yahoo-eng-team team mailing list archive

[Bug 1512587] Re: [RFE] Role-based Access Control for QoS policies


** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1512587

Title:
  [RFE] Role-based Access Control for QoS policies

Status in neutron:
  Fix Released

Bug description:
  The cloud admin needs to have the ability to share Neutron QoS
  policies between subsets of tenants instead of the all-or-nothing
  choice he has now.

  For example, there is no way for a cloud admin to define a "platinum"
  policy (e.g. guaranteed BW, low latency) and make it possible only
  for certain tenants (the ones who actually paid for it) to apply it to
  their ports/networks.

  In a similar context, a cloud administrator may want to apply a pre-
  created default policy (e.g. rate limit) to newly created
  networks/VMs.

  This feature will add more flexibility to network management
  workflows and provide the admin with support for real use cases
  encountered in enterprise/private-cloud deployments.

  Suggested workflows for setting these permissions:

  =================================
  White listing for allowed tenants
  =================================

  -------------------------------------
  Sharing a policy via the new RBAC API
  -------------------------------------

  # 1. admin creates qos-policy
  * neutron qos-policy-create golden-policy [--description policy-description]

  # 2. admin creates the rbac to allow only tenant-uuid1 to use it.
  * neutron rbac-create golden-policy --type policy --target-tenant tenant-uuid1 --action access_as_shared

  # 3. admin decides to share the qos policy with an additional (paying) tenant-uuid2
  * neutron rbac-update golden-policy --target-tenant tenant-uuid2

  From the perspective of tenant2, which has a qos-policy shared with it, the policy will show up as 'shared' after the aforementioned step 3, just like a globally shared policy would.

  ------------------------------------
  Stopping a policy from being shared
  ------------------------------------
  * Note: deleting a qos policy rbac shall succeed as long as it's not bound to any ports/networks.

  * neutron rbac-delete <rbac-uuid-from-step-3>

  ---------------------------
  Globally sharing the policy
  ---------------------------
  The new API preserves the legacy manner of globally sharing a qos-policy in either of two ways:

  # 1. Legacy API preserved: --shared switch
  * neutron qos-policy-create --shared <policy-name>

  # 2. New RBAC API way

  * neutron qos-policy-create <policy-name>
  * neutron rbac-create --type policy --action access_as_shared --target-tenant *  <policy-name-or-uuid>

  =======================
  Black listing tenants
  =======================
  As the single RBAC action allowed at this time is 'access_as_shared', there is no way of excluding tenants; however, the sample flow is easy to come up with.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1512587/+subscriptions
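A small model of the access semantics the description lays out: whitelisting via access_as_shared entries, the `*` wildcard target, the legacy --shared flag, and the rule that an rbac entry cannot be removed while the policy is still bound to a tenant's ports/networks. This is an added illustration written for this page, not Neutron's code; QosPolicy, can_use, rbac_create, apply_policy and rbac_delete are hypothetical names.

```python
from dataclasses import dataclass, field

WILDCARD = "*"  # --target-tenant * shares a policy with every tenant

class RbacError(Exception):
    """Raised when an RBAC operation is rejected."""

@dataclass
class QosPolicy:
    name: str
    owner: str                                  # tenant that created the policy
    shared: bool = False                        # legacy --shared switch
    rbac: dict = field(default_factory=dict)    # rbac-id -> target tenant
    bound_by: set = field(default_factory=set)  # tenants with ports/networks using it

def can_use(policy, tenant, ignore_rbac=None):
    """True when `tenant` may apply the policy: it owns it, the legacy shared
    flag is set, or an access_as_shared entry (exact tenant or '*') targets it.
    `ignore_rbac` lets rbac_delete ask what access would remain without an entry."""
    if tenant == policy.owner or policy.shared:
        return True
    return any(target in (WILDCARD, tenant)
               for rid, target in policy.rbac.items() if rid != ignore_rbac)

def rbac_create(policy, rbac_id, target_tenant, action="access_as_shared"):
    # access_as_shared is the only action the RFE allows for QoS policies,
    # so a "blacklist" entry cannot be expressed with this API.
    if action != "access_as_shared":
        raise RbacError(f"unsupported action {action!r}")
    policy.rbac[rbac_id] = target_tenant

def apply_policy(policy, tenant):
    """Tenant binds the policy to one of its ports/networks."""
    if not can_use(policy, tenant):
        raise RbacError(f"{tenant} may not use policy {policy.name}")
    policy.bound_by.add(tenant)

def rbac_delete(policy, rbac_id):
    """Deleting an entry succeeds only while no tenant would lose access to a
    policy that is still bound to its ports/networks."""
    if rbac_id not in policy.rbac:
        raise KeyError(rbac_id)
    losers = {t for t in policy.bound_by if not can_use(policy, t, ignore_rbac=rbac_id)}
    if losers:
        raise RbacError(f"policy {policy.name} still in use by {sorted(losers)}")
    del policy.rbac[rbac_id]
```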
