Today the Advanced Services (e.g. DBaaS, DNSaaS, etc.) need to be able to create, delete and update ports on a tenant's network. Today they can do this by being a Global Neutron Admin. We need to create a policy/role/etc. that will allow a tenant to be admin for a resource.
We need this feature to allow our Advanced Services to share a "Neutron Provider Network" that allows them to forward logs down to the centralized logging system.
"shared" on a Network will allow all tenants to access the network. The keystone hierarchical tenants will not be ready any time soon.
By implementing this feature, we are defining a new user role (advsvc), which will allow for the equivalent of admin rights when defined for specific resources. This is an easy way to add this functionality into the policy framework in Neutron and allow granular control of access to resources with this new role.
Chatted with Mark and Kyle and I am now filing this bug.
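The scoping described in this report, sketched as an added example that is not Neutron's own code or policy file: a constructed rule table in the style of Neutron's policy.json in which the advsvc role is accepted only on port actions. The rule names, the action list and the tenant ids are assumptions made for illustration.

```python
# Constructed policy table (assumption: names and actions are illustrative).
POLICY = {
    "context_is_admin": "role:admin",
    "context_is_advsvc": "role:advsvc",
    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_owner": "rule:context_is_admin or rule:owner",
    # Port actions: advsvc is accepted next to admin and the owning tenant.
    "create_port": "rule:admin_or_owner or rule:context_is_advsvc",
    "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
    "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
    # Other resources stay admin/owner only, so advsvc is not a global admin.
    "delete_network": "rule:admin_or_owner",
    "update_router": "rule:admin_or_owner",
}
ACTIONS = [a for a in POLICY if "_" in a and not a.startswith(("context", "admin"))]


def check(expr, creds, target):
    """Evaluate an 'a or b' expression of role:, rule: and tenant_id: checks."""
    for term in expr.split(" or "):
        kind, _, value = term.partition(":")
        if kind == "rule" and check(POLICY[value], creds, target):
            return True
        if kind == "role" and value in creds["roles"]:
            return True
        if kind == "tenant_id" and creds["tenant_id"] == value % target:
            return True
    return False


def enforce(action, creds, target):
    """Fail closed: an action without a rule is denied."""
    expr = POLICY.get(action)
    return expr is not None and check(expr, creds, target)


def allowed_actions(creds, target):
    return sorted(a for a in ACTIONS if enforce(a, creds, target))


# Constructed callers and target: a resource owned by tenant-a.
TARGET = {"tenant_id": "tenant-a"}
DBAAS = {"roles": ["advsvc"], "tenant_id": "svc-tenant"}
OTHER = {"roles": ["member"], "tenant_id": "tenant-b"}
OWNER = {"roles": ["member"], "tenant_id": "tenant-a"}

if __name__ == "__main__":
    for name, creds in (("dbaas", DBAAS), ("other", OTHER), ("owner", OWNER)):
        print(name, allowed_actions(creds, TARGET))
```
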
Fix proposed to branch: master
Review: https://review.openstack.org/101281