How do I effectively disable/enable a tenant using the API?
I am a Java developer interacting with OpenStack through the REST API - I am unfortunately not yet familiar with the product, but happily learning.
I have a user story by which I need to deactivate a tenant. The business case, I suppose, is pretty standard: if a user happens to not respect my company's conditions of service, then we want to block all accesses to his/her tenant(s), so that no one can access it anymore, in any of read/write mode.
I have checked out the API documentation, and found out that a tenant could be as easily enabled/disabled as setting the "enabled" property of the tenant object, using an updateTenant service call.
My problem, however, is that the setting of this property, while reported to be working by the code returned by the service call, does not happen to yield the effects that I expect. Namely, even with a disabled tenant, I can still insert some object into a container held by the tenant.
Hence my question: how do I effectively disable/enable a tenant, so as to prevent any write/read on it? Am I using the right method (and if so, why is it failing)? Should I use another approach? Could this possibly be related to some security setting (roles or tokens in use)?
On my single node grizzly installation (a basic devstack setup), a disabled tenant is able to spawn instances (using existing token of a user belonging to that tenant). Can the operations that can be performed by a disabled tenant be configured (policy or elsewhere) ?
Seems like a bug. What about firing a bug report in launchpad?