Thank you buc,
Nice to have your answer this morning.
First I have to correct my OpenStack/Keystone language
By Tenant I meant Domain and not “Project”
So let’s start by having only one OpenStack. I can connect Keystone, where I declare 2 Domains and 10 different users in each Domain. I assign the _admin role to one and _user to the 9 others in each Domain.
Then I declare in my ManageIQ this single OpenStack as my Cloud Provider.
Finally I create a new service catalog, and a new service item pointing to my single OpenStack.
- But my users are sitting in my Keystone and are not the same as the ones accessing ManageIQ, so how could the “order” of a service item work if the user is not defined from one end to the other with consistent access rights?
… As I reach saturation, now let’s extend the capacity of my Cloud. In a remote datacenter I create a new OpenStack cluster. I then have to “clone” all (almost all) that I have in the first cluster, at least Domains, user groups, users, etc., and go back to ManageIQ and declare a new Provider.
- But now I have two Keystones that need to be synchronized upstream and downstream; how do I deal with consistency if ManageIQ doesn’t hold the master user reference?
Growing over time to tens and tens of clusters, I do not want the “user” to have any visibility into my technical setup or to be asked to choose where to place the VM. I want my CMS to place the requested VM automatically in a placement zone somewhere, based on a predefined policy (role, Domain, geography, resource occupation balance, traffic, latency, affinity, etc.)
- Again, if my user definitions and roles are sitting in each Keystone, how could the policy engine sort out where to place the user’s workload?
I suppose that I have to solve these questions outside ManageIQ with a kind of master Keycloak…
Looking forward to having your insight