263d5438f0
Manila APIs have had the requirement to include project_id in the URLs since the very beginning. This comes from an old assumption that our APIs would be differentiated per-tenant on the cloud, and we would allow different kinds of API endpoints (public, admin, internal, etc). While it is possible to set up different endpoints against the API service, the same and complete API is exposed at each of these endpoints. We don't _need_ the project_id information that we receive in the URL for any of our APIs to function. We rather authorize tenants by gathering information from the Identity service (Keystone) and wrapping that into a RequestContext object that we then rely on to ensure namespace isolation. Removing the requirement for "project_id" simplifies our API endpoint structure in the service catalog as well as provides a way for system scoped users to interact with manila without having to declare their project. In order to make project_id optional in urls, the possible values of project_id have to be constrained. This change introduces a new configuration option so deployers may control that. This configuration option defaults to accepting UUIDs with and without dashes. Since manila can be used in standalone deployments without the need for Keystone, this change introduces a noauth middleware that can work without project_id in the URL paths. The API version has been incremented to signal this change to end users. When 2.60 is available, deployments may drop "project_id" in the service catalog endpoint for Manila and end users applications can stop needing it as well (if they don't already rely on the service catalog for this data). APIImpact Implements: bp remove-project-id-from-urls Change-Id: I5127e150e8a71e621890f30dba6720b3932cf583 Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
27 lines
1.4 KiB
YAML
27 lines
1.4 KiB
YAML
---
|
|
prelude: >
|
|
Manila v2 API URLs no longer require a project_id to be specified.
|
|
features:
|
|
- |
|
|
It is now possible to omit the %{project_id}s from the API endpoints for
|
|
the v2 API. While the behavior of the APIs have not been altered, the
|
|
service recognizes URLs with and without project ids in the path. It is
|
|
recommended that you adjust the service catalog in your cloud to remove
|
|
the project_id substitution, especially if you would like to enable
|
|
users operating at system scope.
|
|
- |
|
|
A new "noauth" auth strategy is available, and is named "noauthv2".
|
|
It can be enabled by setting the configuration option
|
|
``[DEFAULT]/auth_strategy`` to ``noauthv2``. This auth strategy can be
|
|
used when project_id substitution is removed from the manila endpoint URL.
|
|
upgrade:
|
|
- |
|
|
In order to make project_id optional in urls, the possible values of
|
|
project_id had to be constrained. A new configuration option called
|
|
``project_id_regex`` has been added in the ``[DEFAULT]`` section. The
|
|
default value for this option is ``[0-9a-f\-]+`` and it matches hex
|
|
UUIDs with and without dashes, therefore covering the formats supported
|
|
by the OpenStack Identity service. If your cloud uses other formats, set
|
|
this configuration option accordingly, or remove project_id from the
|
|
manila endpoint URL in your service catalog.
|