeling would be taht renaming the domain_id is calling for trouble 16:47:59 <schwicke> s/taht/that/ 16:48:01 <schwicke> :) 16:48:17 <sajeesh> yes 16:48:39 <schwicke> so shall we go for that ? 16:49:04 <raildo> I had thought of this solution first, but ayoung, dolphm, asked me to make this change. But I'm more relaxed creating a new column. 16:49:45 <rodrigods> if keystone folks step the foot in renaming, we can do that, but let's not touch in it for now 16:49:50 <rodrigods> makes sense? 16:49:52 <schwicke> hope then they will accept this 16:49:58 <sajeesh> +1 16:50:02 <raildo> yes 16:50:10 <schwicke> +1 16:50:14 <schwicke> #AGREED don't touch the domain stuff in keystone but rather add a new column for the parent project 16:50:22 <schwicke> 10min left 16:50:24 <raildo> I'll update the spec 16:50:27 <schwicke> ok 16:51:06 <raildo> we have something else to discuss? 16:51:18 <schwicke> I think we still need to clarify about using keystone API V3 16:51:32 <schwicke> #topic keystone API version to be used 16:51:35 <sajeesh> yes 16:51:51 <schwicke> my understanding is that we don't have much of a choice here, do we ? 16:52:11 <rodrigods> ++ 16:52:14 <sajeesh> I am afraid,no 16:52:23 <raildo> to use Inherited roles is necessary using keystone API v3 16:52:30 <sajeesh> ok 16:52:33 <schwicke> +1 16:52:37 <raildo> there is no other option. 16:52:44 <sajeesh> ok 16:52:47 <schwicke> #AGREED: we have to use keystone API V3 16:52:51 <sajeesh> +1 16:52:57 <raildo> +1 16:53:04 <schwicke> for the next meeting I think we need to think a bout about roles 16:53:10 <schwicke> can prepare this via e-mail 16:53:23 <sajeesh> yes I will send a detailed document 16:53:28 <schwicke> that's coming back to our inital discussion 16:54:10 <schwicke> sajeesh: we could be a bit more explicit on that in your design document eventually. 16:54:25 <sajeesh> schwicke,sure 16:54:30 <schwicke> Anything else for today ? 16:54:44 <sajeesh> nothing 16:54:52 <schwicke> I have something 16:54:54 <raildo> let's go watch the world cup! 16:54:57 <raildo> =] 16:54:59 <schwicke> #TOPIC meeting time 16:55:19 <schwicke> is everybody comfortable with the time of the meeting ? 16:55:28 <sajeesh> I am ok 16:55:44 <schwicke> for me it clashes a bit with dinner. Not a big issue though 16:55:47 <raildo> no :( Here in Brazil this time is not very comfortable. 16:56:00 <rodrigods> schwicke, lunch time here 16:56:09 <schwicke> shall we have it one hour earlier ? 16:56:20 <schwicke> think about it. We'll see next week 16:56:29 <sajeesh> ok 16:56:34 <raildo> maybe, 2 hours? 16:56:47 <raildo> would be perfect for us. 16:56:49 <schwicke> that would be 4pm in Geneva 16:56:53 <schwicke> would be good for us 16:57:00 <sajeesh> 2 hours will be difficult for me ..one and a half hours ? 16:57:01 <rodrigods> and 11am in Brazil 16:57:16 <schwicke> right, we have to think about India as well :) 16:57:25 <raildo> yes 16:57:30 <schwicke> let's discuss offline 16:57:36 <raildo> yeah 16:57:42 <rodrigods> yeah 16:57:43 <sajeesh> yes 16:57:46 <schwicke> #agreed : discuss better timing offline 16:57:50 <schwicke> #endmeeting