The current taxonomy model is very hard to understand for both Users and Developers, which in turn complicates life for both.
Even during the primary design , there were many arguments for a simpler model. There was even an followup RFC to change this to the said simpler model afterwards best summarized in Ivan’s comment on that . We even have user feedback on the topic e.g. .
Every time we try to introduce a new resource/entity, we have a hard time figuring out how it fits with our existing multi-tenancy models. It’s also more complicated by the fact that some resources belong to a single Organization and Location (Host) while some others belong to multiple (Subnet, Domain). Some only support single Organization multi-tenancy but not Location at all (all Katello resources). Some ignore the multitenancy completely (Operating System). When you have a more complex object that combines other resources, it’s causing a lot of problems (e.g. Host living in org 1 being assigned to org-less OS, assigned to the subnet available in 3 orgs, being assigned LCE from a single Org but no Loc etc). Also with Katello, orgs can no longer be nested, while in non-katello installations Organizations can be nested in a tree structure, so Host in fact belongs to multiple organizations.
I’d like to propose a way out of that. In my current effort I need to have Ansible roles taxable at least by Organization so I’m proposing to start implementing this new model in Foreman Ansible, but I’d love to take it into the Foreman core for all the resources.
The proposal: Organizations should be the only taxonomy with a strict single organization per resource restriction and location would be only a classification, but not a multi-tenancy source.
This is a simple proposal that would have to be properly designed and thought through. Though the steps in my mind are:
- Identify resources that can have multiple organizations assigned for no reason and simplify that by forcing a single organization (Hostgroup would be the first in Foreman core)
- Identify resources that need to be shared across the organizations and figure a way to do so (keeping the current model would be the easiest) but need to be limited to only resources that has to be shared.
- Consider dropping Organizations nesting, to get rid of multi-tenancy of models completely
- Making location only a classification - remove Location from RBAC, stop enforcing its selection and stop filtering by it in default scope and permission checks
As this was discussed many times, I’d appreciate it if you raise blockers and thoughts to this plan in general and try not to deep dive into the implementation design yet, as I’ll have a thread once we’d start the design of each step where we can discuss implementation details.