<p dir="ltr">The only issue with the separate service proxying API calls is that it can't receive requests between the service and core plugins. </p>
<p dir="ltr">What kind of stability requirements were you concerned about? A response change would be similar to having a custom policy.json file where things that violate constraints would result in a 403.</p>
<div class="gmail_quote">On Aug 8, 2014 1:04 PM, "Maru Newby" <<a href="mailto:marun@redhat.com">marun@redhat.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Aug 8, 2014, at 10:56 AM, Kevin Benton <<a href="mailto:blak111@gmail.com">blak111@gmail.com</a>> wrote:<br>
<br>
> There is an enforcement component to the group policy that allows you to use the current APIs and it's the reason that group policy is integrated into the neutron project. If someone uses the current APIs, the group policy plugin will make sure they don't violate any policy constraints before passing the request into the regular core/service plugins.<br>
<br>
<br>
The enforcement requirement might be easier to implement through code-based integration, but a separate service could provide the same guarantee against constraint violation by proxying v2 API calls for an endpoint to which access was restricted.<br>
<br>
Apologies if I've missed discussion of this (it's a big thread), but won't enforcement by group policy on the v2 API have the potential to violate stability requirements? If new errors related to enforcement can result from API calls, that would seem to be a change in behavior. Do we have a precedent for allowing extensions or new services to modify core behavior in this way?<br>
<br>
<br>
m.<br>
<br>
><br>
><br>
> On Fri, Aug 8, 2014 at 11:02 AM, Salvatore Orlando <<a href="mailto:sorlando@nicira.com">sorlando@nicira.com</a>> wrote:<br>
> It might be because of the wording used, but it seems to me that you're making it sound like the group policy effort could have been completely orthogonal to neutron as we know it now.<br>
><br>
> What I understood is that the declarative abstraction offered by group policy could do without any existing neutron entity leveraging "native" drivers, but can actually be used also with existing neutron plugins through the mapping driver - which will provide a sort of backward compatibility. And still in that case I'm not sure one would be able to use "traditional" neutron API (or "legacy" as it has been called), since I don't know if the mapping driver is bidirectional.<br>
><br>
> I know this probably stems from my ignorance on the subject - I had unfortunately very little time to catch-up with this effort in the past months.<br>
><br>
> Salvatore<br>
><br>
><br>
> On 8 August 2014 18:49, Ivar Lazzaro <<a href="mailto:ivarlazzaro@gmail.com">ivarlazzaro@gmail.com</a>> wrote:<br>
> Hi Jay,<br>
><br>
> You can choose. The whole purpose of this is about flexibility, if you want to use GBP API 'only' with a specific driver you just can.<br>
> Additionally, given the 'ML2 like' architecture, the reference mapping driver can ideally run alongside by filling the core Neutron constructs without ever 'disturbing' your own driver (I'm not entirely sure about this but it seems feasible).<br>
><br>
> I hope this answers your question,<br>
> Ivar.<br>
><br>
><br>
> On Fri, Aug 8, 2014 at 6:28 PM, Jay Pipes <<a href="mailto:jaypipes@gmail.com">jaypipes@gmail.com</a>> wrote:<br>
> On 08/08/2014 08:55 AM, Kevin Benton wrote:<br>
> The existing constructs will not change.<br>
><br>
> A followup question on the above...<br>
><br>
> If GPB API is merged into Neutron, the next logical steps (from what I can tell) will be to add drivers that handle policy-based payloads/requests.<br>
><br>
> Some of these drivers, AFAICT, will *not* be deconstructing these policy requests into the low-level port, network, and subnet creation/attachment/detachment commands, but instead will be calling out as-is to hardware that speaks the higher-level abstraction API [1], not the lower-level port/subnet/network APIs. The low-level APIs would essentially be consumed entirely within the policy-based driver, which would effectively mean that the only way a system would be able to orchestrate networking in systems using these drivers would be via the high-level policy API.<br>
><br>
> Is that correct? Very sorry if I haven't explained clearly my question... this is a tough question to frame eloquently :(<br>
><br>
> Thanks,<br>
> -jay<br>
><br>
> [1] <a href="http://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/index.html" target="_blank">http://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/index.html</a><br>
><br>
> On Aug 8, 2014 9:49 AM, "CARVER, PAUL" <<a href="mailto:pc2929@att.com">pc2929@att.com</a><br>
> <mailto:<a href="mailto:pc2929@att.com">pc2929@att.com</a>>> wrote:<br>
><br>
> Wuhongning [mailto:<a href="mailto:wuhongning@huawei.com">wuhongning@huawei.com</a><br>
> <mailto:<a href="mailto:wuhongning@huawei.com">wuhongning@huawei.com</a>>] wrote:<br>
><br>
> >Does it make sense to move all advanced extension out of ML2, like<br>
> security<br>
> >group, qos...? Then we can just talk about advanced service<br>
> itself, without<br>
> >bothering basic neutron object (network/subnet/port)<br>
><br>
> A modular layer 3 (ML3) analogous to ML2 sounds like a good idea. I<br>
> still<br>
> think it's too late in the game to be shooting down all the work<br>
> that the<br>
> GBP team has put in unless there's a really clean and effective way of<br>
> running AND iterating on GBP in conjunction with Neutron without being<br>
> part of the Juno release. As far as I can tell they've worked really<br>
> hard to follow the process and accommodate input. They shouldn't have<br>
> to wait multiple more releases on a hypothetical refactoring of how<br>
> L3+ vs<br>
> L2 is structured.<br>
><br>
> But, just so I'm not making a horrible mistake, can someone reassure me<br>
> that GBP isn't removing the constructs of network/subnet/port from<br>
> Neutron?<br>
><br>
> I'm under the impression that GBP is adding a higher level abstraction<br>
> but that it's not ripping basic constructs like network/subnet/port out<br>
> of the existing API. If I'm wrong about that I'll have to change my<br>
> opinion. We need those fundamental networking constructs to be present<br>
> and accessible to users that want/need to deal with them. I'm viewing<br>
> GBP as just a higher level abstraction over the top.<br>
><br>
><br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> <mailto:<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><br>
><br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><br>
><br>
><br>
><br>
> --<br>
> Kevin Benton<br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div>