yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2060916] [NEW] [RFE] Add 'trusted_vif' field to the port attributes

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Slawek Kaplonski <2060916@xxxxxxxxxxxxxxxxxx>
Date: Thu, 11 Apr 2024 07:22:57 -0000
Reply-to: Bug 2060916 <2060916@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

Currently 'trusted=true' can be passed to Neutron by admin user through
the port's "binding:profile" field but this field originally was
intended to be used only for the machine-machine communication, and not
to be used by any cloud user. There is even info about that in the api-
ref:

"A dictionary that enables the application running on the specific host
to pass and receive vif port information specific to the networking
back-end. This field is only meant for machine-machine communication for
compute services like Nova, Ironic or Zun to pass information to a
Neutron back-end. It should not be used by multiple services
concurrently or by cloud end users. The existing counterexamples
(capabilities: [switchdev] for Open vSwitch hardware offload and
trusted=true for Trusted Virtual Functions) are due to be cleaned up.
The networking API does not define a specific format of this field. ..."


This will be even worst with the new S-RBAC policies where "binding:profile" field is allowed to be changed only for the SERVICE role users, not even for admins.

So this small RFE is proposal to add new API extension which will add
field, like "trusted_vif" to the port object. This field would be then
accesible for ADMIN role users in the Secure-RBAC policies.

** Affects: neutron
     Importance: Wishlist
     Assignee: Slawek Kaplonski (slaweq)
         Status: New


** Tags: rfe

** Changed in: neutron
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2060916

Title:
  [RFE] Add 'trusted_vif' field to the port attributes

Status in neutron:
  New

Bug description:
  Currently 'trusted=true' can be passed to Neutron by admin user
  through the port's "binding:profile" field but this field originally
  was intended to be used only for the machine-machine communication,
  and not to be used by any cloud user. There is even info about that in
  the api-ref:

  "A dictionary that enables the application running on the specific
  host to pass and receive vif port information specific to the
  networking back-end. This field is only meant for machine-machine
  communication for compute services like Nova, Ironic or Zun to pass
  information to a Neutron back-end. It should not be used by multiple
  services concurrently or by cloud end users. The existing
  counterexamples (capabilities: [switchdev] for Open vSwitch hardware
  offload and trusted=true for Trusted Virtual Functions) are due to be
  cleaned up. The networking API does not define a specific format of
  this field. ..."

  
  This will be even worst with the new S-RBAC policies where "binding:profile" field is allowed to be changed only for the SERVICE role users, not even for admins.

  So this small RFE is proposal to add new API extension which will add
  field, like "trusted_vif" to the port object. This field would be then
  accesible for ADMIN role users in the Secure-RBAC policies.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2060916/+subscriptions

Follow ups

[Bug 2060916] Re: [RFE] Add 'trusted_vif' field to the port attributes
From: OpenStack Infra, 2024-09-06