How to isolate dedicated cinder volume nodes for a tenant?

I have a private cloud with Icehouse and I am trying to segregate/divide my cloud into several parts. I already use host aggregates (nova) to assign specific compute nodes for tenant isolation, and I am trying to do the same for cinder-volumes. I've tried a solution based on volume types and quotas, but if a user doesn't define a type when he creates a cinder volume, this volume may land on the wrong cinder volumes. Type & quota (cinder): hitchnyc post about openstack-multi-tenant-isolation

-- Sandbox architecture --

  • cinder001 needs to provide LVM iSCSI volumes only for tenant001
  • Note: tenant001 spawns VMs only on compute001 thanks to host-aggregate
  • cinder002-003 need to provide LVM iSCSI volumes for the other tenants

I already used a custom filter based on a map (a JSON file with the association between volume nodes and tenants):

  • cinder.conf >
  • map.conf like this >

    { "*": [ "cinder002", "cinder003" ], "<tenant001 uuid>": [ "cinder001" ] }

But I am wondering if it's possible to handle this more at the API level, because this solution is too static.
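
The map-based placement decision described in the post, as an added example that is not the poster's filter or Cinder's own code. The function names, the sample UUID and the semantics are assumptions: a tenant with its own entry is confined to those nodes, every other tenant gets the `"*"` list, and anything unlisted is rejected. In a deployment this decision would be made from the `host_passes` method of a scheduler filter.

```python
import json

# Constructed sample in the shape shown in the post; the UUID is a placeholder.
SAMPLE_MAP = '''
{ "*": ["cinder002", "cinder003"],
  "11111111-2222-3333-4444-555555555555": ["cinder001"] }
'''

def load_map(text):
    """Parse the tenant -> nodes map; raise ValueError on a malformed entry."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("map must be a JSON object")
    for tenant, hosts in data.items():
        if not isinstance(hosts, list) or not all(
                isinstance(h, str) and h for h in hosts):
            raise ValueError("hosts for %r must be a list of names" % tenant)
    return {t: frozenset(h) for t, h in data.items()}

def node_name(backend_host):
    """Reduce 'node@backend#pool' (multi-backend naming) to the node name."""
    return backend_host.split("#", 1)[0].split("@", 1)[0]

def host_passes(tenant_map, project_id, backend_host):
    """True only if the tenant may place a volume on this host (fail closed)."""
    if not project_id:
        return False                      # no tenant identity: reject
    allowed = tenant_map.get(project_id)
    if allowed is None:                   # no dedicated entry: shared pool
        allowed = tenant_map.get("*", frozenset())
    return node_name(backend_host) in allowed

def audit_map(tenant_map):
    """List dedicated nodes that also sit in '*', i.e. are open to everyone."""
    shared = tenant_map.get("*", frozenset())
    return sorted({h for t, hosts in tenant_map.items() if t != "*"
                   for h in hosts if h in shared})

if __name__ == "__main__":
    m = load_map(SAMPLE_MAP)
    tenant001 = "11111111-2222-3333-4444-555555555555"
    for tenant in (tenant001, "some-other-tenant"):
        for host in ("cinder001@lvm", "cinder002@lvm", "cinder003"):
            print(tenant[:8], host, host_passes(m, tenant, host))
    print("dedicated nodes leaked into '*':", audit_map(m))
```

Because the volume type is never consulted, a volume created without a type still lands only on the nodes mapped to its tenant.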