neutron

[rfe] Add RBAC support for BGPVPNs

Bug #1931100 reported by Vadim Ponomarev on 2021-06-07

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	neutron	In Progress	Wishlist	Unassigned	neutron next

Bug Description

Currently, RBAC for BGPVPNs (https://docs.openstack.org/networking-bgpvpn/latest/) is missing in Neutron but it will valuable feature for cloud administrators.

With RBACs the administrators will be able to share specific bgpvpns to the users and provide them full control of Neutron interconnections. This is a valuable feature for private clouds where some users have experience managing interconnections but cannot be cloud administrators.

Tags:

Brian Haley (brian-haley) on 2021-06-07

tags:	added: rfe
Changed in neutron:
importance:	Undecided → Wishlist

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-08: Fix proposed to neutron-lib (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/795423

Changed in neutron:
status:	New → In Progress

Revision history for this message

Slawek Kaplonski (slaweq) wrote on 2021-06-10:

Let's discuss this on our next drivers meeting: http://eavesdrop.openstack.org/#Neutron_drivers_Meeting

tags:

added: rfe-triaged
removed: rfe

Revision history for this message

Akihiro Motoki (amotoki) wrote on 2021-06-15:

Generally it sounds a straight-forward proposal.

One question for clarfication.
What kind of operations will be allowed by a target project who is shared a BGPVPN resource to?
Can a target project associate the BGPVPN resource with network/router/port?

Perhaps all associations by a target project are expected as association with any of these resources is the only operation for a BGPVPN resource but it is nice to clarify it.

In the last drivers meeting, it is the only unclear point. Your reply would be appreciated. Thanks.

Revision history for this message

Vadim Ponomarev (velizarx) wrote on 2021-06-17 (last edit on 2021-06-17):

The end-user should be able only to associate router/network to exist BGPVPN (created by admin and shared to the project). The end-user will not be able to manage BGPVPN or other resources related to it. As I understand port association can break BGPVPN (via incorrect option --bgpvpn-route) and that's why we cannot provide it for the end-user.

Revision history for this message

Slawek Kaplonski (slaweq) wrote on 2021-06-18:

On the today's drivers meeting we agreed to approve that rfe. Please now follow up with the implementation patch(es) for that.

tags:	added: rfe-approved removed: rfe-triaged
Changed in neutron:
milestone:	none → xena-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-25: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/798156

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-07-06: Fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/795423
Committed: https://opendev.org/openstack/neutron-lib/commit/2cfe12c2ece452882b0646036fc01fd021cf727a
Submitter: "Zuul (22348)"
Branch: master

commit 2cfe12c2ece452882b0646036fc01fd021cf727a
Author: Vadim Ponomarev <email address hidden>
Date: Wed Jun 9 00:46:41 2021 +0300

Introduce rbac-bgpvpn api extension

This extension makes it possible to add bgpvpn to RBAC policies.

Partial-Bug: #1931100
Change-Id: Ibee622ef47ca6d738ca53f6482cad88b2441503e

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-15: Change abandoned on neutron (master)

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/798156
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Slawek Kaplonski (slaweq) on 2021-08-31

Changed in neutron:
milestone:	xena-3 → next

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.