[RFE] Add 'trusted_vif' field to the port attributes

Bug #2060916 reported by Slawek Kaplonski
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Slawek Kaplonski

Bug Description

Currently 'trusted=true' can be passed to Neutron by an admin user through the port's "binding:profile" field, but this field was originally intended to be used only for machine-machine communication, and not to be used by any cloud user. There is even info about that in the api-ref:

"A dictionary that enables the application running on the specific host to pass and receive vif port information specific to the networking back-end. This field is only meant for machine-machine communication for compute services like Nova, Ironic or Zun to pass information to a Neutron back-end. It should not be used by multiple services concurrently or by cloud end users. The existing counterexamples (capabilities: [switchdev] for Open vSwitch hardware offload and trusted=true for Trusted Virtual Functions) are due to be cleaned up. The networking API does not define a specific format of this field. ..."

This will be even worse with the new S-RBAC policies, where the "binding:profile" field is allowed to be changed only by SERVICE role users, not even by admins.

So this small RFE is a proposal to add a new API extension which will add a field, like "trusted_vif", to the port object. This field would then be accessible for ADMIN role users in the Secure-RBAC policies.
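
An added example, not part of the original report and not Neutron code: a small audit that lists the ports currently carrying 'trusted' inside "binding:profile", which is the set an operator would need to review if the proposed field replaces that usage. The port records are constructed, and accepting both boolean and string spellings of the value is an assumption about how clients write it.

```python
import json

# Constructed sample, shaped like the "ports" list of a GET /v2.0/ports response.
SAMPLE_PORTS = json.loads("""
[
 {"id": "port-a", "binding:vnic_type": "direct", "port_security_enabled": true,
  "binding:profile": {"trusted": "true"}},
 {"id": "port-b", "binding:vnic_type": "direct", "port_security_enabled": false,
  "binding:profile": {"trusted": true, "capabilities": ["switchdev"]}},
 {"id": "port-c", "binding:vnic_type": "direct", "port_security_enabled": true,
  "binding:profile": {"trusted": "false"}},
 {"id": "port-d", "binding:vnic_type": "normal", "port_security_enabled": true,
  "binding:profile": null},
 {"id": "port-e", "binding:vnic_type": "direct", "port_security_enabled": true,
  "binding:profile": {"capabilities": ["switchdev"]}}
]
""")

# Assumption: string spellings that a boolean parser would treat as true.
TRUE_STRINGS = {"1", "t", "true", "on", "y", "yes"}


def profile_requests_trusted(profile):
    """Return True if a binding:profile value carries a truthy 'trusted' key."""
    if not isinstance(profile, dict):
        return False  # profile can be null, empty, or hidden from the caller
    value = profile.get("trusted")
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() in TRUE_STRINGS


def ports_relying_on_profile_trusted(ports):
    """List ports whose trusted setting lives in binding:profile today."""
    findings = []
    for port in ports:
        if profile_requests_trusted(port.get("binding:profile")):
            findings.append({
                "id": port.get("id"),
                "vnic_type": port.get("binding:vnic_type"),
                "port_security_enabled": port.get("port_security_enabled"),
            })
    return findings


if __name__ == "__main__":
    for finding in ports_relying_on_profile_trusted(SAMPLE_PORTS):
        print(finding)
```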

Changed in neutron:
importance: Undecided → Wishlist
Liu Xie (liushy) wrote :

Hi, does this RFE aim to specify that the 'trusted_vif' field and 'port_security' are set to false for the port?

tags: added: rfe-triaged
tags: added: rfe-confirmed