blob: 963451dcf8b3b4e301a57c113f0049bfc46c2caf (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
Programmable Provisioning of Provider Networks
----------------------------------------------
Description
~~~~~~~~~~~
In a NFV environment the VNFMs (Virtual Network Function Manager) are consumers
of the OpenStack IaaS API. They are often deployed without administrative rights
on top of the NFVI platform. Furthermore, in the telco domain provider networks
are often used. However, when a provider network is created administrative
rights are needed what in the case of a VNFM without administrative rights
requires additional manual configuration work. It shall be possible to
configure provider networks without administrative rights. It should be
possible to assign the capability to create provider networks to any roles.
The following figure (:numref:`api-users`) shows the possible users of an
OpenStack API and the relation of OpenStack and ETSI NFV components. Boxes with
solid line are the ETSI NFV components while the boxes with broken line are the
OpenStack components.
.. figure:: images/api-users.png
:name: api-users
:width: 50%
Derived Requirements
~~~~~~~~~~~~~~~~~~~~~
- Authorize the possibility of provider network creation based on policy
- There should be a new entry in :code:`policy.json` which controls the provider network creation
- Default policy of this new entry should be :code:`rule:admin_or_owner`.
- This policy should be respected by the Neutron API
Northbound API / Workflow
+++++++++++++++++++++++++
- No changes in the API
Data model objects
++++++++++++++++++
- No changes in the data model
Current implementation
~~~~~~~~~~~~~~~~~~~~~~
Only admin users can manage provider networks [OS-NETWORKING-GUIDE-ML2]_.
Potential implementation
~~~~~~~~~~~~~~~~~~~~~~~~
- Policy engine shall be able to handle a new provider network creation and
modification related policy.
- When a provider network is created or modified neutron should check the
authority with the policy engine instead of requesting administrative
rights.
|
