Ask Your Question
1

Heat Resource Plugin for third party storage

asked 2014-11-12 07:33:05 -0500

Pradip gravatar image

Hello,

We come across this: http://docs.openstack.org/developer/heat/pluginguide.html (http://docs.openstack.org/developer/h...)

Looks like it solves three of the purposes listed below:

  1. Define a custom resource type with properties and attributes
  2. Register the resource to the Hear orchestrator
  3. Write a driver/plugin (most likely the Life Cycle methods) which can create/manage the resources when encounter from the Heat orchestration engine.

Am I right?

Now the question is: in one place it is mentioned as:

" It defines methods corresponding to the life cycle as well as the basic hooks for plug-ins to handle the work of communicating with specific down-stream services "

Can this down-stream service be anything (say a third-party storage array)? Or it has to be a OpenStack service only?

Thanks in advance, Pradip

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
1

answered 2014-11-12 10:50:26 -0500

zaneb gravatar image

In principle it can be anything.

In practice you'll want to think carefully about authentication. Heat can always authenticate to OpenStack services with the user's Keystone credentials. With a non-Keystone-authenticated service, you have a number of options, none of which are especially good:

  • Don't have any authentication on the service
  • Have Heat itself authenticate, so any Heat user can access the service (i.e. non-multitenant)
  • Put the user's credentials in the template (as properties to the resource)

All of those have security implications that you may or may not be willing to accept depending on your own particular circumstances.

edit flag offensive delete link more

Comments

Thanks Zaneb. It makes sense.

One question still hovers my mind. When we will be writing the life cycle methods, - what are all possible ways we can interact with the underlying service? Through SOAP/REST API calls? through the command line interface exposed by the service (assume #3 for authen)?

Pradip gravatar imagePradip ( 2014-11-12 22:26:56 -0500 )edit

Zaneb,

Valid, very valid concern (regarding auth). Just seeing that it is possible to authenticate any down-stream service by overriding the keystone authenticator. Lets say writing a PAM authenticator plugin with keystone for third-party. Does it make sense to you? Thanks, Pradip

Pradip gravatar imagePradip ( 2014-11-14 00:14:38 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-11-12 07:33:05 -0500

Seen: 156 times

Last updated: Nov 12 '14