specification for securitygroup extension support for nuage plugin
Change-Id: I68c6db2eb6c874ee36eb84387cdc3b67f80f02dd
114
specs/juno/securitygroup-ext-for-nuage-plugin.rst
Normal file
@@ -0,0 +1,114 @@
=================================================
SecurityGroup Extension support for Nuage Plugin
=================================================
https://blueprints.launchpad.net/neutron/+spec/securitygroup-ext-for-nuage-plugin
Adding securitygroup extension support to existing nuage networks' Plugin
Problem description
===================
Current Nuage Plugin does not support Neutron's securitygroup extension.
Nuage's VSP supports this feature and the support for extension needs
to be added in the plugin code.
Proposed change
===============
Adding extension support code in Nuage plugin.
Alternatives
------------
None
Data model impact
-----------------
Existing securitygroup tables in neutron will be supported.
REST API impact
---------------
None
Security impact
---------------
None
Notifications impact
--------------------
None
Other end user impact
---------------------
None
Performance Impact
------------------
None
Other deployer impact
---------------------
None
Developer impact
----------------
None
Implementation
==============
VSP's securitygroup equivalent object's scope is either per router or per subnet.
Where Neutron's is per tenant. Because of this, the mapping between
neutron and VSP resource always happens at the port create or update time; such
that port's router/subnet is known and thus sg attachment point in VSP is known.
Following workflow can be imagined:
1) neutron security-group-create sg1
No-op from VSP point of view
2) neutron security-group-rule-create --direction ingress --protocol tcp --port_range_min 80 --port_range_max 80 <sg-id>
No-op from VSP point of view
3a) neutron port-create 9d0b9f4a-1a72-4c17-a538-06ee7501d185 --name sub1 --security-group 8eb7ee8e-6d15-4a0d-b13a-0affeba438ae
3b) neutron port-update 71083f7d-1450-4bee-9c40-728b7ffd2876 --security-group c6c08246-bad7-4d82-a0ad-4a42327c9516
If this is the first port getting attached to that security-group,
this is where corresponding vport-tag (for sg) and rules (for sg-rules) are created on VSP.
Subsequent port-create/update for this sg will simply increment counter and add value to vport to vporttag
mapping.
Similarly, when the last port attached to this group is deleted, the vport-tag(sg) and the rules(vptag rules)
will be deleted.
CRUD operation on securitygroup will be supported in normal fashion.
Assignee(s)
-----------
Ronak Shah
Primary assignee:
ronak-malav-shah
Other contributors:
divya.hc
Work Items
----------
Extension code in Nuage plugin
Nuage Unit tests addition
Nuage CI coverage addition
Dependencies
============
None
Testing
=======
Unit Test coverage for security-group extension within Nuage unit test
Nuage CI will be modified to start supporting this extension tests
Documentation Impact
====================
None
References
==========
None
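
Review bot: The "Security impact" section says None, but the Implementation section defers creating the VSP vport-tag and rules until the first port is attached and deletes them when the last attached port is deleted, so this spec changes when and where security group rules take effect. Please state there what happens if the VSP-side creation fails during port-create or port-update (the port operation should fail rather than leave a port without its rules), and how a security-group-rule-create against a group that already has attached ports reaches VSP, since step 2 is described only as a no-op. The counter mentioned under step 3 also needs a home: "Data model impact" lists only the existing Neutron tables, and because the VSP object is scoped per router or per subnet while the Neutron group is per tenant, the count has to be kept per attachment point and stay correct when a first attach and a last delete happen concurrently. The Testing section should name unit tests for those cases.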