[openstack-dev] [Neutron] Question about service subnets spec

John Davidge John.Davidge at rackspace.com
Tue Jun 7 13:56:48 UTC 2016


Resurrecting this thread from last week.

On 5/31/16, 10:11 PM, "Brian Haley" <brian.haley at hpe.com> wrote:

>> At this point the enumeration values map simply to device owners.  For
>>example:
>>
>>    router_ports -> "network:router_gateway"
>>    dvr_fip_ports -> "network:floatingip_agent_gateway"
>>
>> It was at this point that I questioned the need for the abstraction at
>> all.  Hence the proposal to use the device owners directly.
>
>I would agree, think having another name to refer to a device_owner makes it
>more confusing.  Using it directly lets us be flexible for deployers, and
>allows for using additional owners values if/when they are added.

I agree that a further abstraction is probably not desirable here. If this
is only going to be exposed to admins then using the existing device_owner
values shouldn't cause confusion for users.

>
>> Armando expressed some concern about using the device owner as a
>> security issue.  We have the following policy on device_owner:
>>
>>    "not rule:network_device or rule:context_is_advsvc or
>> rule:admin_or_network_owner"
>>
>> At the moment, I don't see this as much of an issue.  Do you?
>
>I don't, since only admins should be able to set device_owner to these values
>(that's the policy we're talking about here, right?).
>
>To be honest, I think Armando's other comment - "Do we want to expose
>device_owner via the API or leave it an implementation detail?" is important
>as well.  Even though I think an admin should know this level of neutron
>detail, will they really?  It's hard to answer that question being so close to
>the code

Seeing as device_owner is already exposed by the port API I don't think
this is an issue. And if we agree that a further abstraction isn't a good
idea then I don't see how we would get around exposing it in this context.

https://review.openstack.org/#/c/300207

John
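
The device_owner policy rule quoted in the thread, evaluated against a few request contexts. This is an added example, not part of the original message and not Neutron's own code. The three sub-rule definitions are assumptions modelled on Neutron's default policy file (the thread quotes only the top-level rule), and the tenants, roles and network are constructed sample data.

```python
import re

# Sub-rule definitions below are assumptions modelled on Neutron's default
# policy file; the thread quotes only the top-level device_owner rule.
def network_device(port):
    # assumed: field:port:device_owner=~^network:
    return re.match(r"^network:", port.get("device_owner") or "") is not None

def context_is_advsvc(ctx):
    # assumed: role:advsvc
    return "advsvc" in ctx["roles"]

def admin_or_network_owner(ctx, network):
    # assumed: role:admin or tenant_id:%(network:tenant_id)s
    return "admin" in ctx["roles"] or ctx["tenant_id"] == network["tenant_id"]

def may_set_device_owner(ctx, port, network):
    # Rule quoted in the thread ("not" binds tighter than "or"):
    #   not rule:network_device or rule:context_is_advsvc
    #     or rule:admin_or_network_owner
    return (not network_device(port)
            or context_is_advsvc(ctx)
            or admin_or_network_owner(ctx, network))

# Constructed sample data: one network owned by tenant "infra".
NETWORK = {"tenant_id": "infra"}
TENANT = {"roles": ["member"], "tenant_id": "t1"}
CASES = {
    "tenant, compute:nova": (TENANT, "compute:nova"),
    "tenant, router_gateway": (TENANT, "network:router_gateway"),
    "tenant, dvr fip gateway": (TENANT, "network:floatingip_agent_gateway"),
    "advsvc, router_gateway": ({"roles": ["advsvc"], "tenant_id": "svc"},
                               "network:router_gateway"),
    "admin, router_gateway": ({"roles": ["admin"], "tenant_id": "ops"},
                              "network:router_gateway"),
    "net owner, router_gateway": ({"roles": ["member"], "tenant_id": "infra"},
                                  "network:router_gateway"),
}

def evaluate_cases():
    # Map each case name to True (allowed) or False (denied).
    return {name: may_set_device_owner(ctx, {"device_owner": owner}, NETWORK)
            for name, (ctx, owner) in CASES.items()}

if __name__ == "__main__":
    for name, allowed in evaluate_cases().items():
        print(f"{name:28} {'allow' if allowed else 'deny'}")
```
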

