I believe you can actually do this in Liberty.

http://docs.openstack.org/liberty/networking-guide/adv-config-network-rbac.html

On Mon, Oct 3, 2016 at 1:00 AM, Kevin Benton <kevin at benton.pub> wrote:

> You will need mitaka to get an external network that is only available to
> specific tenants. That is what the 'access_as_external' you identified does.
>
> Search for the section "Allowing a network to be used as an external
> network" in
> http://docs.openstack.org/mitaka/networking-guide/config-rbac.html.
>
> On Thu, Sep 29, 2016 at 5:01 AM, Saverio Proto <zioproto at gmail.com> wrote:
>
>> Hello,
>>
>> Context:
>> - openstack liberty
>> - ubuntu trusty
>> - neutron networking with vxlan tunnels
>>
>> We have been running OpenStack with a single external network so far.
>>
>> Now we have a specific VLAN in our datacenter with some hardware boxes
>> that need a connection to a specific tenant network.
>>
>> To make this possible I changed the configuration of the network node
>> to support multiple external networks. I am able to create a router
>> and set as external network the new physnet where the boxes are.
>>
>> Everything looks nice except that all the projects can benefit from
>> this new external network. In any tenant I can create a router, and
>> set the external network and connect to the boxes. I cannot restrict
>> it to a specific tenant.
>>
>> I found this piece of documentation:
>>
>> https://wiki.openstack.org/wiki/Neutron/sharing-model-for-external-networks
>>
>> So it looks like it is impossible to have a flat external network
>> reserved for 1 specific tenant.
>>
>> I also tried to follow this documentation:
>> http://docs.openstack.org/liberty/networking-guide/adv-config-network-rbac.html
>>
>> But it does not specify if it is possible to specify a policy for an
>> external network to limit the sharing.
>>
>> It did not work for me so I guess this does not work when the secret
>> network I want to create is external.
>>
>> There is an action --action access_as_external that is not clear to me.
>>
>> Also, it looks like this feature is evolving in Newton:
>> http://docs.openstack.org/draft/networking-guide/config-rbac.html
>>
>> Has anyone tried similar setups? What is the minimum OpenStack
>> version to get this done?
>>
>> Thank you,
>>
>> Saverio