blob: 7cb2e001570dc0ae0542214dc6c80765c4069cae (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
Programmable Provisioning of Provider Networks
----------------------------------------------
Description
~~~~~~~~~~~
In a NFV environment the VNFMs (Virtual Network Function Manager) are consumers
of the OpenStack IaaS API. They are often deployed without administrative rights
on top of the NFVI platform. Furthermore, in the telco domain provider networks
are often used. However, when a provider network is created administrative
rights are needed what in the case of a VNFM without administrative rights
requires additional manual configuration work. It shall be possible to
configure provider networks without administrative rights. It should be
possible to assign the capability to create provider networks to any roles.
The following figure (:numref:`api-users`) shows the possible users of an
OpenStack API and the relation of OpenStack and ETSI NFV components. Boxes with
solid line are the ETSI NFV components while the boxes with broken line are the
OpenStack components.
.. figure:: images/api-users.png
:name: api-users
:width: 50%
Requirements
~~~~~~~~~~~~
- Authorize the possibility of provider network creation based on policy
- There should be a new entry in :code:`policy.json` which controls the
provider network creation
- Default policy of this new entry should be :code:`rule:admin_or_owner`.
- This policy should be respected by the Neutron API
Northbound API / Workflow
+++++++++++++++++++++++++
- No changes in the API
Data model objects
++++++++++++++++++
- No changes in the data model
Current implementation
~~~~~~~~~~~~~~~~~~~~~~
Only admin users can manage provider networks [OS-NETWORKING-GUIDE-ML2]_.
Potential implementation
~~~~~~~~~~~~~~~~~~~~~~~~
- Policy engine shall be able to handle a new provider network creation and
modification related policy.
- When a provider network is created or modified neutron should check the
authority with the policy engine instead of requesting administrative
rights.
Solution in upstream community
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A bug report has been submitted to the upstream OpenStack community to highlight
this gap:
https://bugs.launchpad.net/neutron/+bug/1630880
This bug report revealed that this use case has already been addressed in the
upstream community. Specifically, it is possible to specify the roles (e.g.,
admin, regular user) in the Neutron policy.json file which are able to create
and update provider networks.
However, the OpenStack user guide wrongly stated that **only** administrators
can create and update provider type networks. Hence, a correction has been
submitted to the OpenStack documentation repository, clarifying the possibility
to change this behavior based on policies:
https://review.openstack.org/#/c/390359/
In conclusion, this use case has been retired as the corresponding gaps have been
closed in the upstream community.
|
