Hi all,

I'm running a Juno testbed with Neutron, ml2 and ovs. We have use cases where we would like to create a shared vlan network and directly attach a VM on this network. This is not hard to do, and I've described how I did it on this page: http://www.s3it.uzh.ch/blog/openstack-neutron-vlan/

However, there are a few issues with this implementation:

1) *any* tenant can attach a VM directly to this network. I would like to be able to only allow specific tenants to do it. Can I update the policy.json rule "network:attach_external_network" with something like:

    "network:attach_external_network": "project_name:'Project1' or project_name:'Project2'"

   Will it work?

2) *any* external/shared network will share the same permissions, while I would like to have a few "special" vlan networks as described before, and a "standard" external network to be used for floating IPs. Ideally, I would like to update the previous policy rule with something like:

    "admin_api or (network_name: 'vlan842' and project_name:'project1')"

   but I don't know which "variables" can be used inside the policy.json file.

3) I don't know if this is a bug or was caused by my changes, but after the change I've made in `network:attach_external_network` an unprivileged user on a demo tenant can also see a tenant network (not external) created by admin *without* `--shared` on the `admin` tenant. The user cannot, however, see the details of the network, nor attach any interface to it (either router or VM interface).

Is there a way to do it? What variables can be used in the policy.json file, apart from the standard "project_id" and "user_id"?

Thank you in advance for your precious help

Cheers,
Antonio

--
antonio.s.mess...@gmail.com
antonio.mess...@uzh.ch +41 (0)44 635 42 22
S3IT: Service and Support for Science IT http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland