<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On 21 November 2014 10:35, Antonio Messina <span dir="ltr"><<a href="mailto:antonio.s.messina@gmail.com" target="_blank">antonio.s.messina@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi all,<br>
<br>
I'm running a Juno testbed with Neutron, ml2 and ovs. We have use<br>
cases where we would like to create a shared vlan network and directly<br>
attach a VM on this network. This is not hard to do, and I've<br>
described how I did at this page:<br>
<a href="http://www.s3it.uzh.ch/blog/openstack-neutron-vlan/" target="_blank">http://www.s3it.uzh.ch/blog/openstack-neutron-vlan/</a><br>
<br>
However, there are a few issues with this implementation:<br>
<br>
1) *any* tenant can attach VM directly to this network. I would like<br>
to be able to only allow specific tenants to do it. Can I update<br>
the policy.json rule "network:attach_external_network" with<br>
something like:<br>
<br>
"network:attach_external_network": "project_name:'Project1' or<br>
project_name:'Project2'"<br>
<br>
will it work?<br></blockquote><div><br></div><div>Nope... sorry.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
2) *any* external/shared network will share the same permissions,<br>
while I would like to have a few "special" vlan networks as<br>
described before, and a "standard" external network to be used for<br>
floating IPs.<br>
<br>
Ideally, I would like to update the previous policy rule with something<br>
like:<br>
<br>
"admin_api or (network_name: 'vlan842' and project_name:'project1')"<br>
<br>
but I don't know which "variables" can be used inside the<br>
policy.json file.<br></blockquote><div><br></div><div>You can use either fields like "name" for a network or attributes from the request context.</div><div>As far as I can remember project_name is not among those, but tenant_id is.</div><div><br></div><div>Your rule can therefore become fields:networks:name='vlan842' and tenant_id:<project1_uuid></div><div>Still you can't apply that to "attach_external_network" as the policy engine does not understand it.</div><div>There is a workaround, and it would be to define a rule on port creation.</div><div>I am not sure if this can work for you, but perhaps it's worth trying</div><div><br></div><div><font face="monospace" color="#000000">create_port: admin or (<span class="" style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre">field:networks:router:external=False</span><span class="" style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre"> or (</span></font></div><div><font face="monospace" color="#000000"><span class="" style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre"> (</span>fields:networks:name='vlan842' and tenant_id:<project1_uuid><span style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre">)))</span></font></div><div><font face="monospace" color="#000000"><span style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre"><br></span></font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre">Caveat: I have not tested this rule.</span></font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre">The meaning of it should be that a tenant can create a port (or attach a vm) on a network if:</span></font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre">* is an admin, or</span></font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre">* the network is not external or</span></font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre">* the network is called vlan842 regardless of whether it is external or not but only if the tenant is 'tenant_1'</span></font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre"><br></span></font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre">One issue with this rule is that if vlan842 is not external anyone can plug into it. But maybe this can solved by making the rule a bit more convoluted.</span></font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:12.222222328186px;line-height:18.6666660308838px;white-space:pre">This process however requires a lot of manual steps and probably requires the admin to have too many insights in neutron internals.</span></font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:12px;line-height:18.6666660308838px;white-space:pre">Looking to the future, there is a work in progress to simplify this [1]</span></font></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
3) I don't know if this is a bug or was caused by my changes, but<br>
after the change I've made in `network:attach_external_network` an<br>
unprivileged user on a demo tenant can also see a tenant network<br>
(not external) created by admin *without* `--shared` on the `admin`<br>
tenant. The user cannot, however, see the details of the network,<br>
nor attach any interface to it (either router or VM interface).<br></blockquote><div><br></div><div>network:attach_external_network should be just ignored by the policy engine.</div><div>If this triggers an error which then causes rule processing to be stopped then it might be a bug.</div><div>Did you also remove any rule?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Is there a way to do it? What variables can be used in the policy.json<br>
file, apart from the standard "project_id" and "user_id"?<br>
<br>
Thank you in advance for your precious help<br>
<br>
Cheers,<br>
Antonio<br></blockquote><div><br></div><div>[1] <a href="https://review.openstack.org/#/c/132661/">https://review.openstack.org/#/c/132661/</a> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<span class=""><font color="#888888"><br>
--<br>
<a href="mailto:antonio.s.messina@gmail.com">antonio.s.messina@gmail.com</a><br>
<a href="mailto:antonio.messina@uzh.ch">antonio.messina@uzh.ch</a> <a href="tel:%2B41%20%280%2944%20635%2042%2022" value="+41446354222">+41 (0)44 635 42 22</a><br>
S3IT: Service and Support for Science IT <a href="http://www.s3it.uzh.ch/" target="_blank">http://www.s3it.uzh.ch/</a><br>
University of Zurich<br>
Winterthurerstrasse 190<br>
CH-8057 Zurich Switzerland<br>
<br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
</font></span></blockquote></div><br></div></div>