[RFE] Role-based Access Control for QoS policies
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Wishlist | Haim Daniel |
Bug Description
The cloud admin needs the ability to share Neutron QoS policies with subsets of tenants instead of the all-or-nothing choice available today.
For example, there is currently no way for a cloud admin to define a "platinum" policy (e.g. guaranteed BW, low latency) and make it available only to certain tenants (the ones who actually paid for it) to apply to their ports/networks.
In a similar context, a cloud administrator may want to apply a pre-created default policy (e.g. a rate limit) to newly created networks/VMs.
This feature will add more flexibility to network management workflows and provide the admin with support for real use cases encountered in enterprise/
Suggested workflows for setting these permissions:
=======
Whitelisting allowed tenants
=======
-------
Sharing a policy via the new RBAC API
-------
# 1. admin creates qos-policy
* neutron qos-policy-create golden-policy [--description policy-description]
# 2. admin creates the rbac entry to allow only tenant-uuid1 to use it.
* neutron rbac-create golden-policy --type policy --target-tenant tenant-uuid1 --action access_as_shared
# 3. admin decides to share the qos policy with an additional (paying) tenant-uuid2
* neutron rbac-update golden-policy --target-tenant tenant-uuid2
From the perspective of tenant-uuid2, which has the qos-policy shared with it after step 3, the policy shows up as 'shared', just as a globally shared policy would.
-------
Stopping a policy from being shared
-------
* Note: deleting a qos-policy rbac entry shall succeed as long as the policy is not bound to any of the target tenant's ports/networks.
* neutron rbac-delete <rbac-from-
-------
Globally sharing the policy
-------
The new API preserves the legacy way of globally sharing a qos-policy; either of the following works:
# 1. Legacy API preserved: --shared switch
* neutron qos-policy-create --shared <policy-name>
# 2. New RBAC API way
* neutron qos-policy-create <policy-name>
* neutron rbac-create --type policy --action access_as_shared --target-tenant * <policy-
=======
Blacklisting tenants
=======
As the only RBAC action allowed at this time is 'access_as_shared', there is no way to exclude specific tenants; however, a sample flow for that would be easy to come up with.
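The whitelisting, unsharing and global-sharing workflows above describe a small set of access rules. The following is an added example (not Neutron code) that models those rules in memory so the semantics can be checked: an 'access_as_shared' entry whitelists one tenant, a '*' target shares globally, and an entry cannot be removed while the target tenant still has ports/networks bound to the policy. Policy and tenant names are constructed sample values.

```python
"""In-memory model of the QoS-policy RBAC rules proposed in this RFE.
Added example, not Neutron's implementation; sample data is constructed."""
from dataclasses import dataclass, field

SHARED = "access_as_shared"   # the only rbac action allowed at this time
WILDCARD = "*"                # --target-tenant value for global sharing


@dataclass
class RbacEntry:
    policy: str          # qos-policy the entry applies to
    target_tenant: str   # tenant-uuid, or '*' for everyone
    action: str = SHARED


@dataclass
class Registry:
    owner: dict                                    # policy -> owning tenant
    rbacs: list = field(default_factory=list)      # rbac-create results
    bindings: dict = field(default_factory=dict)   # (policy, tenant) -> ports/nets bound

    def share(self, policy, tenant):
        """neutron rbac-create <policy> --type policy --target-tenant <tenant>"""
        if policy not in self.owner:
            raise KeyError(f"unknown policy {policy}")
        self.rbacs.append(RbacEntry(policy, tenant))

    def is_shared_to(self, policy, tenant):
        """True if the policy shows up as 'shared' for this tenant."""
        return any(r.policy == policy and r.action == SHARED
                   and r.target_tenant in (tenant, WILDCARD) for r in self.rbacs)

    def can_apply(self, policy, tenant):
        """Owner, whitelisted and globally shared tenants may apply the policy."""
        return self.owner.get(policy) == tenant or self.is_shared_to(policy, tenant)

    def bind(self, policy, tenant):
        """Apply the policy to one of the tenant's ports/networks."""
        if not self.can_apply(policy, tenant):
            raise PermissionError(f"{tenant} may not use {policy}")
        self.bindings[(policy, tenant)] = self.bindings.get((policy, tenant), 0) + 1

    def unshare(self, policy, tenant):
        """neutron rbac-delete: returns False (refused) while bindings exist."""
        affected = [t for (p, t), n in self.bindings.items()
                    if p == policy and n and t != self.owner.get(policy)
                    and tenant in (t, WILDCARD)]
        if affected:
            return False
        self.rbacs = [r for r in self.rbacs
                      if not (r.policy == policy and r.target_tenant == tenant)]
        return True
```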
Activity log:
* summary: Need Role-based Access Control for QoS policies → Role-based Access Control for QoS policies
* description: updated (4 edits)
* Changed in neutron: importance: Medium → Wishlist; tags: added access-control
* summary: Role-based Access Control for QoS policies → [RFE] Role-based Access Control for QoS policies
* Changed in neutron: status: In Progress → Triaged
* description: updated
* Changed in neutron: milestone: none → mitaka-2
* Changed in neutron: milestone: mitaka-2 → mitaka-3
* Changed in neutron: status: Triaged → Fix Committed
* Changed in neutron: status: Fix Committed → Fix Released
Seems very reasonable. I'd like Ihar and Miguel to have a peek here, adding them to the bug.