Advanced Services need to be able to list all networks and create/update/delete ports on other tenants' networks.

Bug #1331836 reported by Susanne Balle
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Kyle Mestery

Bug Description

Today the Advanced Services e.g. DBaaS, DNSaaS, etc. need to be able to create/delete and update ports on a tenant's network. Today they can do this by being a Global Neutron Admin. We need to create a policy/role/etc. that will allow a tenant to be admin for a resource.

We need this feature to allow our Advanced services to share a "Neutron Provider Network" that allows them to forward logs down to the Centralized logging system.

"shared" on a Network will allow all tenants to access the network. The keystone hierarchical tenants will not be ready any time soon.

By implementing this feature, we are defining a new user role (advsvc), which will allow for the equivalent of admin rights when defined for specific resources. This is an easy way to add this functionality into the policy framework in Neutron and allow granular control of access to resources with this new role.

Chatted with Mark and Kyle and I am now filing this bug.

Tags: policy
Kyle Mestery (mestery)
Changed in neutron:
assignee: nobody → Kyle Mestery (mestery)
status: New → In Progress
importance: Undecided → Medium
milestone: none → juno-2
tags: added: policy
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/101281

Kyle Mestery (mestery)
description: updated
Kyle Mestery (mestery)
Changed in neutron:
milestone: juno-2 → juno-3
Thierry Carrez (ttx)
Changed in neutron:
milestone: juno-3 → juno-rc1
Kyle Mestery (mestery) wrote :

Moving medium priority bug out of Juno-RC1.

Changed in neutron:
milestone: juno-rc1 → kilo-1
Kyle Mestery (mestery) wrote :

Per my own confusion, moving back to Juno-RC1.

Changed in neutron:
milestone: kilo-1 → juno-rc1
Kyle Mestery (mestery)
Changed in neutron:
milestone: juno-rc1 → kilo-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/101281
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d4f00659eb18c6a5df2ce6d35202b0a4a9409f70
Submitter: Jenkins
Branch: master

commit d4f00659eb18c6a5df2ce6d35202b0a4a9409f70
Author: Kyle Mestery <email address hidden>
Date: Wed Jun 18 11:04:52 2014 +0000

    Add advsvc role to neutron policy file

    Add in a default "advsvc" user and the logic in the Neutron policy
    infrastructure which will allow this user to create/get/update/delete
    ports on other tenants networks, as well as view other tenants
    networks. This is for the use case of letting advanced services have
    a user to put ports on other tenants networks. By default, we do not
    define any roles for the policy "context_is_advsvc", but rely on
    operators to specify the likely value of "role advsvc".

    DocImpact

    Closes-Bug: #1331836

    Change-Id: I94cb3383eb1fed793934719603f888dbbdbbd85a
    Co-Authored-By: Susanne Balle <email address hidden>

Changed in neutron:
status: In Progress → Fix Committed
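
The role-scoped rule described in the commit message above, sketched as an added example (not Neutron's policy file or policy engine): a small evaluator for "or"-only rule strings shows that a caller holding `advsvc` gains port operations and network visibility on another tenant's resources without gaining other admin actions. Only `context_is_advsvc` and the `advsvc` role come from the page; the other rule names, rule bodies, tenant names and the evaluator itself are assumptions for illustration.

```python
# Constructed policy in an "or"-only subset of the Neutron policy syntax.
# Only "context_is_advsvc" and the "advsvc" role come from the commit message;
# the other rule names and bodies are assumptions for illustration.
POLICY = {
    "context_is_admin": "role:admin",
    "context_is_advsvc": "role:advsvc",
    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_owner": "rule:context_is_admin or rule:owner",
    "get_network": "rule:admin_or_owner or rule:context_is_advsvc",
    "delete_network": "rule:admin_or_owner",
    "create_port": "rule:admin_or_owner or rule:context_is_advsvc",
    "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
    "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
    "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
}


def check(rule, creds, target, policy, depth=0):
    """True if any 'or' alternative of the named rule matches; unknown rules deny."""
    expr = policy.get(rule)
    if expr is None or depth > 16:  # missing rule or reference cycle: fail closed
        return False
    for term in expr.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "rule" and check(value, creds, target, policy, depth + 1):
            return True
        if kind == "role" and value in creds["roles"]:
            return True
        if kind == "tenant_id" and creds["tenant_id"] == value % target:
            return True
    return False


def allowed(action, roles, tenant_id, resource_owner, policy=POLICY):
    """Evaluate one API action for a caller against a resource owned by resource_owner."""
    creds = {"roles": set(roles), "tenant_id": tenant_id}
    return check(action, creds, {"tenant_id": resource_owner}, policy)


if __name__ == "__main__":
    for action in ("get_network", "create_port", "delete_port", "delete_network"):
        print(action, allowed(action, ["advsvc"], "svc-tenant", "tenant-a"))
    # Without an operator-defined context_is_advsvc rule the role grants nothing.
    bare = {k: v for k, v in POLICY.items() if k != "context_is_advsvc"}
    print("create_port, rule undefined:",
          allowed("create_port", ["advsvc"], "svc-tenant", "tenant-a", bare))
```

When auditing a deployment, the actions that reference `context_is_advsvc` are the complete cross-tenant reach of any account holding the role, so that list is what to review.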
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/131561

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/juno)

Change abandoned by Kyle Mestery (<email address hidden>) on branch: stable/juno
Review: https://review.openstack.org/131561

Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: kilo-1 → 2015.1.0