The code has changed the naming of some Group Based Policy constructs. Update the specication to match the latest code patches. Change-Id: Ie283403f962fa5d081f62c16dc35da25a640ceae
37 KiB
Group-based Policy Abstractions for Neutron
Launchpad blueprint:
https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
This blueprint proposes an extension to the Neutron API with a declarative policy driven connectivity model that presents simplified application-oriented interfaces to the user.
Problem description
The current Neutron model of networks, ports, subnets, routers, and security groups provides the necessary building blocks to build a logical network topology for connectivity. However, it does not provide the right level of abstraction for an application administrator who understands the application's details (like application port numbers), but not the infrastructure details likes networks and routes. Not only that, the current abstraction puts the burden of maintaining the consistency of the network topology on the user. The lack of application developer/administrator focussed abstractions supported by a declarative model make it hard for those users to consume Neutron as a connectivity layer.
Proposed change
The policy framework described in this blueprint complements the current Neutron model with the notion of policies that can be applied between groups of endpoints. As users look beyond basic connectivity, richer network services with diverse implementations and network properties are naturally expressed as policies. Examples include service chaining, QoS, path properties, access control, etc.
This proposal suggests a model that allows application administrators to express their networking requirements using group and policy abstractions, with the specifics of policy enforcement and implementation left to the underlying policy driver. The main advantage of the extensions described in this blueprint is that they allow for an application-centric interface to Neutron that complements the existing network-centric interface.
More specifically the new abstractions will achieve the following:
- Show clear separation of concerns between application and
infrastructure administrator.
- The application administrator can then deal with a higher level abstraction that does not concern itself with networking specifics like networks/routers/etc.
- The infrastructure administrator will deal with infrastructure specific policy abstractions and not have to understand application specific concerns like specific ports that have been opened or which of them expect to be limited to secure or insecure traffic. The infrastructure admin will also have ability to direct which technologies and approaches used in rendering. For example, if VLAN or VxLAN is used.
- Allow the infrastructure admin to introduce connectivity constraints without the application administrator having to be aware of it (e.g. audit all traffic between two application tiers).
- Allow for independent provider/consumer model with late binding and n-to-m relationships between them.
- Allow for automatic orchestration that can respond to changes in policy or infrastructure without requiring human interaction to translate intent to specific actions.
- Complement the governance model proposed in the OpenStack Congress project by making Policy Labels available for enforcement.
The following new terminology is being introduced:
Endpoint (EP): An L2/L3 addressable entity.
Endpoint Group (EPG): A collection of endpoints.
Contract: It defines how the application services provided by an EPG can be accessed. In effect it specifies how an EPG communicates with other EPGs. A Contract consists of Policy Rules.
Policy Rule: These are individual rules used to define the communication criteria between EPGs. Each rule contains a Filter, Classifier, and Action.
Classifier: Characterizes the traffic that a particular Policy Rule acts on. Corresponding action is taken on traffic that satisfies this classification criteria.
Action: The action that is taken for a matching Policy Rule defined in a Contract.
Filter: Provides a way to tag a Policy Rule with Capability and Role labels.
Capability: It is a Policy Label that defines what part of a Contract a particular EPG provides.
Role: It is a Policy Label that defines what part of a Contract an EPG wants to consume.
Contract Scope: An EPG conveys its intent to provide or consume a Contract (or its part) by defining a Contract Scope which references the target Contract.
Selector: A Contract Scope can define additional constraints around choosing the matching provider or consumer EPGs for a Contract via a Selector.
Policy Labels: These are labels contained within a namespace hierarchy and used to define Capability and Role tags used in Filters.
Bridge Domain: Used to define a L2 boundary and impose additional constraints (such as no broadcast) within that L2 boundary.
Routing Domain: Used to define a non-overlapping IP address space.
