[Openstack] What is the difference between provider network and tenant network?

James Denton james.denton at rackspace.com
Fri Oct 3 13:27:05 UTC 2014


Hi Danny,

I can’t really say. It may be that the help doesn’t differentiate between a user with admin rights and a regular user. Also, if you *don’t* specify those attributes as an admin user, then the network that’s created is bound to the same “limitations” as a non-admin user (i.e. whatever is defined in tenant_network_type).

James

From: "Danny Choi (dannchoi)" <dannchoi at cisco.com>
Date: Friday, October 3, 2014 at 8:16 AM
To: James Denton <james.denton at rackspace.com>, "openstack at lists.openstack.org" <openstack at lists.openstack.org>
Cc: "bxb-openstack-dev(mailer list)" <bxb-openstack-dev at cisco.com>
Subject: Re: [Openstack] What is the difference between provider network and tenant network?

Hi James,

Thanks for the explanation.

Another question.  As user admin, I do not see these attributes shown in the help text of “neutron net-create”.  Why?

  *   provider:network_type
  *   provider:physical_network
  *   provider:segmentation_id
  *   router:external

ubuntu at trusty1:~/devstack$ source openrc admin admin
ubuntu at trusty1:~/devstack$ neutron help net-create
usage: neutron net-create [-h] [-f {shell,table,value}] [-c COLUMN]
                          [--max-width <integer>] [--prefix PREFIX]
                          [--request-format {json,xml}]
                          [--tenant-id TENANT_ID] [--admin-state-down]
                          [--shared]
                          NAME

Create a network for a given tenant.

positional arguments:
  NAME                  Name of network to create.

optional arguments:
  -h, --help            show this help message and exit
  --request-format {json,xml}
                        The XML or JSON request format.
  --tenant-id TENANT_ID
                        The owner tenant ID.
  --admin-state-down    Set admin state up to false.
  --shared              Set the network as shared.

output formatters:
  output formatter options

  -f {shell,table,value}, --format {shell,table,value}
                        the output format, defaults to table
  -c COLUMN, --column COLUMN
                        specify the column(s) to include, can be repeated

table formatter:
  --max-width <integer>
                        Maximum display width, 0 to disable

shell formatter:
  a format a UNIX shell can parse (variable="value")

  --prefix PREFIX       add a prefix to all variable names

Thanks,
Danny

From: James Denton <james.denton at rackspace.com>
Date: Thursday, October 2, 2014 at 11:06 PM
To: Danny Choi <dannchoi at cisco.com>, "openstack at lists.openstack.org" <openstack at lists.openstack.org>
Cc: "bxb-openstack-dev(mailer list)" <bxb-openstack-dev at cisco.com>
Subject: RE: [Openstack] What is the difference between provider network and tenant network?

Hi Danny,

When 'admin' creates a network they are able to specify the following attributes:

- provider:network_type (i.e. vxlan, gre, vlan, flat, local)
- provider:segmentation_id (i.e. 802.1q tag, gre key, vxlan vni)
- provider:physical_network (i.e. provider label of the physical interface - physnet1, ph-eth1, etc.)

The following attribute allows the network to be used as an external network of a router:
- router:external (i.e. true/false)

The following attribute allows the network to be shared amongst tenants:
- shared (i.e. true/false)

A tenant does not have the ability to specify any of those attributes. If they try, they will be rejected. Tenants should have no visibility into the 'type' of networks they create, and are in fact limited to particular network types and IDs that are specified in the plugin configuration file or ml2_conf.ini.  I believe the configuration options are 'tenant_network_type' and 'network_vlan_ranges'. That is why you do not see the provider attributes as the tenant, even though they technically exist for ALL networks, regardless of who created them.

Admin users are not restricted by the options in the config file, and can create a network using any network type or segmentation ID that they choose.

In Horizon, you will likely only see networks owned by the tenant when you go to the 'Project' tab. In the 'Admin' tab, you would see all networks.

Hope that helps,
James
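
A simplified model of the behaviour James describes, added here as an illustration and not taken from the thread or from Neutron's code: attribute-level policy rules reject a non-admin create request that sets provider attributes, and filter those attributes out of what a non-admin reads. The rule table, function names, tenant ids and server-assigned defaults are assumptions; compare the rules with the policy.json of your own deployment.

```python
# Simplified model of attribute-level network policy (added example, not Neutron code).
ADMIN_ONLY = "rule:admin_only"
REGULAR_USER = "rule:regular_user"

# Rule names follow the "<action>:<attribute>" convention of Neutron's policy.json;
# treat this exact set as an assumption and compare it with your deployment's file.
POLICY = {
    "create_network:shared": ADMIN_ONLY,
    "create_network:router:external": ADMIN_ONLY,
    "create_network:provider:network_type": ADMIN_ONLY,
    "create_network:provider:physical_network": ADMIN_ONLY,
    "create_network:provider:segmentation_id": ADMIN_ONLY,
    "get_network:provider:network_type": ADMIN_ONLY,
    "get_network:provider:physical_network": ADMIN_ONLY,
    "get_network:provider:segmentation_id": ADMIN_ONLY,
    "get_network:router:external": REGULAR_USER,
}

class Forbidden(Exception):
    """Stands in for the HTTP 403 returned by the API."""

def allowed(action, attr, roles):
    # Attributes without an explicit rule are open to any regular user.
    rule = POLICY.get(f"{action}:{attr}", REGULAR_USER)
    return rule != ADMIN_ONLY or "admin" in roles

def create_network(body, roles, tenant_id):
    """Reject the whole request if it sets any attribute the caller may not set."""
    denied = sorted(a for a in body if not allowed("create_network", a, roles))
    if denied:
        raise Forbidden(", ".join(denied))
    # Attributes the caller left out are chosen by the server. These values are
    # constructed stand-ins for tenant_network_type / network_vlan_ranges.
    net = {"provider:network_type": "vlan", "provider:physical_network": "physnet1",
           "provider:segmentation_id": 390, "router:external": False,
           "shared": False, "tenant_id": tenant_id}
    net.update(body)
    return net

def show_network(net, roles):
    """Return only the fields the caller's roles are allowed to read."""
    return {k: v for k, v in net.items() if allowed("get_network", k, roles)}

if __name__ == "__main__":
    req = {"name": "admin_network", "provider:network_type": "vlan",
           "provider:physical_network": "physnet1", "provider:segmentation_id": 399}
    net = create_network(req, ["admin"], "admin-tenant")  # constructed tenant id
    print(sorted(show_network(net, ["Member"])))           # provider:* filtered out
    try:
        create_network(req, ["Member"], "demo-tenant")
    except Forbidden as exc:
        print("403 Forbidden:", exc)
```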

________________________________
From: Danny Choi (dannchoi) [dannchoi at cisco.com]
Sent: Thursday, October 02, 2014 8:14 PM
To: openstack at lists.openstack.org
Cc: bxb-openstack-dev(mailer list)
Subject: [Openstack] What is the difference between provider network and tenant network?

Hi,

I used devstack to deploy Juno OpenStack.

By default, devstack created 2 users: admin (with role “admin”) and demo.


ubuntu at trusty1:~/devstack$ source openrc admin admin
ubuntu at trusty1:~/devstack$ keystone user-list
+----------------------------------+---------+---------+------------------+
|                id                |   name  | enabled |      email       |
+----------------------------------+---------+---------+------------------+
| 3f09f4a2e2e5476681f7726d1bd7a238 |  admin  |   True  |                  |   <<<<<
| f9b63fc02a2c41c4a99508215d34698e |  cinder |   True  |                  |
| b31235476f904c968a48a6ed13a4423d |   demo  |   True  | demo at example.com |   <<<<<
| 1379192fe5f7427db0b9550f31ae3c8d |  glance |   True  |                  |
| 349ef723ec7e40c6bd4b8d8284696a04 |   heat  |   True  |                  |
| db2c4d82c9154d4eb58b3308041e8280 | neutron |   True  |                  |
| 87becace86e2459493a5e692b47374a8 |   nova  |   True  |                  |
+----------------------------------+---------+---------+------------------+

ubuntu at trusty1:~/devstack$ keystone user-role-list --user admin --tenant admin
+----------------------------------+------------------+----------------------------------+----------------------------------+
|                id                |       name       |             user_id              |            tenant_id             |
+----------------------------------+------------------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_     | 3f09f4a2e2e5476681f7726d1bd7a238 | db81f81239f54d5d89293dacc7a284d2 |
| 2c9362c08a224154bdcaeee35d740ddc |      admin       | 3f09f4a2e2e5476681f7726d1bd7a238 | db81f81239f54d5d89293dacc7a284d2 |   <<<<<
| b2419a321cae46ab9d11d2e126502271 | heat_stack_owner | 3f09f4a2e2e5476681f7726d1bd7a238 | db81f81239f54d5d89293dacc7a284d2 |
+----------------------------------+------------------+----------------------------------+----------------------------------+

ubuntu at trusty1:~/devstack$ keystone user-role-list --user demo --tenant demo
+----------------------------------+------------------+----------------------------------+----------------------------------+
|                id                |       name       |             user_id              |            tenant_id             |
+----------------------------------+------------------+----------------------------------+----------------------------------+
| 12ff05c09c5d4d1a8cf15d35f84f7a75 |      Member      | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_     | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
| 21fcd6d7847f44e6a3b9ad777a27f811 |   anotherrole    | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
| b2419a321cae46ab9d11d2e126502271 | heat_stack_owner | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
+----------------------------------+------------------+----------------------------------+----------------------------------+

There are 2 networks created, public (tenant = admin) and private (tenant = demo).


ubuntu at trusty1:~/devstack$ keystone tenant-list
+----------------------------------+--------------------+---------+
|                id                |        name        | enabled |
+----------------------------------+--------------------+---------+
| db81f81239f54d5d89293dacc7a284d2 |       admin        |   True  |   <<<<<
| 181003e05ad44b688925372d97b985c0 |        demo        |   True  |   <<<<<
| f170d762ab2c471d9a9f522116f8a178 | invisible_to_admin |   True  |
| d500c4a4ec3d459abfe665bfb886a881 |      service       |   True  |
+----------------------------------+--------------------+---------+

ubuntu at trusty1:~/devstack$ neutron net-list
+--------------------------------------+---------+----------------------------------------------------+
| id                                   | name    | subnets                                            |
+--------------------------------------+---------+----------------------------------------------------+
| 5e05170c-ae6c-4b60-8f59-8a6988705ff2 | public  | 3eb289a4-9686-4a94-a928-8d5ae23b1dd6 172.24.4.0/24 |
| b18a4a3f-7167-4c61-87f5-b21f87118160 | private | 3f5b84c5-937e-44ae-b645-64758386a501 10.0.0.0/24   |
+--------------------------------------+---------+----------------------------------------------------+

ubuntu at trusty1:~/devstack$ neutron net-show public
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 5e05170c-ae6c-4b60-8f59-8a6988705ff2 |
| name                      | public                               |
| provider:network_type     | vlan                                 |
| provider:physical_network | physnet1                             |
| provider:segmentation_id  | 391                                  |
| router:external           | True                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 3eb289a4-9686-4a94-a928-8d5ae23b1dd6 |
| tenant_id                 | db81f81239f54d5d89293dacc7a284d2     |   <<<<<
+---------------------------+--------------------------------------+

ubuntu at trusty1:~/devstack$ neutron net-show private
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | b18a4a3f-7167-4c61-87f5-b21f87118160 |
| name                      | private                              |
| provider:network_type     | vlan                                 |
| provider:physical_network | physnet1                             |
| provider:segmentation_id  | 390                                  |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 3f5b84c5-937e-44ae-b645-64758386a501 |
| tenant_id                 | 181003e05ad44b688925372d97b985c0     |   <<<<<
+---------------------------+--------------------------------------+

Notice both networks contain the provider info:

  *   provider:network_type
  *   provider:physical_network
  *   provider:segmentation_id

However, if I change the credentials to demo, this provider info disappears.


ubuntu at trusty1:~/devstack$ source openrc demo demo
ubuntu at trusty1:~/devstack$ neutron net-list
+--------------------------------------+---------+--------------------------------------------------+
| id                                   | name    | subnets                                          |
+--------------------------------------+---------+--------------------------------------------------+
| 5e05170c-ae6c-4b60-8f59-8a6988705ff2 | public  | 3eb289a4-9686-4a94-a928-8d5ae23b1dd6             |
| b18a4a3f-7167-4c61-87f5-b21f87118160 | private | 3f5b84c5-937e-44ae-b645-64758386a501 10.0.0.0/24 |
+--------------------------------------+---------+--------------------------------------------------+

ubuntu at trusty1:~/devstack$ neutron net-show public
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| admin_state_up  | True                                 |
| id              | 5e05170c-ae6c-4b60-8f59-8a6988705ff2 |
| name            | public                               |
| router:external | True                                 |
| shared          | False                                |
| status          | ACTIVE                               |
| subnets         | 3eb289a4-9686-4a94-a928-8d5ae23b1dd6 |
| tenant_id       | db81f81239f54d5d89293dacc7a284d2     |
+-----------------+--------------------------------------+

ubuntu at trusty1:~/devstack$ neutron net-show private
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| admin_state_up  | True                                 |
| id              | b18a4a3f-7167-4c61-87f5-b21f87118160 |
| name            | private                              |
| router:external | False                                |
| shared          | False                                |
| status          | ACTIVE                               |
| subnets         | 3f5b84c5-937e-44ae-b645-64758386a501 |
| tenant_id       | 181003e05ad44b688925372d97b985c0     |
+-----------------+--------------------------------------+

Why does the provider info not exist?

Also, as user demo, I cannot create a network with the provider info specified, which is possible if it is user admin.  Why?


ubuntu at trusty1:~/devstack$ source openrc demo demo
ubuntu at trusty1:~/devstack$ neutron net-create demo_network --provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id 399
Forbidden (HTTP 403) (Request-ID: req-fd2453a8-f82b-410c-9085-e487a4a29694)       <<<<<

ubuntu at trusty1:~/devstack$ source openrc admin admin
ubuntu at trusty1:~/devstack$ neutron net-create admin_network --provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id 399
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | df176962-8c61-4621-ac3a-e978a56b1933 |
| name                      | admin_network                        |
| provider:network_type     | vlan                                 |
| provider:physical_network | physnet1                             |
| provider:segmentation_id  | 399                                  |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | db81f81239f54d5d89293dacc7a284d2     |
+---------------------------+--------------------------------------+

ubuntu at trusty1:~/devstack$ neutron net-show admin_network
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | df176962-8c61-4621-ac3a-e978a56b1933 |
| name                      | admin_network                        |
| provider:network_type     | vlan                                 |
| provider:physical_network | physnet1                             |
| provider:segmentation_id  | 399                                  |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | db81f81239f54d5d89293dacc7a284d2     |
+---------------------------+--------------------------------------+


Is it true that to create a provider network, the user has to have the “admin” role?


###########

Also, in Horizon dashboard, I logged in as user admin.


From the Projects pulldown, select admin.

At the left pane, Project->Network->Networks, only the “public” network is shown.

Admin->System->Networks, both “public” and “private” networks are shown.


From the Projects pulldown, select demo.

At the left pane, Project->Network->Networks, only the “private” network is shown.

Admin->System->Networks, both “public” and “private” networks are shown.


Is this an expected behavior?



Thanks,

Danny