Public bug reported:
Currently 'trusted=true' can be passed to Neutron by admin user through
the port's "binding:profile" field but this field originally was
intended to be used only for the machine-machine communication, and not
to be used by any cloud user. There is even info about that in the api-
ref:
"A dictionary that enables the application running on the specific host
to pass and receive vif port information specific to the networking
back-end. This field is only meant for machine-machine communication for
compute services like Nova, Ironic or Zun to pass information to a
Neutron back-end. It should not be used by multiple services
concurrently or by cloud end users. The existing counterexamples
(capabilities: [switchdev] for Open vSwitch hardware offload and
trusted=true for Trusted Virtual Functions) are due to be cleaned up.
The networking API does not define a specific format of this field. ..."
This will be even worst with the new S-RBAC policies where "binding:profile"
field is allowed to be changed only for the SERVICE role users, not even for
admins.
So this small RFE is proposal to add new API extension which will add
field, like "trusted_vif" to the port object. This field would be then
accesible for ADMIN role users in the Secure-RBAC policies.
** Affects: neutron
Importance: Wishlist
Assignee: Slawek Kaplonski (slaweq)
Status: New
** Tags: rfe
** Changed in: neutron
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2060916
Title:
[RFE] Add 'trusted_vif' field to the port attributes
Status in neutron:
New
Bug description:
Currently 'trusted=true' can be passed to Neutron by admin user
through the port's "binding:profile" field but this field originally
was intended to be used only for the machine-machine communication,
and not to be used by any cloud user. There is even info about that in
the api-ref:
"A dictionary that enables the application running on the specific
host to pass and receive vif port information specific to the
networking back-end. This field is only meant for machine-machine
communication for compute services like Nova, Ironic or Zun to pass
information to a Neutron back-end. It should not be used by multiple
services concurrently or by cloud end users. The existing
counterexamples (capabilities: [switchdev] for Open vSwitch hardware
offload and trusted=true for Trusted Virtual Functions) are due to be
cleaned up. The networking API does not define a specific format of
this field. ..."
This will be even worst with the new S-RBAC policies where "binding:profile"
field is allowed to be changed only for the SERVICE role users, not even for
admins.
So this small RFE is proposal to add new API extension which will add
field, like "trusted_vif" to the port object. This field would be then
accesible for ADMIN role users in the Secure-RBAC policies.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2060916/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