Here is an example of how a three tier application would look like:
+–––––––––+ +–––––––+ +–––––––+ +–––––––+
| | | Web | | App | |DB |
| Outside | | EPG | | EPG | |EPG |
| Public | +––––––––+ +––+ | +––––––––+ +––+ | +––––––––+ +––+ |
| Network +–+Web | |VM| +–+App | |VM| +–+DB | |VM| |
| EPG | |Contract| +––+ | |Contract| +––+ | |Contract| +––+ |
| | +––––––––+ | +––––––––+ | +––––––––+ |
| | | +––+ | | +––+ | | +––+ |
| | | |VM| | | |VM| | | |VM| |
| | | +––+ | | +––+ | | +––+ |
+–––––––––+ +–––––––+ +–––––––+ +–––––––+
Example CLI:
(exmaple only shows access to the Web Server Tier from the Outside Network)
Create Classifier
neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP
--direction IN
Create Contract using the Classifier
neutron contract-create Web-Server-Contract --classifier Insecure-Web-Access
--action ALLOW
Create EPG providing the Contract
neutron epg-create Web-Server-EPG --provides-contract Web-Server-Contract
Create Endpoint in EPG
neutron ep-create --epg Web-Server-EPG
Launch Web Server VM using Endpoint in EPG
nova boot --image cirros --flavor m1.nano --nic port-id=<EP-NAME> Web-Server
Specify connectivity of Outside world VMs to Web Server
neutron epg-create Outside-EPG --consumes-contract Web-Server-Contract
Note that the Contract Provider/Consuming Scopes are not explicitly shown in the above diagram but define each providing and consuming relation between an EPG and a Contract as shown below:
+––––––––––+
|Web |
|Contract |
|Consuming |
|Scope |
+–––+––––––+
+–––––––––+ | +––––––––––+
| | | | Web |
| Outside | | | EPG |
| Public | | +––––––––+ | +––+ |
| Network +–+–+Web +––+–+ |VM|EP |
| EPG | |Contract| | | +––+ |
| | +––––––––+ | | |
| | | | +––+ |
| | | | |VM|EP |
| | | | +––+ |
+–––––––––+ | | |
| +––––––––––+
+
+––––+–––––+
|Web |
|Contract |
|Providing |
|Scope |
+––––––––––+
Alternatives
Since a new level of abstraction is being proposed here, a direct alternate does not exist in the current model.
Data model impact
New Database Objects to support Group Policy:
+–––––––––––––+ +–––––––––––––––+ +–––––––––––+
| | | Contract | |Contracts |
| Endpoint | | Providing/ | | |
| Groups +–––––+ Consuming +––––––+ |
| | | Scopes | +–––––+–––––+
+––––––+––––––+ +–––––––––––––––+ |
| +–––––+–––––+
| |Policy |
+––––––+––––––+ |Rules |
| | | |
| Endpoints | +–––––+––––––+––––+––––––––+
| | | | |
+–––––––––––––+ | | |
| | |
+–––––+––+ +––––––+–––––+ +–––––+––+
|Filters | |Classifiers | |Actions |
| | | | | |
+––––––––+ +––––––––––––+ +––––––––+
- All objects have the following common attributes:
-
- id - standard object uuid
- name - optional name
- description - optional annotation
- Endpoint
-
- epg_id - UUID of the EndpointGroup (EPG) that this Endpoint (EP) belongs to
- EndpointGroup
-
- endpoints - list of endpoint uuids
- contract_providing_scopes - list of ContractProvidingScope uuids
- contract_consuming_scopes - list of ContractConsumingScope uuids
- Contract
-
- policy_rules - ordered list of PolicyRule uuids
- contract_providing_scopes - list of ContractProvidingScope uuids
- contract_consuming_scopes - list of ContractConsumingScope uuids
- child_contracts - ordered list of Contract uuids
- ContractProvidingScope
-
- contract_id - uuid of the Contract that is being provided by the EPG
- selectors - list of Selectors uuids
- capabilites - list of PolicyLabel uuids
- providing_epg - EndpointGroup uuid
- ContractConsumingScope
-
- contract_id - uuid of the Contract that is being consumed by the EPG
- selectors - list of Selectors uuids
- roles - list of PolicyLabels
- consuming_epg - EndpointGroup uuid
- Selector
-
- scope - enum: GLOBAL, TENANT, EPG
- value - None for GLOBAL, or uuid of tenant/EPG
- PolicyLabel
-
- namespace - string, a namespace identifier for policy labels
- name - string, not optional
- PolicyRule
-
- filter - uuid of Filter
- classifier - uuid of Classifier
- actions - list of Action uuids
- Filter
-
- provider_capablilities - list of PolicyLabel uuids
- consumer_roles - list of PolicyLabel uuids
- Classifier
-
- protocol - enum: TCP, IP, ICMP
- port_range - single port number or range (as used in FWaaS firewall_rule)
- direction - enum: IN, OUT, BI
- Action
-
- type - enum: ALLOW, REDIRECT, QOS, LOG, MARK, COPY
- value - uuid of a resource that performs the action, for example in the case of REDIRECT, its the uuid of the ServiceWrapper
- ServiceWrapper
-
- neutron_service - uuid of service or service_chain
- L2Policy
-
- endpoint_groups - list of EndpointGroup uuids
- l3_policy_id - uuid of the l3_policy
- L3Policy
-
- l2_policies - list of L2Policy uuids
- ip_version - enum, v4 or v6
- ip_pool - string, IPSubnet with mask, used to pull subnets from if the user creates an EPG without specifying a subnet
- default_subnet_prefix_length - int, used as the default subnet length if the user creates an EPG without a subnet
The way ip_pool and default_subnet_prefix_length work is as follows: When creating L3Policy a default ip_pool and default_subnet_prefix_length are created. If a user creates an EPG, a subnet will be pulled from ip_pool using default_subnet_prefix_length.
Objects to support Mapping to existing Neutron resources
- EndpointPortBinding (extends Endpoint)
-
- neutron_port_id - uuid of Neutron Port that this EP maps to
- EndpointGroupNetworkBinding (extends EndpointGroup)
-
- neutron_subnets - list of Neutron Subnet uuids
- L2PolicyBinding (extends l2_policy)
-
- neutron_network_id - reference to a Neutron network
- L3PolicyBinding (extends l3_policy)
-
- neutron_routers - list of Neutron Router uuids
Appropriate foreign key constraints will be added to maintain the referential integrity of the model.
Database migrations: New tables are being added to the schema, however the existing schema remains unchanged.
REST API impact
The following new resources are being introduced:
= [None, 'ALLOW', 'REDIRECT']
gp_supported_actions = [None, 'IN', 'OUT', 'BI']
gp_supported_directions = [None, 'TCP', 'UDP', 'ICMP']
gp_supported_protocols = [None, 'GLOBAL', 'TENANT', 'EPG']
gp_supported_scopes
= 'endpoints'
ENDPOINTS = 'endpoint_groups'
ENDPOINT_GROUPS = 'contracts'
CONTRACTS = 'contract_providing_scopes'
CONTRACT_PROVIDING_SCOPES = 'contract_consuming_scopes'
CONTRACT_CONSUMING_SCOPES = 'policy_rules'
POLICY_RULES = 'filters'
FILTERS = 'classifiers'
CLASSIFIERS = 'actions'
ACTIONS = 'selectors'
SELECTORS = 'policy_labels'
POLICY_LABELS = 'l2_policies'
L2_POLICIES = 'l3_policies'
L3_POLICIES
= {
RESOURCE_ATTRIBUTE_MAP
ENDPOINTS: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None}, 'is_visible': True,
'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None}, 'default': '',
'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True, 'is_visible': True},
'endpointgroup_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid__or_none': None},
'required': True, 'is_visible': True},
},
ENDPOINT_GROUPS: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None}, 'is_visible': True,
'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'default': '', 'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True, 'is_visible': True},
'endpoints': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list,
'default': None, 'is_visible': True},
'bridge_domain_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None},
'default': None, 'is_visible': True},
'provided_contract_scopes': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None},
'convert_to':
attr.convert_none_to_empty_list,'default': None, 'is_visible': True},
'consumed_contract_scopes': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None},
'convert_to':
attr.convert_none_to_empty_list,'default': None, 'is_visible': True},
},
CONTRACTS: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True,
'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'default': '',
'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True,
'is_visible': True},
'child_contracts': {'allow_post': True, 'allow_put': True,
'default': None,
'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list,
'required': True, 'is_visible': True},
'policy_rules': {'allow_post': True, 'allow_put': True,
'default': None,
'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list,
'required': True, 'is_visible': True},
},
CONTRACT_PROVIDING_SCOPES: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True,
'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'default': '',
'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True,
'is_visible': True},
'endpointgroup_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid': None},
'required': True, 'is_visible': True},
'contract_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid': None},
'required': True, 'is_visible': True},
'selector_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None},
'required': True, 'is_visible': True},
'capabilities': {'allow_post': True, 'allow_put': True,
'default': None,
'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list,
'required': True, 'is_visible': True},
},
CONTRACT_CONSUMING_SCOPES: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True, 'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'default': '',
