share servicechain objects
implements blueprint share-servicechain-objects Change-Id: Ie63dd4813a9c1bec857b5c5ba363c5c0abad94b7
parent
de694f7164
commit
e24fb015a6
@ -8,9 +8,10 @@
|
|||||||
Introduce globally shared resources
|
Introduce globally shared resources
|
||||||
===================================
|
===================================
|
||||||
|
|
||||||
Launchpad blueprint:
|
Launchpad blueprints:
|
||||||
|
|
||||||
https://blueprints.launchpad.net/group-based-policy/+spec/introduce-shared-attribute
|
https://blueprints.launchpad.net/group-based-policy/+spec/introduce-shared-attribute
|
||||||
|
https://blueprints.launchpad.net/group-based-policy/+spec/share-servicechain-objects
|
||||||
|
|
||||||
Today, it's not possible to create shared GBP resources.
|
Today, it's not possible to create shared GBP resources.
|
||||||
This is especially useful in order to avoid duplication of policies
|
This is especially useful in order to avoid duplication of policies
|
||||||
@ -41,8 +42,10 @@ following GBP resources:
|
|||||||
- L3 Policies;
|
- L3 Policies;
|
||||||
- Network Service policies;
|
- Network Service policies;
|
||||||
- Policy Rules;
|
- Policy Rules;
|
||||||
- Policy Classifiers.
|
- Policy Classifiers;
|
||||||
- Policy Actions.
|
- Policy Actions;
|
||||||
|
- Service Chain Nodes;
|
||||||
|
- Service Chain Specs.
|
||||||
|
|
||||||
The behavior will be consistent with Neutron's already existing
|
The behavior will be consistent with Neutron's already existing
|
||||||
sharing policy. Which means that a given resource can be either
|
sharing policy. Which means that a given resource can be either
|
||||||
@ -74,47 +77,89 @@ The proposed default policy.json follows::
|
|||||||
"admin_only": "rule:context_is_admin",
|
"admin_only": "rule:context_is_admin",
|
||||||
"regular_user": "",
|
"regular_user": "",
|
||||||
"default": "rule:admin_or_owner",
|
"default": "rule:admin_or_owner",
|
||||||
"gbp_shared": "field:policy_target_groups:shared=True",
|
"shared_ptg": "field:policy_target_groups:shared=True",
|
||||||
|
"shared_pt": "field:policy_targets:shared=True",
|
||||||
|
"shared_prs": "field:policy_rule_sets:shared=True",
|
||||||
|
"shared_l3p": "field:l3_policies:shared=True",
|
||||||
|
"shared_l2p": "field:l2_policies:shared=True",
|
||||||
|
"shared_es": "field:external_segments:shared=True",
|
||||||
|
"shared_ep": "field:external_policies:shared=True",
|
||||||
|
"shared_pc": "field:policy_classifiers:shared=True",
|
||||||
|
"shared_pa": "field:policy_actions:shared=True",
|
||||||
|
"shared_pr": "field:policy_rules:shared=True",
|
||||||
|
"shared_np": "field:nat_pools:shared=True",
|
||||||
|
"shared_nsp": "field:network_service_policies:shared=True",
|
||||||
|
"shared_scn": "field:servicechain_nodes:shared=True",
|
||||||
|
"shared_scs": "field:servicechain_specs:shared=True",
|
||||||
|
|
||||||
"create_policy_target_group": "",
|
"create_policy_target_group": "",
|
||||||
"create_policy_target_group:shared": "rule:admin_only",
|
"create_policy_target_group:shared": "rule:admin_only",
|
||||||
"get_policy_target_group": "rule:admin_or_owner or rule:gbp_shared",
|
"get_policy_target_group": "rule:admin_or_owner or rule:shared_ptg",
|
||||||
"update_policy_target_group:shared": "rule:admin_only",
|
"update_policy_target_group:shared": "rule:admin_only",
|
||||||
|
|
||||||
"create_l2_policy": "",
|
"create_l2_policy": "",
|
||||||
"create_l2_policy:shared": "rule:admin_only",
|
"create_l2_policy:shared": "rule:admin_only",
|
||||||
"get_l2_policy": "rule:admin_or_owner or rule:gbp_shared",
|
"get_l2_policy": "rule:admin_or_owner or rule:shared_l2p",
|
||||||
"update_l2_policy:shared": "rule:admin_only",
|
"update_l2_policy:shared": "rule:admin_only",
|
||||||
|
|
||||||
