[openstack-dev] [Neutron] Question about service subnets spec
John.Davidge at rackspace.com
Tue Jun 7 13:56:48 UTC 2016
Resurrecting this thread from last week.
On 5/31/16, 10:11 PM, "Brian Haley" <brian.haley at hpe.com> wrote:
>> At this point the enumeration values map simply to device owners. For
>> router_ports -> "network:router_gateway"
>> dvr_fip_ports -> "network:floatingip_agent_gateway"
>> It was at this point that I questioned the need for the abstraction at
>> all. Hence the proposal to use the device owners directly.
>I would agree, think having another name to refer to a device_owner makes
>more confusing. Using it directly lets us be flexible for deployers,
>allows for using additional owners values if/when they are added.
I agree that a further abstraction is probably not desirable here. If this
is only going to be exposed to admins then using the existing device_owner
values shouldn't cause confusion for users.
>> Armando expressed some concern about using the device owner as a
>> security issue. We have the following policy on device_owner:
>> "not rule:network_device or rule:context_is_advsvc or
>> At the moment, I don't see this as much of an issue. Do you?
>I don't, since only admins should be able to set device_owner to these
>(that's the policy we're talking about here, right?).
>To be honest, I think Armando's other comment - "Do we want to expose
>device_owner via the API or leave it an implementation detail?" is
>well. Even though I think an admin should know this level of neutron
>will they really? It's hard to answer that question being so close to
Seeing as device_owner is already exposed by the port API I don't think
this is an issue. And if we agree that a further abstraction isn't a good
idea then I don't see how we would get around exposing it in this context.