'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True,
'is_visible': True},
'endpointgroup_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid': None},
'required': True, 'is_visible': True},
'contract_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid': None},
'required': True, 'is_visible': True},
'selector_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None},
'required': True, 'is_visible': True},
'roles': {'allow_post': True, 'allow_put': True,
'default': None,
'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list,
'required': True, 'is_visible': True},
},
POLICY_RULES: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True, 'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'default': '', 'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True,
'is_visible': True},
'enabled': {'allow_post': True, 'allow_put': True,
'default': True, 'convert_to': attr.convert_to_boolean,
'is_visible': True},
'filter_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None},
'required': True, 'is_visible': True},
'classifier_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid': None},
'required': True, 'is_visible': True},
'actions': {'allow_post': True, 'allow_put': True,
'default': None,
'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list,
'required': True, 'is_visible': True},
},
FILTERS: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True, 'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'default': '', 'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True,
'is_visible': True},
'provider_capabilities': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None},
'convert_to':
attr.convert_none_to_empty_list,'required': True, 'is_visible': True},
'consumer_roles': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list,
'required': True, 'is_visible': True},
},
CLASSIFIERS: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True, 'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'default': '', 'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True,
'is_visible': True},
'protocol': {'allow_post': True, 'allow_put': True,
'is_visible': True, 'default': None,
'convert_to': convert_protocol,
'validate': {'type:values': gp_supported_protocols}},
'port_range': {'allow_post': True, 'allow_put': True,
'validate': {'type:port_range': None},
'convert_to': convert_port_to_string,
'default': None, 'is_visible': True},
'direction': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': gp_supported_directions},
'default': None, 'is_visible': True},
},
ACTIONS: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True,
'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'default': '', 'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True,
'is_visible': True},
'action_type': {'allow_post': True, 'allow_put': True,
'convert_to': convert_action_to_case_insensitive,
'validate': {'type:values': gp_supported_actions},
'is_visible': True, 'default': 'allow'},
'action_value': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None},
'is_visible': True},
},
SELECTORS: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True,
'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'default': '', 'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True,
'is_visible': True},
'scope': {'allow_post': True, 'allow_put': True,
'convert_to': convert_scope_to_case_insensitive,
'validate': {'type:values': gp_supported_scopes},
'is_visible': True, 'default': 'tenant'},
'value': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None},
'is_visible': True},
},
POLICY_LABELS: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True,
'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'default': '', 'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True,
'is_visible': True},
'namespace': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'required': True},
},
L2_POLICIES: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None}, 'is_visible': True,
'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'default': '', 'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True, 'is_visible': True},
'endpoint_groups': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list,
'default': None, 'is_visible': True},
'routing_domain_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None},
'default': None, 'is_visible': True,
'required': True},
},
L3_POLICIES: {'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None}, 'is_visible': True,
'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'default': '', 'is_visible': True},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': None},
