Reviewed: https://review.opendev.org/c/openstack/neutron/+/926068
Committed:
https://opendev.org/openstack/neutron/commit/104cbf9e60001329968bcab2e6d95ef38168cbc5
Submitter: "Zuul (22348)"
Branch: master
commit 104cbf9e60001329968bcab2e6d95ef38168cbc5
Author: Slawek Kaplonski <skapl...@redhat.com>
Date: Fri Aug 9 16:47:04 2024 +0200
Add trusted vif api extension for the port
This patch adds implementation of the "port_trusted_vif" API extension
as ml2 extension.
With this extension enabled, it is now possible for ADMIN users to set
port as trusted without modifying directly 'binding:profile' field
which is supposed to be just for machine to machine communication.
Value set in the 'trusted' attribute of the port is included in the
port's binding:profile so that it is still in the same place where e.g.
Nova expects it.
For now setting this flag directly in the port's binding:profile field
is not forbidden and only warning is generated in such case but in
future releases it should be forbiden and only allowed to be done using
this new attribute of the port resource.
This patch implements also definition of the new API extension directly
in Neutron. It is temporary and will be removed once patch [1] in
neutron-lib will be merged and released.
[1] https://review.opendev.org/c/openstack/neutron-lib/+/923860
Closes-Bug: #2060916
Change-Id: I69785c5d72a5dc659c5a2f27e043c686790b4d2b
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2060916
Title:
[RFE] Add 'trusted_vif' field to the port attributes
Status in neutron:
Fix Released
Bug description:
Currently 'trusted=true' can be passed to Neutron by admin user
through the port's "binding:profile" field but this field originally
was intended to be used only for the machine-machine communication,
and not to be used by any cloud user. There is even info about that in
the api-ref:
"A dictionary that enables the application running on the specific
host to pass and receive vif port information specific to the
networking back-end. This field is only meant for machine-machine
communication for compute services like Nova, Ironic or Zun to pass
information to a Neutron back-end. It should not be used by multiple
services concurrently or by cloud end users. The existing
counterexamples (capabilities: [switchdev] for Open vSwitch hardware
offload and trusted=true for Trusted Virtual Functions) are due to be
cleaned up. The networking API does not define a specific format of
this field. ..."
This will be even worst with the new S-RBAC policies where "binding:profile"
field is allowed to be changed only for the SERVICE role users, not even for
admins.
So this small RFE is proposal to add new API extension which will add
field, like "trusted_vif" to the port object. This field would be then
accesible for ADMIN role users in the Secure-RBAC policies.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2060916/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
