I still remember the day when a customer asked me to configure multi-tenant isolation on his/her brand new OpenStack cloud. It was a good 15 minutes of stress and fear, as I had heard of a few horror stories related to it. Anyone who has read the blueprint (https://blueprints.launchpad.net/nova/+spec/multi-tenancy-aggregates) on this feature will know why I was close to panic mode. While the blueprint is very clear on what is needed configuration wise, I personally knew that it was also no guarantee that all the steps were listed and/or worked, as promised. It was at this point that I decided to make sure whether the steps to do this were first clearly documented and proven before promising anything to the customer.
As mentioned earlier, in order to enable the complete feature the OpenStack identity (Keystone), compute (Nova), and block storage (Cinder) services will be involved. The complete multi-tenant isolation feature covers both computing and block storage...