'is_visible': True, 'default': ''},
'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None},
'required_by_policy': True, 'is_visible': True},
'ip_version': {'allow_post': True, 'allow_put': False,
'convert_to': attr.convert_to_int,
'validate': {'type:values': [4, 6]},
'is_visible': True},
'ip_pool': {'allow_post': True, 'allow_put': False,
'validate': {'type:subnet': None},
'default': '10.0.0.0/8', 'is_visible': True},
'default_subnet_prefix_length': {'allow_post': True, 'allow_put': True,
'convert_to': attr.convert_to_int,
'validate': {
# ipv4 specific validation is
# performed in the plugin code.
'type:values': range(1, 127)},
'default': 24, 'is_visible': True},
'l2_policies': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list,
'default': None, 'is_visible': True},
}, }
The following defines the mapping to classical (existing) Neutron resources using attribute extension:
= {
EXTENDED_ATTRIBUTES_2_0
gpolicy.ENDPOINTS: {'neutron_port_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:uuid_or_none': None},
'is_visible': True, 'default': None},
},
gpolicy.ENDPOINT_GROUPS: {'neutron_subnets': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list,
'default': None, 'is_visible': True},
},
gpolicy.L2_POLICIES: {'neutron_network_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:uuid_or_none': None},
'is_visible': True, 'default': None},
},
gpolicy.L3_POLICIES: {'neutron_routers': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list,
'default': None, 'is_visible': True},
}, }
Security impact
The connectivity model used here is consistent with OpenStack/Neutron's current white list model - that is, there is no connectivity outside an EPG unless explicitly allowed.
The rendering of the proposed new abstractions happens via existing Security Groups and Firewall as a Service constructs. As such, no new constructs or implementation that will directly affect the current security framework are being introduced.
Does this change touch sensitive data such as tokens, keys, or user data?
No
Does this change alter the API in a way that may impact security, such as a new way to access sensitive information or a new way to login?
No
Does this change involve cryptography or hashing?
No
Does this change require the use of sudo or any elevated privileges?
No
Does this change involve using or parsing user-provided data? This could be directly at the API level or indirectly such as changes to a cache layer.
No
Can this change enable a resource exhaustion attack, such as allowing a single API interaction to consume significant server resources? Some examples of this include launching subprocesses for each connection, or entity expansion attacks in XML.
The exposed risk here is no different from the existing APIs and would largely depend on the Policy Driver implementation.
Notifications impact
None
Other end user impact
Integration with following projects will be required:
- python-neutronclient
- horizon
- heat
- devstack
Performance Impact
A new layer of abstraction is being introduced. All performance considerations that are relevant to existing Neutron will apply and be taken into consideration during the implementation. It should be noted though that the use of this new layer of abstraction/extensions is optional, and as such will not affect the performance of the existing implementation if the former is not used.
Other deployer impact
- Config additions
- Policy Plugin class
- Policy Plugin driver class
Developer impact
This will be a new API, and will not affect existing API.
Implementation
Assignee(s)
Sumit Naiksatam (snaiksat) - Launchpad blueprint assignee
Robert Kukura (rkukura)
Mandeep Dhami (mandeep-dhami)
Mohammad Banikazemi (banix)
Stephen Wong (s3wong)
Prasad Vellanki (prasad-vellanki)
Hemanth Ravi (hemanth-ravi)
Subrahmanyam Ongole (osms69)
Ronak Shah (ronak-malav-shah)
Rudra Rugge (rudrarugge)
Kanzhe Jiang (kanzhe-jiang)
Kevin Benton (kevinbenton)
Work Items
Policy Manager Policy Driver
Dependencies
None
Testing
Both, functional and, system tests will be added.
Documentation Impact
Both, API and, Admin guide will be updated.
References
- Weekly IRC meetings wherein this blueprint has been discussed since Nov 2013
- Group Policy Wiki - https://wiki.openstack.org/wiki/Neutron/GroupPolicy