[openstack-dev] quantum security model ?

Prashanth Prahalad prashanth.prahal at gmail.com
Mon Oct 28 08:09:40 UTC 2013


Hi Folks,

I'm trying to understand the quantum security model. I have the OVS plugin
configured with VLAN isolation.

I've a tenant project (alt_demo)

*(admin) > keystone tenant-list*
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| c19f9a2d16b74c3c971dbfbc1afdc687 |  admin   |   True  |
| a37209139af44a8a8a2a8e519e3f8478 | alt_demo |   True  |
| 70e910a7296d4a19be4b32d5bcaf3996 | services |   True  |
+----------------------------------+----------+---------+


I've a user (alt_demo) who is a 'member' of project alt_demo. (alt_demo is
not an admin)

*(admin) > keystone user-list*
+----------------------------------+----------+---------+-------------------+
|                id                |   name   | enabled |       email       |
+----------------------------------+----------+---------+-------------------+
| 338a1897720a4be48023a6987c76191d |  admin   |   True  |   test@test.com   |
| c2dc7ac0e8bf4628bc7d3b2fe285793a | alt_demo |   True  | alt_demo@demo.com |
| 94936f26d48e481dadacda322fc51858 |  cinder  |   True  |  cinder@localhost |
| b7db5ef2f2d849b1a8dfc7f043bf4289 |  glance  |   True  |  glance@localhost |
| a42b0ca85f914cf88dc6361da5e08a0c |   nova   |   True  |   nova@localhost  |
| 2f0f85cb85f242c7b9c5f620886b9537 | quantum  |   True  | quantum@localhost |
+----------------------------------+----------+---------+-------------------+


As *alt_demo*, try to create a network

*(alt_demo) > quantum net-create alt-net*
Created a new network:
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| admin_state_up  | True                                 |
| id              | c1629dac-91dd-424a-bc82-8b97323f5059 |
| name            | alt-net                              |
| router:external | False                                |
| shared          | False                                |
| status          | ACTIVE                               |
| subnets         |                                      |
| tenant_id       | a37209139af44a8a8a2a8e519e3f8478     |
+-----------------+--------------------------------------+


Now, the question I have is that the user "alt_demo" cannot see the
VLAN/provider-network and other details, which is very confusing (when the
user was able to create the network, he should be able to see the details of
the network he just created).

*(alt_demo) > quantum net-show alt-net*
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| admin_state_up  | True                                 |
| id              | c1629dac-91dd-424a-bc82-8b97323f5059 |
| name            | alt-net                              |
| router:external | False                                |
| shared          | False                                |
| status          | ACTIVE                               |
| subnets         |                                      |
| tenant_id       | a37209139af44a8a8a2a8e519e3f8478     |
+-----------------+--------------------------------------+


Here's what an "admin" user sees:

*(admin) > quantum net-show alt-net*
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | c1629dac-91dd-424a-bc82-8b97323f5059 |
| name                      | alt-net                              |
| provider:network_type     | vlan                                 |
| provider:physical_network | physnet1                             |
| provider:segmentation_id  | 46                                   |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | a37209139af44a8a8a2a8e519e3f8478     |
+---------------------------+--------------------------------------+


Thanks !
Prashanth