
yahoo-eng-team team mailing list archive

[Bug 1566191] [NEW] Allow multiple networks with FIP range to be associated with Tenant router

 

Public bug reported:

This requirement came out during the Manila-Neutron integration discussion to provide a solution for a multi-tenant environment to work with the File Share store.
The way to solve it is as follows:
A dedicated NAT-based network connection should be established between a tenant's private network (where his VMs reside) and a data center local storage network. Sticking to IP-based authorization, as used by Manila, the NAT-assigned floating IPs in the storage network are used to check authorization in the storage backend, as well as to deal with possible overlapping IP ranges in the private networks of different tenants. A dedicated NAT and not the public FIP is suggested since public FIPs are usually limited resources.
In order to be able to orchestrate the above use case, it should be possible to associate more than one subnet with a 'FIP' range with the router (via router interface) and enable NAT based on the destination subnet.
This behaviour was possible in Mitaka and worked for the MidoNet plugin, but due to https://bugs.launchpad.net/neutron/+bug/1556884 it won't be possible any more.

A related bug for a security use case that can benefit from the proposed
behavior is described here:
https://bugs.launchpad.net/neutron/+bug/1250105

** Affects: neutron
     Importance: Undecided
         Status: Confirmed


** Tags: rfe

** Tags added: rfe

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1566191

Title:
  Allow multiple networks with FIP range to be associated with Tenant
  router

Status in neutron:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1566191/+subscriptions
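
The NAT arrangement the report describes, as a small Python model added here (it is not Neutron, Manila or MidoNet code and is not from the report): a router holds floating IPs on more than one FIP-range network, picks the translated source by destination subnet, and the storage backend authorizes on the address it sees, which keeps two tenants with the same private address distinct. All addresses, the `TenantRouter` class and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample networks (assumptions, not taken from the bug report).
STORAGE_NET = ipaddress.ip_network("172.20.0.0/24")  # data center local storage
OTHER_NET = ipaddress.ip_network("172.21.0.0/24")    # a second FIP-range network


class TenantRouter:
    """Hypothetical model of a tenant router with several FIP-range networks."""

    def __init__(self):
        # (tenant fixed IP, FIP-range network) -> floating IP on that network
        self.fips = {}

    def associate(self, fixed_ip, fip_net, floating_ip):
        fip = ipaddress.ip_address(floating_ip)
        if fip not in fip_net:
            raise ValueError(f"{fip} is outside FIP range {fip_net}")
        self.fips[(ipaddress.ip_address(fixed_ip), fip_net)] = fip

    def snat_source(self, fixed_ip, dst_ip):
        """Return the source address the destination sees, chosen by its subnet."""
        src = ipaddress.ip_address(fixed_ip)
        dst = ipaddress.ip_address(dst_ip)
        for (fixed, net), fip in self.fips.items():
            if fixed == src and dst in net:
                return fip
        return None  # no FIP on the destination's network, so no NAT towards it


def share_access_allowed(acl, seen_source):
    """Storage backend check: an IP-based rule on the address it actually sees."""
    return seen_source is not None and seen_source in acl


def demo():
    tenant_a, tenant_b = TenantRouter(), TenantRouter()
    # Both tenants use the same private address: overlapping ranges.
    tenant_a.associate("10.0.0.5", STORAGE_NET, "172.20.0.11")
    tenant_a.associate("10.0.0.5", OTHER_NET, "172.21.0.11")
    tenant_b.associate("10.0.0.5", STORAGE_NET, "172.20.0.12")
    acl = {ipaddress.ip_address("172.20.0.11")}  # share granted to tenant A only
    nas = "172.20.0.200"  # constructed storage backend address
    seen_a = tenant_a.snat_source("10.0.0.5", nas)
    seen_b = tenant_b.snat_source("10.0.0.5", nas)
    return seen_a, seen_b, share_access_allowed(acl, seen_a), share_access_allowed(acl, seen_b)
```

`demo()` returns the two translated source addresses and the two authorization results; only tenant A's storage-network floating IP matches the share's access rule.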

