[rfe] Add RBAC support for BGPVPNs

Bug #1931100 reported by Vadim Ponomarev
This bug affects 2 people
Affects: neutron
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Currently, RBAC for BGPVPNs (https://docs.openstack.org/networking-bgpvpn/latest/) is missing in Neutron, but it will be a valuable feature for cloud administrators.

With RBACs the administrators will be able to share specific bgpvpns to the users and provide them full control of Neutron interconnections. This is a valuable feature for private clouds where some users have experience managing interconnections but cannot be cloud administrators.

tags: added: rfe
Changed in neutron:
importance: Undecided → Wishlist
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)
Changed in neutron:
status: New → In Progress
Slawek Kaplonski (slaweq) wrote :

Let's discuss this on our next drivers meeting: http://eavesdrop.openstack.org/#Neutron_drivers_Meeting

tags: added: rfe-triaged
removed: rfe
Akihiro Motoki (amotoki) wrote :

Generally it sounds like a straightforward proposal.

One question for clarification.
What kind of operations will be allowed for a target project that a BGPVPN resource is shared to?
Can a target project associate the BGPVPN resource with network/router/port?

Perhaps all associations by a target project are expected, as association with any of these resources is the only operation for a BGPVPN resource, but it would be nice to clarify it.

In the last drivers meeting, it was the only unclear point. Your reply would be appreciated. Thanks.

Vadim Ponomarev (velizarx) wrote :

The end-user should only be able to associate a router/network to an existing BGPVPN (created by admin and shared to the project). The end-user will not be able to manage the BGPVPN or other resources related to it. As I understand it, port association can break the BGPVPN (via an incorrect --bgpvpn-route option) and that's why we cannot provide it for the end-user.

Slawek Kaplonski (slaweq) wrote :

At today's drivers meeting we agreed to approve that rfe. Please now follow up with the implementation patch(es) for that.

tags: added: rfe-approved
removed: rfe-triaged
Changed in neutron:
milestone: none → xena-3
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/798156

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/795423
Committed: https://opendev.org/openstack/neutron-lib/commit/2cfe12c2ece452882b0646036fc01fd021cf727a
Submitter: "Zuul (22348)"
Branch: master

commit 2cfe12c2ece452882b0646036fc01fd021cf727a
Author: Vadim Ponomarev <email address hidden>
Date: Wed Jun 9 00:46:41 2021 +0300

    Introduce rbac-bgpvpn api extension

    This extension makes it possible to add bgpvpn to RBAC policies.

    Partial-Bug: #1931100
    Change-Id: Ibee622ef47ca6d738ca53f6482cad88b2441503e

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/798156
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Changed in neutron:
milestone: xena-3 → next