** Changed in: neutron
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1512587

Title:
  [RFE] Role-based Access Control for QoS policies

Status in neutron:
  Fix Released

Bug description:
  The cloud admin needs to have the ability to share Neutron QoS policies between subsets of tenants instead of the all-or-nothing choice he has now. For example, there is no way for a cloud admin to define a "platinum" policy (e.g. guaranteed BW, low latency) and make it possible only for certain tenants (the ones who actually paid for it) to apply it to their ports/networks. In a similar context, a cloud administrator may want to apply a pre-created default policy (e.g. rate limit) to newly created networks/VMs.

  This feature will add more flexibility for network management workflows and provide the admin with support for real use cases encountered in enterprise/private-cloud deployments.

  Suggested workflows for setting these permissions:

  =================================
  White listing for allowed tenants
  =================================

  -------------------------------------
  Sharing a policy via the new RBAC API
  -------------------------------------

  # 1. admin creates qos-policy
  * neutron qos-policy-create golden-policy [--description policy-description]

  # 2. admin creates the rbac to allow only tenant-uuid1 to use it.
  * neutron rbac-create golden-policy --type policy --target-tenant tenant-uuid1 --action access_as_shared

  # 3. admin decides to share the qos policy with an additional (paying) tenant-uuid2
  * neutron rbac-update golden-policy --target-tenant tenant-uuid2

  From the perspective of a tenant2 that has a qos-policy shared to it, the policy will show up as 'shared' just like a globally shared policy would after the aforementioned step 3.

  ------------------------------------
  Stopping a policy from being shared
  ------------------------------------

  * Note: deleting a qos policy rbac shall succeed as long as it's not bound to any ports/networks.
  * neutron rbac-delete <rbac-from-step-3-uuid->

  ---------------------------
  Globally sharing the policy
  ---------------------------

  The new API preserves the legacy manner of globally sharing a qos-policy in either way:

  # 1. Legacy API preserved: --shared switch
  * neutron qos-policy-create --shared <policy-name>

  # 2. New RBAC API way
  * neutron qos-policy-create <policy-name>
  * neutron rbac-create --type policy --action access_as_shared --target-tenant * <policy-name-or-uuid>

  =======================
  Black listing tenants
  =======================

  As RBAC's single allowed action is 'access_as_shared' at this time, there's no way of excluding tenants; however, the sample flow is easy to come up with.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1512587/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
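The visibility rules the RFE sketches (a policy is usable by its owner, by anyone when it is globally shared via --shared or a '*' target tenant, or by a tenant that holds an access_as_shared RBAC entry; an RBAC entry cannot be deleted while the policy is still bound to a port or network it authorises) can be replayed as a small in-memory model. The following is an added example written for this page, not Neutron's own code: the class names (QosRbac, RbacEntry, Binding) and the walkthrough() helper are made up here, and the second tenant is granted with a second rbac_create entry rather than the rbac-update call from step 3, which is a simplifying assumption of this model.

```python
"""Toy model of the QoS-policy RBAC visibility rules described in the RFE (added example)."""
from dataclasses import dataclass

ACCESS_AS_SHARED = "access_as_shared"   # the only RBAC action for policies at this time
WILDCARD_TENANT = "*"                   # --target-tenant * : share with every tenant


class RbacError(Exception):
    """Invalid RBAC operation: unknown policy/action, or an entry that is still in use."""


@dataclass
class QosPolicy:
    name: str
    owner_tenant: str
    shared: bool = False                # legacy --shared switch (global sharing)


@dataclass(frozen=True)
class RbacEntry:
    policy_name: str
    target_tenant: str
    action: str = ACCESS_AS_SHARED


@dataclass(frozen=True)
class Binding:
    """A port or network owned by `tenant` that has `policy_name` applied to it."""
    resource_id: str
    tenant: str
    policy_name: str


class QosRbac:
    def __init__(self):
        self.policies: dict[str, QosPolicy] = {}
        self.entries: list[RbacEntry] = []
        self.bindings: list[Binding] = []

    # --- admin side: qos-policy-create / rbac-create / rbac-delete -----------
    def policy_create(self, name, owner_tenant, shared=False):
        self.policies[name] = QosPolicy(name, owner_tenant, shared)
        return self.policies[name]

    def rbac_create(self, policy_name, target_tenant, action=ACCESS_AS_SHARED):
        if policy_name not in self.policies:
            raise RbacError(f"unknown policy {policy_name}")
        if action != ACCESS_AS_SHARED:          # black-listing is not expressible
            raise RbacError(f"unsupported action {action}")
        entry = RbacEntry(policy_name, target_tenant, action)
        self.entries.append(entry)
        return entry

    def rbac_delete(self, entry):
        # Refuse if some bound port/network would lose its authorisation for the
        # policy once this entry is gone (the "not bound to any ports/networks" rule).
        remaining = [e for e in self.entries if e is not entry]
        orphaned = [b for b in self.bindings
                    if b.policy_name == entry.policy_name
                    and not self._allowed(b.policy_name, b.tenant, remaining)]
        if orphaned:
            raise RbacError("rbac entry still in use by "
                            f"{sorted(b.resource_id for b in orphaned)}")
        self.entries = remaining

    # --- tenant side: what qos-policy-list shows and what may be bound --------
    def _allowed(self, policy_name, tenant, entries):
        policy = self.policies[policy_name]
        if policy.owner_tenant == tenant or policy.shared:
            return True
        return any(e.policy_name == policy_name and e.action == ACCESS_AS_SHARED
                   and e.target_tenant in (tenant, WILDCARD_TENANT) for e in entries)

    def is_shared_for(self, policy_name, tenant):
        """True when the policy shows up as 'shared' in this tenant's listing."""
        if self.policies[policy_name].owner_tenant == tenant:
            return False                    # its own policy, not a shared one
        return self._allowed(policy_name, tenant, self.entries)

    def visible_policies(self, tenant):
        return sorted(n for n in self.policies if self._allowed(n, tenant, self.entries))

    def bind(self, resource_id, tenant, policy_name):
        if not self._allowed(policy_name, tenant, self.entries):
            raise RbacError(f"tenant {tenant} may not use policy {policy_name}")
        binding = Binding(resource_id, tenant, policy_name)
        self.bindings.append(binding)
        return binding

    def unbind(self, resource_id):
        self.bindings = [b for b in self.bindings if b.resource_id != resource_id]


def walkthrough():
    """Replay the RFE's white-listing flow; return what each step lets the tenants see."""
    store = QosRbac()
    store.policy_create("golden-policy", owner_tenant="admin")          # step 1
    store.rbac_create("golden-policy", "tenant-uuid1")                  # step 2
    step2 = (store.visible_policies("tenant-uuid1"), store.visible_policies("tenant-uuid2"))
    grant2 = store.rbac_create("golden-policy", "tenant-uuid2")         # step 3 (modelled)
    step3 = store.is_shared_for("golden-policy", "tenant-uuid2")
    store.bind("port-a", "tenant-uuid2", "golden-policy")               # tenant2 uses it
    try:
        store.rbac_delete(grant2)
        delete_while_bound = "succeeded"
    except RbacError:
        delete_while_bound = "refused"
    store.unbind("port-a")
    store.rbac_delete(grant2)                                           # now allowed
    return {"step2": step2, "step3": step3, "delete_while_bound": delete_while_bound,
            "after_delete": store.visible_policies("tenant-uuid2")}


if __name__ == "__main__":
    print(walkthrough())
```

The in-use check in rbac_delete is deliberately written in terms of "would this tenant still be authorised" rather than "does an entry for this tenant exist", so removing one of two overlapping grants (a per-tenant entry next to a '*' entry) does not refuse needlessly, while removing the last grant that covers a bound port is rejected.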