[Openstack-operators] Reserve an external network for 1 tenant

Saverio Proto zioproto at gmail.com
Thu Sep 29 12:01:23 UTC 2016


Hello,

Context:
- OpenStack Liberty
- Ubuntu Trusty
- Neutron networking with VXLAN tunnels

We have been running OpenStack with a single external network so far.

Now we have a specific VLAN in our datacenter with some hardware boxes
that need a connection to a specific tenant network.

To make this possible I changed the configuration of the network node
to support multiple external networks. I am able to create a router
and set the new physnet where the boxes are as its external network.

Everything looks nice except that all the projects can benefit from
this new external network. In any tenant I can create a router, and
set the external network and connect to the boxes. I cannot restrict
it to a specific tenant.

I found this piece of documentation:

https://wiki.openstack.org/wiki/Neutron/sharing-model-for-external-networks

So it looks like it is impossible to have a flat external network
reserved for 1 specific tenant.

I also tried to follow this documentation:
http://docs.openstack.org/liberty/networking-guide/adv-config-network-rbac.html

But it does not specify if it is possible to specify a policy for an
external network to limit the sharing.

It did not work for me so I guess this does not work when the secret
network I want to create is external.

There is an action --action access_as_external that is not clear to me.

It also looks like this feature is evolving in Newton:
http://docs.openstack.org/draft/networking-guide/config-rbac.html

Has anyone tried similar setups? What is the minimum OpenStack
version to get this done?

Thank you

Saverio


