[openstack-dev] [Neutron] Separate floating IP pools?
Carl Baldwin
carl at ecbaldwin.net
Fri Sep 18 15:18:37 UTC 2015
On Fri, Sep 18, 2015 at 4:55 AM, Clark, Robert Graham
<robert.clark at hp.com> wrote:
> Is it possible to have separate floating-IP pools and grant a tenant access
> to only some of them?
It is possible to have multiple floating IP pools by creating multiple
external networks. However, it is not currently possible to have
multiple pools on a single external network. This is a modeling
limitation. Also, it is not possible to do any kind of RBAC on
multiple pools. Currently the semantics of floating IPs are that all
tenants have access to them implicitly. Essentially, marking a
network as external makes that network visible to any tenant wishing
to attach a router and allows them to also allocate floating IPs.
> Thought popped into my head while looking at the rbac-network spec here:
> https://review.openstack.org/#/c/132661/4/specs/liberty/rbac-networks.rst
This could be a possible future direction after this RBAC work is
completed and released. However, there are no concrete plans around
this yet.
> Creating individual pools, allowing only some tenants access and having
> off-cloud network ACLs would get part way to satisfying the use cases that
> drive the above spec (I’m thinking of this as a more short term solution,
> certainly not a direct alternative).
Maybe you could tell us more about the use case you're after so that
we can understand the motivation behind it. For example, are you
thinking about multiple pools on the same external network or
different external networks? Help us understand what you're trying to
enable and why.
> I’m sure this is answered elsewhere but I couldn’t find any direct
> information so I’m assuming no, it isn’t supported but I wonder how much
> effort would be required to make it work?
>
> -Rob