From YouTube: CDS Infernalis (Day 1) -- RGW: Multitenancy
Description
Videos from Ceph Developer Summit: Infernalis (Day 1)
03 March 2015
https://wiki.ceph.com/Planning/CDS/Infernalis_(Mar_2015)
B
The discussion is S3. Well, when we developed the gateway originally, we followed the S3 user model, in which you have one global namespace. Users are created within that namespace; buckets are also sharing this same namespace.
B
So when you create a bucket, it needs to be unique through the system. And then, when we added Swift, well, at the time, Swift was kind of like using swauth, and the notion of tenants, it might have existed, but it was hidden very carefully within the interfaces.
B
So we need to do Swift. We created subusers, and basically a user is kind of like just a different way to look at the RGW user. So you can have multiple subusers for a single RGW user. They have a very coarse permission system in which.
B
A user can have a subuser that inherits all the owning user's rights, but you can limit its operations to do read-only operations or write-only operations, but basically it's just a different way to access the user.
B
But still they all live in one global namespace, right? So then comes the idea of different tenants. You know, people want to be able to create completely separate applications that don't share the same namespace, each creating their own buckets, having their own names. They don't need to live in one global namespace, which makes sense, so.
B
What we propose here is the ability to do just that. We add: each RGW user will have a tenant property that it belongs to.
B
Each bucket will have a tenant property, and all existing users are gonna exist in the global tenant. All new users, if they belong to a different tenant, will inherit that tenant's properties. Buckets will not need to be unique across different tenants. They'll only need to be unique across that tenant. A user could be referenced as tenant, colon, user. So.
B
A user now will be referenced through the tenant it belongs to. The same kind of goes for buckets. We probably cannot use the colon character for it, for some kind of issues with a bucket instance like this, that did already use the colon character, but a bucket could be referenced through the tenant. Now, operations that go through a specific user: if the tenant is not specified explicitly, then the user's tenant is gonna be used.
B
If a user gives permissions to another user in the ACL, in the list of ACLs that it provides for a specific object or bucket, then it is assumed that the user's tenant is the one that is using that policy.
B
Let's see. Okay, so how does that play with S3? Well, not much needs to change, because.
B
There's not much in the gateway that is, like, a tenant is just a namespace, right? So, but one thing that kind of conflicts with the S3 way of things is that with S3 you're able to access a specific bucket through going to a virtual host name, right? You specify bucket dot domain, and that brings you to the specific bucket. Now there are a few options to do that now with S3.
B
First of all is saying: okay, if you do that, you just go to the global bucket. You cannot access the buckets in different tenants using that API. That's one option. Another option is being able to specify different domains for different tenants. We can either do it through an entire domain, like bucket dot tenant domain one, bucket dot tenant domain two, or doing it is having the tenant as the subdomain, so say bucket.tenant.domain, and can probably have it configurable.
B
Multi-tenancy functionality, we can extend that. Once we have that, there are other things that we can add. For example.
B
Have, like, some kind of a property that belongs to those users, but we can do stuff and configure stuff at the tenant level. We can say: okay, a tenant would have different storage, specific storage policies that it uses, or placement target. We can provide quota by tenants, not by users or globally.
B
Getting statistics about usage at the tenant level? We can do it nowadays per user, if quota is set, but we might have it, like, happening anyway, per user and per tenant. Or have some kind of tenant admins that can administer their users, which kind of sounds to me like further down the line.
B
We will have to, you know, once we have that, we will have to either rethink that or keep Keystone mapping into.
B
You know, a specific, still keep it into a specific user, depending on how to do that. So either, we have two options: one, keep the current mapping. The second one is now map Keystone user into a tenant and Keystone.
B
So now Abhishek proposing role-based authentication.
B
Yeah, well, I assume it's something like, you know, users in specific tenants would only have specific permissions. You know, but you know.
A
B
All right, everything's going to be everywhere, it's going to be included in the S3, including Swift. It's not going to change the API much. If you provide an S3 user reference, it's the reference. If it has a colon in it, it will be assumed that it's using a tenant, it's specified a tenant. If it doesn't have it, then it's just find the user within the current.
B
I think so, and if not, we can make it configurable, which is a character itself, but you know, I think colon, because for colon we were using it for the subuser.
A
All right, so, it's along a similar vein with the DNS name thing: was dot an allowed character? Obviously.
A
B
Right, we can do that. We can either make the tenant the subdomain or have per-tenant domains, or both.
B
A
B
To throw away the subuser concept, yeah, we need to think about it. A subuser concept is a broken one.
B
Rid of the, the thing is that there are users who are actually using S3 with subusers, which is kind of an accident, because it wasn't really supposed to be working with S3. But you know, the thing with subusers is that you are able to give users some different keys into the same data, and actually that's kind of still going to be different from Swift, right, because in Swift, under the same tenant, all the users that you create share the same data in S3.
B
The, or, really long URLs, URIs.
B
Well, we can decide on that. In Swift, the tenant names are kind of like a UUID and they have a name. So you have a tenant ID and a tenant name, and the tenant name, it describes it, it's kind of like. I know you should probably have some kind of.
B
You know, we were kind of user-friendly, in which we kept using the usernames rather than the user, and the some kind of, you know, 128-character or 32-character random hex string, but on the other hand it poses some issues, like if you want to reference different user instances. Like, you created the user, you remove the user, then you create it again, and there's no difference in the new user than the old one, right? So your reference is the same.
B
Bucket names, and that was solved for Dumpling when we introduced this bucket instance, and so maybe having some kind of a user instance and tenant instance is the way to go forward, the correct way to go forward, yeah. It's a good point.
A
All right, was there anything else? So I'm, because the question for me is always like what the next step is to move forward with this, because we've talked about it several times and it seems to come down to, at least for me, not knowing very much about what people who are using sort of RGW for Swift API are actually hitting, and how much they, whether this sort of fits their compatibility needs or whatever, and then also how much we're gonna break things if we drop subusers, but I'm not sure how to get that feedback.
B
A
B
So currently, implementation-wise, it's not a very complicated issue, if you don't do all the extra stuff on them, and the stuff is not, you know, it just, you know, touches the peripherals. It's not anything very complicated. But as for user stories, I did have discussions with some users and this plan seemed fair.
B
No one was really concerned about. Unless someone else wants to chime in now and say what they think. I think it's something that she should probably have anyway.
A
It's gonna mostly come down to, like, testing, right? There's the initial effort to get your stuff sort of, you know, in shape or whatever and updated. But then, you know, having a test suite that actually exercises the namespace both on the Swift side and on the S3 side to make sure that it actually makes sense, right, and that's like.
B
A
Yeah, well, maybe, we seem to be getting more patches than usual with fixing Swift compatibility issues. So maybe, if one of those contributors is interested in sort of spearheading that effort, that would be.
B
Yep, definitely. Well, the branch is up there. I can, if anyone wants to pick it up.