[openstack-dev] [Neutron] Partially Shared Networks

Peter Balland pballand at vmware.com
Wed Jan 15 17:57:12 UTC 2014


----- Original Message -----
> From: "PAUL CARVER" <pc2929 at att.com>
> To: OpenStack-dev at lists.openstack.org
> Sent: Wednesday, January 15, 2014 6:52:32 AM
> Subject: [openstack-dev] [Neutron] Partially Shared Networks
> 
> <snip>
>
> The particular use case I have in mind concerns networks that could
> technically be created as admin and marked as shared and thus have only
> whatever network namespace considerations that apply to shared networks. The
> desire to make them "partially shared" has more to do with the UI (either
> Horizon or API access) not showing them to tenants who are not on the
> approved list and not permitting tenants who are not on the list to attach
> instances to them.
> 
> This is basically like the door list at a club. If you're not on the list you
> can't get into the club. But if you're on the list, once you're inside the
> club it's not really any different from a less exclusive club other than the
> fact that everybody inside was "on the list".
> 
> 
> --
> Paul Carver

This is one of the use cases we are considering for the "Congress" project (https://wiki.openstack.org/wiki/Congress).

Policy is well-suited for modeling this sort of scenario where the user wants to express intended behavior as a subset of the system's capabilities.  Decoupling policy from networking facilitates expressing this intent using inputs across multiple systems (e.g. Neutron, Nova, Active Directory, etc.).

As an example, we have a demo modeling the following use case: "Every network connected to a VM must be either public or private and owned by someone in the same group as the VM's owner."  Congress is still in the early stages, however, and integration with Neutron is still TBD.  If this sounds interesting, please send me a note.

- Peter
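
The policy quoted in the reply above, evaluated over data joined from three sources, as an added example that is not part of the original message and is not Congress code or its policy language. All data, names and field layouts are constructed, and the rule is read as "public, or (private and owned by someone in the VM owner's group)", which is an assumption about the intended grouping.

```python
# Constructed sample data standing in for three separate systems.
# Every name and field layout below is an assumption for illustration.
NETWORKS = {  # Neutron-like: network id -> owner and visibility
    "net-pub": {"owner": "admin", "public": True},
    "net-eng": {"owner": "alice", "public": False},
    "net-fin": {"owner": "carol", "public": False},
}
VMS = {  # Nova-like: VM id -> owner
    "vm1": "bob",
    "vm2": "bob",
    "vm3": "dave",
}
PORTS = [  # (vm, network) attachments
    ("vm1", "net-pub"),
    ("vm1", "net-eng"),
    ("vm2", "net-fin"),
    ("vm3", "net-eng"),
    ("vm3", "net-ghost"),  # refers to a network no source knows about
]
GROUPS = {  # directory-like: user -> groups (dave has no entry)
    "alice": {"engineering"},
    "bob": {"engineering", "oncall"},
    "carol": {"finance"},
}


def same_group(user_a, user_b):
    """True when the two users share at least one directory group."""
    return bool(GROUPS.get(user_a, set()) & GROUPS.get(user_b, set()))


def allowed(vm, net):
    """One attachment passes if the network is public, or private with
    an owner who shares a group with the VM's owner."""
    network = NETWORKS.get(net)
    vm_owner = VMS.get(vm)
    if network is None or vm_owner is None:
        return False  # unknown objects fail closed
    if network["public"]:
        return True
    return same_group(vm_owner, network["owner"])


def violations():
    """Every (vm, network) attachment that breaks the policy, sorted."""
    return sorted(p for p in PORTS if not allowed(*p))


if __name__ == "__main__":
    for vm, net in violations():
        print(f"violation: {vm} attached to {net}")
```

A user missing from the directory source shares no group with anyone, so that user's attachments to private networks are reported rather than silently allowed.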


