How does multi tenancy work?

Asked by Philip Peshin

Hello team,
I am experimenting with Designate for a multi tenant environment where each tenant is supposed to get his own domain and can manage records in it.
I see that you have a tenant_id field in the domains table, but I do not see an API in v1 to set it (the domain schema does not have this field).

Am I missing something? (I haven't looked at the v2 APIs yet.)

Thanks,
Philip

Question information

Language: English
Status: Answered
For: Designate
Assignee: Kiall Mac Innes

Graham Hayes (grahamhayes) said :
#1

Hi Philip,

We use keystone to do multi tenancy in designate.

The person who creates the domain is the tenant that gets used in the tenant_id field, and as such has the ability to manage the domain.

Hope this helps!

Graham

Philip Peshin (ppeshin) said :
#2

Thanks for the answer. I tried creating a domain as a tenant, and got a 403 error. I guess from the code it's policy driven? Could you point me to an example of a policy.json file?

Thanks,
Phil.

Graham Hayes (grahamhayes) said :
#3

There is one in the project - https://github.com/stackforge/designate/blob/master/etc/designate/policy.json

This should allow you to create a domain as a tenant.

Is keystone connected ok?

Philip Peshin (ppeshin) said :
#4

After I looked more closely at the policy file and a log file, I realized what happened and why I was getting the 403.

When the tenant attempted to create a domain - here is what was written in the log:
"Forbidden: Unable to create subdomain in another tenants domain"

Apparently I created a "main" domain with the admin user and tried to create a subdomain in it as a tenant. So I know how to make it work now - create separate domains for tenants, not subdomains. But this still does not solve my problem. I thought of having a "main" domain with some records in it, owned by admin, and subdomains owned by tenants. How do I solve it? Any suggestions?

Thanks,
Phil

Graham Hayes (grahamhayes) said :
#5

I am not sure, I am assigning the question to Kiall to have a look at, but my gut says that there is not a way of doing that yet.

If we don't, please log a blueprint, so we can look at including it in the project, and track it in the future.

Thanks,

Graham

Graham Hayes (grahamhayes) said :
#6

Hi Philip,

Talked this over with Kiall...

Currently there is no way to do this, but it should be a quick enough change, to wrap some of the calls in a policy check.

If you could create a blueprint, that would be great, and it can go in to the list of features.

Thanks,

Graham
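
The behaviour described in posts #4 and #6, as an added example that is not part of the thread and not Designate's own code: a simplified Python model of the ownership check behind the 403, with a hypothetical `allow_cross_tenant` hook standing in for the policy check post #6 proposes. The function names, the in-memory `domains` dict and the tenant ids are assumptions.

```python
class Forbidden(Exception):
    """Stands in for the HTTP 403 the API returned in post #4."""


def normalize(name):
    # Compare zone names case-insensitively and fully qualified.
    return name.rstrip(".").lower() + "."


def find_parent_domain(name, domains):
    """Return the closest existing ancestor zone of `name`, or None.

    Matching walks whole labels, so "notexample.com." is not treated as
    a child of "example.com." the way a naive endswith() check would.
    """
    labels = normalize(name).rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in domains:
            return candidate
    return None


def create_domain(name, tenant_id, domains, allow_cross_tenant=None):
    """Register `name` for `tenant_id`; `domains` maps zone name -> owner.

    `allow_cross_tenant(tenant_id, parent_owner, parent)` is a hypothetical
    policy hook (assumption); without it, creation under another tenant's
    zone is refused.
    """
    name = normalize(name)
    if name in domains:
        raise ValueError("domain already exists: " + name)
    parent = find_parent_domain(name, domains)
    if parent is not None and domains[parent] != tenant_id:
        owner = domains[parent]
        if allow_cross_tenant is None or not allow_cross_tenant(tenant_id, owner, parent):
            raise Forbidden("Unable to create subdomain in another tenants domain")
    domains[name] = tenant_id
    return name


if __name__ == "__main__":
    zones = {"example.com.": "admin"}  # constructed sample data
    print(create_domain("tenant1.org.", "t1", zones))
    try:
        create_domain("t1.example.com.", "t1", zones)
    except Forbidden as exc:
        print("403:", exc)
```

A hook that only permits delegation under admin-owned zones keeps one tenant from creating names inside another tenant's subdomain.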

Ruslan Kiianchuk (zoresvit) said :
#7

Hi.

So was there any blueprint filed for this feature? I wonder about the current status since I might need such functionality. If there's still none, I'll be glad to start the blueprint.

Thank you.
