OpenStack Networking (Neutron)
49b4dd3478
This allows access to external networks to be controlled via the RBAC framework added during Liberty with a new 'access_as_external' action. A migration adds all current external networks to the RBAC policies table with a wildcard indicating that all tenants can access the network as RBAC. Unlike the conversion of shared networks to RBAC, the external table is left in the DB to avoid invasive changes throughout the codebase to calculate the flag relative to the caller. So the current 'external' flag is used throughout the code base as it previously was for wiring up floating IPs, router gateway ports, etc. Then the RBAC entries are only referenced when determining what networks to show the tenants. API Behavior: * Marking a network as 'external' will automatically create a wildcard entry that allows that network to be accessed by all tenants. * An external network may have all of its RBAC entries deleted and then only an admin will be able to attach to it. * An RBAC 'access_as_external' entry cannot be deleted if it is required for a tenant that currently has a router attached to that network. * Creating an 'access_as_external' RBAC entry will automatically convert the network into an external network. (This is to enable a workflow where a private external network is never visible to everyone.) * The default policy.json will prevent a non-admin from creating wildcard 'access_as_external' RBAC entries to align with the current default policy we have on setting the 'external' field on the network to prevent poluting everyone else's network lists. * The default policy.json will allow a tenant to create an 'access_as_external' RBAC entry to allow specific tenants (including itself) the ability to use its network as an external network. Closes-Bug: #1547985 DocImpact: External networks can now have access restricted to small subsets of tenants APIImpact: 'access_as_external' will be allowed as an action in the RBAC API for networks Change-Id: I4d8ee78a9763c58884e4fd3d7b40133da659cd61 |
||
|---|---|---|
| bin | ||
| devstack | ||
| doc | ||
| etc | ||
| neutron | ||
| rally-jobs | ||
| releasenotes | ||
| tools | ||
| .coveragerc | ||
| .gitignore | ||
| .gitreview | ||
| .mailmap | ||
| .pylintrc | ||
| .testr.conf | ||
| babel.cfg | ||
| CONTRIBUTING.rst | ||
| HACKING.rst | ||
| LICENSE | ||
| MANIFEST.in | ||
| openstack-common.conf | ||
| README.rst | ||
| requirements.txt | ||
| run_tests.sh | ||
| setup.cfg | ||
| setup.py | ||
| test-requirements.txt | ||
| TESTING.rst | ||
| tox.ini | ||
Welcome!
You have come across a cloud computing network fabric controller. It has identified itself as "Neutron." It aims to tame your (cloud) networking!
External Resources:
The homepage for Neutron is: http://launchpad.net/neutron. Use this site for asking for help, and filing bugs. Code is available on git.openstack.org at <http://git.openstack.org/cgit/openstack/neutron>.
The latest and most in-depth documentation on how to use Neutron is available at: <http://docs.openstack.org>. This includes:
- Neutron Administrator Guide
- Networking Guide
- Neutron API Reference:
-
http://docs.openstack.org/api/openstack-network/2.0/content/
- Current Neutron developer documentation is available at:
For help on usage and hacking of Neutron, please send mail to <mailto:openstack-dev@lists.openstack.org>.
For information on how to contribute to Neutron, please see the contents of the CONTRIBUTING.rst file.