[openstack-dev] Fwd: FW: [Neutron] Group Based Policy and the way forward

Ryan Moats rmoats at us.ibm.com
Wed Aug 6 21:06:26 UTC 2014

[snipping to save BW]

Aaron Rosen <aaronorosen at gmail.com> wrote on 08/06/2014 03:26:24 PM:

> Note: I'm not going to use the pure group policy API as I have been
> a fan of the
> 2-group approach from day 1, I'm going to use the commands as stated
> in the patch set, and I'm going to assume (dangerous I know) that I
> can specify endpoint-group on port create
> neutron grouppolicy-endpoint-group-create group1
> neutron grouppolicy-endpoint-group-create group2
> neutron port-create --endpoint-group group1 network1
> neutron port-create --endpoint-group group2 network1
> Sorry, I don't follow what this port-create command does? Here ---
> https://docs.google.com/presentation/d/
>  --- shows that endpoint-groups map to networks so i'm confused why
> network1 is coming into play here?

Let's be careful that we aren't mixing concepts. First, this is where I
said "I'm going to assume I can do this" above comes in and so the network
applies to the port-create, not to the group.

Second, the mapping you site is optional and a subtle point is that while
a group maps to a multiplicity of subnets, those subnets can themselves be
in different networks, so a group does not automatically equate to a

> neutron grouppolicy-policy-action-create action
> neutron grouppolicy-policy-classifier-create classifier
> neutron grouppolicy-policy-rule-create --action action --classifier
> classifer rule
> neutron policy-apply rule group1 group2
> Mind mapping this to my example so we can see how to achieve the
> same thing in group policy (with protocols and all)?  Looks like you
> would also need to specify (--provided-contracts, --consumed-
> contracts) when you create the endpoint-groups. Also, I don't see a
> cli command policy-apply so i'm not sure really what that does.

This is where I invoke my "I'm a fan of the 2-group approach" statement
This is my proposed shorthand for the following three commands:

neutron grouppolicy-contract-create --poilcy-rule rule contract
neutron grouppolicy-endpoint-group-update --provides-contract contract
neutron grouppolicy-endpoint-group-update --consumes-contract contract


> One major difference between GP and current neutron (other than
> security groups) is in your last statement about tying things to
> networks.  Like security groups, groups in GP can have ports that
> span networks.
> So are you saying that group policy doesn't allow us to do different
> enforcement points on the same network as we do today?

That was not my intent.  I was only trying to point out that these groups
(like security groups) are not scoped by networks.

>  Unlike security groups, GP allows more rich policy than just allow.
> Right - I can see that GP does provide an allow/deny construct,
> though as you pointed out we can extend the current security group
> concept in neutron to provide allow/deny semantics to achieve the
> same thing no?

My only comments is that GP has been in the pipeline longer that the BP I
cite below...

> That of course begs the question of extending security groups (think
> this blueprint https://review.openstack.org/#/c/93112/ ) but that
> approach may have its own issues.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140806/ab81db98/attachment.html>

More information about the OpenStack-dev mailing list