You will need Mitaka to get an external network that is only available to specific tenants. That is what the 'access_as_external' you identified does. Search for the section "Allowing a network to be used as an external network" in http://docs.openstack.org/mitaka/networking-guide/config-rbac.html.

On Thu, Sep 29, 2016 at 5:01 AM, Saverio Proto <zioproto at gmail.com> wrote:

> Hello,
>
> Context:
> - OpenStack Liberty
> - Ubuntu Trusty
> - Neutron networking with VXLAN tunnels
>
> We have been running OpenStack with a single external network so far.
>
> Now we have a specific VLAN in our datacenter with some hardware boxes
> that need a connection to a specific tenant network.
>
> To make this possible I changed the configuration of the network node
> to support multiple external networks. I am able to create a router
> and set as external network the new physnet where the boxes are.
>
> Everything looks nice except that all the projects can benefit from
> this new external network. In any tenant I can create a router, and
> set the external network and connect to the boxes. I cannot restrict
> it to a specific tenant.
>
> I found this piece of documentation:
>
> https://wiki.openstack.org/wiki/Neutron/sharing-model-for-external-networks
>
> So it looks like it is impossible to have a flat external network
> reserved for 1 specific tenant.
>
> I also tried to follow this documentation:
> http://docs.openstack.org/liberty/networking-guide/adv-config-network-rbac.html
>
> But it does not specify if it is possible to specify a policy for an
> external network to limit the sharing.
>
> It did not work for me so I guess this does not work when the secret
> network I want to create is external.
>
> There is an action --action access_as_external that is not clear to me.
>
> Also, it looks like this feature is evolving in Newton:
> http://docs.openstack.org/draft/networking-guide/config-rbac.html
>
> Has anyone tried similar setups?
> What is the minimum OpenStack
> version to get this done?
>
> Thank you
>
> Saverio