[RFE]Role-based access control for neutron fwaas policies
Bug #1524231 reported by zhaobo
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Won't Fix | Wishlist | Unassigned | |
Bug Description
[Existing problem]
Now, fwaas just contains the 'shared' field; when it is True, the resource can be fetched by all tenants. But there are more requirements now: an enterprise that has a strong fw (more legitimate fw rules/policies) wants to share / sell its fw service to some tenants through our cloud system.
[Proposal]
Neutron could not fulfill this task until RBAC policies were imported in the L release. I think we could build on the existing RBAC policies mechanism to extend it to more resources which may have this application scenario. We could control fw sharing like the existing network sharing, or maybe cover more.
[What is the enhancement?]
Share a FW in a more sophisticated way with other specified tenants.
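As an added illustration of the proposal (this is constructed example code, not Neutron's or FWaaS's own implementation), the model below applies a Neutron-style RBAC entry, with `action` `access_as_shared` and a `target_tenant` that is either a specific tenant or the `*` wildcard, to a hypothetical `firewall_policy` object type, alongside the legacy FWaaS 1.0 `shared` flag. All tenant and policy ids are constructed sample values.

```python
from dataclasses import dataclass

WILDCARD = "*"  # Neutron RBAC uses '*' as target_tenant to mean "every tenant"
ACTION_SHARED = "access_as_shared"  # the existing Neutron RBAC action name


@dataclass
class RbacEntry:
    object_type: str    # "network" today; "firewall_policy" as proposed by the RFE
    object_id: str
    action: str
    target_tenant: str  # a tenant id, or WILDCARD


@dataclass
class FirewallPolicy:
    object_id: str
    tenant_id: str
    shared: bool = False  # legacy FWaaS 1.0 'shared' field: True means visible to all


def can_access(policy, requester, rbac_entries):
    """Owner always sees its own policy; others need the legacy shared flag
    or an RBAC entry granting access_as_shared to them (or to '*')."""
    if policy.tenant_id == requester or policy.shared:
        return True
    return any(
        e.object_type == "firewall_policy"
        and e.object_id == policy.object_id
        and e.action == ACTION_SHARED
        and e.target_tenant in (WILDCARD, requester)
        for e in rbac_entries
    )


def visible_policies(policies, requester, rbac_entries):
    """Ids of the policies the requesting tenant is allowed to fetch."""
    return [p.object_id for p in policies if can_access(p, requester, rbac_entries)]


# Constructed sample data: the enterprise owns two policies, one shared to all
# via the legacy flag, one shared only to tenant-a via a targeted RBAC entry.
POLICIES = [
    FirewallPolicy("fwp-enterprise", "tenant-enterprise"),
    FirewallPolicy("fwp-public", "tenant-enterprise", shared=True),
    FirewallPolicy("fwp-private", "tenant-other"),
]
RBAC = [RbacEntry("firewall_policy", "fwp-enterprise", ACTION_SHARED, "tenant-a")]
```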
Changed in neutron:
assignee: nobody → zhaobo (zhaobo6)
tags: added: fwaas
tags: added: access-control
Changed in neutron:
status: New → Confirmed
summary: "[RFE]neutron fwaas should be support share fw to specify tenant" → "[RFE]Role-based access control for neutron fwaas policies"
tags: added: rfe
Changed in neutron:
importance: Undecided → Wishlist
I fail to see the importance of this request, for two reasons:
1) FWaaS 1.0 API is experimental and is going to be replaced by the FWaaS 2.0 API. New features should be targeted at FWaaS 2.0. See the FWaaS 2.0 API spec.
2) The FWaaS 1.0 API has a "shared" attribute on firewall rules and firewall policies. I also see the "shared" attribute on the firewall, but that makes no sense to me and glancing at the code it does not seem like "shared" is populated in the firewall table. For firewall rules and firewall policies, "shared" allows a policy or a rule to be reused in a different tenant's firewall. The actual instantiation and enforcement is always in the context of the firewall's tenant, regardless of the firewall policy's tenant and the firewall rule's tenant, i.e. the contents of the firewall policy will be replicated for each tenant due to separate firewalls per tenant. This is different from network RBAC, where one tenant can actually connect to another tenant's network.