[openstack-dev] [Neutron] Question about service subnets spec

Carl Baldwin carl at ecbaldwin.net
Wed Jun 8 20:26:02 UTC 2016

Thanks, John for your comments.  I've added a few comments inline.

In summary, I'm inclined to move forward with this as an admin-only
operation to begin with.  I'll give another day or two for someone new
to take notice.


On Tue, Jun 7, 2016 at 7:56 AM, John Davidge <John.Davidge at rackspace.com> wrote:
> Resurrecting this thread from last week.
> On 5/31/16, 10:11 PM, "Brian Haley" <brian.haley at hpe.com> wrote:
>>> At this point the enumeration values map simply to device owners.  For
>>>    router_ports -> "network:router_gateway"
>>>    dvr_fip_ports -> "network:floatingip_agent_gateway"
>>> It was at this point that I questioned the need for the abstraction at
>>> all.  Hence the proposal to use the device owners directly.
>>I would agree, think having another name to refer to a device_owner makes
>>more confusing.  Using it directly let's us be flexible for deployers,
>>allows for using additional owners values if/when they are added.
> I agree that a further abstraction is probably not desirable here. If this
> is only going to be exposed to admins then using the existing device_owner
> values shouldn¹t cause confusion for users.

Given the lack of opposing opinions, I'm inclined to move forward
unless someone speaks up soon.  We are getting to the point where we
need to converge on this and put the implementation up for review in
order to make Newton.

>>> Armando expressed some concern about using the device owner as a
>>> security issue.  We have the following policy on device_owner:
>>>    "not rule:network_device or rule:context_is_advsvc or
>>> rule:admin_or_network_owner"
>>> At the moment, I don't see this as much of an issue.  Do you?
>>I don't, since only admins should be able to set device_owner to these
>>(that's the policy we're talking about here, right?).
>>To be honest, I think Armando's other comment - "Do we want to expose
>>device_owner via tha API or leave it an implementation detail?" is
>>important as
>>well.  Even though I think an admin should know this level of neutron
>>will they really?  It's hard to answer that question being so close to
>>the code
> Seeing as device_owner is already exposed by the port API I don¹t think
> this is an issue. And if we agree that a further abstraction isn¹t a good
> idea then I don¹t see how we would get around exposing it in this context.

This is how I thought about it.

> https://review.openstack.org/#/c/300207

More information about the OpenStack-dev mailing list