[openstack-dev] quantum security model ?
Prashanth Prahalad
prashanth.prahal at gmail.com
Mon Oct 28 08:09:40 UTC 2013
Hi Folks,
I'm trying to understand the quantum security model. I have the OVS plugin
configured with VLAN isolation.
I've a tenant project (alt_demo)
*(admin) > keystone tenant-list*
+----------------------------------+----------+---------+
| id | name | enabled |
+----------------------------------+----------+---------+
| c19f9a2d16b74c3c971dbfbc1afdc687 | admin | True |
| a37209139af44a8a8a2a8e519e3f8478 | alt_demo | True |
| 70e910a7296d4a19be4b32d5bcaf3996 | services | True |
+----------------------------------+----------+---------+
I've a user (alt_demo) who is a 'member' of project alt_demo. (alt_demo is
not an admin)
*(admin) > keystone user-list*
+----------------------------------+----------+---------+-------------------+
| id | name | enabled | email |
+----------------------------------+----------+---------+-------------------+
| 338a1897720a4be48023a6987c76191d | admin | True | test at test.com |
| c2dc7ac0e8bf4628bc7d3b2fe285793a | alt_demo | True | alt_demo at demo.com |
| 94936f26d48e481dadacda322fc51858 | cinder | True | cinder at localhost |
| b7db5ef2f2d849b1a8dfc7f043bf4289 | glance | True | glance at localhost |
| a42b0ca85f914cf88dc6361da5e08a0c | nova | True | nova at localhost |
| 2f0f85cb85f242c7b9c5f620886b9537 | quantum | True | quantum at localhost |
+----------------------------------+----------+---------+-------------------+
As *alt_demo*, try to create a network
*(alt_demo) > quantum net-create alt-net*
Created a new network:
+-----------------+--------------------------------------+
| Field | Value |
+-----------------+--------------------------------------+
| admin_state_up | True |
| id | c1629dac-91dd-424a-bc82-8b97323f5059 |
| name | alt-net |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | a37209139af44a8a8a2a8e519e3f8478 |
+-----------------+--------------------------------------+
Now, the question I have is that the user "alt_demo" cannot see the
VLAN/provider-network and other details, which is very confusing (when the
user was able to create the network, he should be able to see the details of
the network he just created).
*(alt_demo) > quantum net-show alt-net*
+-----------------+--------------------------------------+
| Field | Value |
+-----------------+--------------------------------------+
| admin_state_up | True |
| id | c1629dac-91dd-424a-bc82-8b97323f5059 |
| name | alt-net |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | a37209139af44a8a8a2a8e519e3f8478 |
+-----------------+--------------------------------------+
Here's what an "admin" user sees :
*(admin) > quantum net-show alt-net*
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | c1629dac-91dd-424a-bc82-8b97323f5059 |
| name | alt-net |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 46 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | a37209139af44a8a8a2a8e519e3f8478 |
+---------------------------+--------------------------------------+
Thanks !
Prashanth