"create_l3_policy": "",
|
"create_l3_policy": "",
|
||||||
"create_l3_policy:shared": "rule:admin_only",
|
"create_l3_policy:shared": "rule:admin_only",
|
||||||
"get_l3_policy": "rule:admin_or_owner or rule:gbp_shared",
|
"get_l3_policy": "rule:admin_or_owner or rule:shared_l3p",
|
||||||
"update_l3_policy:shared": "rule:admin_only",
|
"update_l3_policy:shared": "rule:admin_only",
|
||||||
|
|
||||||
"create_policy_classifier": "",
|
"create_policy_classifier": "",
|
||||||
"create_policy_classifier:shared": "rule:admin_only",
|
"create_policy_classifier:shared": "rule:admin_only",
|
||||||
"get_policy_classifier": "rule:admin_or_owner or rule:gbp_shared",
|
"get_policy_classifier": "rule:admin_or_owner or rule:shared_pc",
|
||||||
"update_policy_classifier:shared": "rule:admin_only",
|
"update_policy_classifier:shared": "rule:admin_only",
|
||||||
|
|
||||||
"create_policy_action": "",
|
"create_policy_action": "",
|
||||||
"create_policy_action:shared": "rule:admin_only",
|
"create_policy_action:shared": "rule:admin_only",
|
||||||
"get_policy_action": "rule:admin_or_owner or rule:gbp_shared",
|
"get_policy_action": "rule:admin_or_owner or rule:shared_pa",
|
||||||
"update_policy_action:shared": "rule:admin_only",
|
"update_policy_action:shared": "rule:admin_only",
|
||||||
|
|
||||||
"create_policy_rule": "",
|
"create_policy_rule": "",
|
||||||
"create_policy_rule:shared": "rule:admin_only",
|
"create_policy_rule:shared": "rule:admin_only",
|
||||||
"get_policy_rule": "rule:admin_or_owner or rule:gbp_shared",
|
"get_policy_rule": "rule:admin_or_owner or rule:shared_pr",
|
||||||
"update_policy_rule:shared": "rule:admin_only",
|
"update_policy_rule:shared": "rule:admin_only",
|
||||||
|
|
||||||
"create_policy_rule_set": "",
|
"create_policy_rule_set": "",
|
||||||
"create_policy_rule_set:shared": "rule:admin_only",
|
"create_policy_rule_set:shared": "rule:admin_only",
|
||||||
"get_policy_rule_set": "rule:admin_or_owner or rule:gbp_shared",
|
"get_policy_rule_set": "rule:admin_or_owner or rule:shared_prs",
|
||||||
"update_policy_rule_set:shared": "rule:admin_only",
|
"update_policy_rule_set:shared": "rule:admin_only",
|
||||||
|
|
||||||
"create_network_service_policy": "",
|
"create_network_service_policy": "",
|
||||||
"create_network_service_policy:shared": "rule:admin_only",
|
"create_network_service_policy:shared": "rule:admin_only",
|
||||||
"get_network_service_policy": "rule:admin_or_owner or rule:gbp_shared",
|
"get_network_service_policy": "rule:admin_or_owner or rule:shared_nsp",
|
||||||
"update_network_service_policy:shared": "rule:admin_only"
|
"update_network_service_policy:shared": "rule:admin_only",
|
||||||
|
|
||||||
|
"create_external_segment": "",
|
||||||
|
"create_external_segment:shared": "rule:admin_only",
|
||||||
|
"get_external_segment": "rule:admin_or_owner or rule:shared_es",
|
||||||
|
"update_external_segment:shared": "rule:admin_only",
|
||||||
|
|
||||||
|
"create_external_policy": "",
|
||||||
|
"create_external_policy:shared": "rule:admin_only",
|
||||||
|
"get_external_policy": "rule:admin_or_owner or rule:shared_ep",
|
||||||
|
"update_external_policy:shared": "rule:admin_only",
|
||||||
|
|
||||||
|
"create_nat_pool": "",
|
||||||
|
"create_nat_pool:shared": "rule:admin_only",
|
||||||
|
"get_nat_pool": "rule:admin_or_owner or rule:shared_np",
|
||||||
|
"update_nat_pool:shared": "rule:admin_only",
|
||||||
|
|
||||||
|
"create_servicechain_node": "",
|
||||||
|
"create_servicechain_node:shared": "rule:admin_only",
|
||||||
|
"get_servicechain_node": "rule:admin_or_owner or rule:shared_scn",
|
||||||
|
"update_servicechain_node:shared": "rule:admin_only",
|
||||||
|
|
||||||
|
"create_servicechain_spec": "",
|
||||||
|
"create_servicechain_spec:shared": "rule:admin_only",
|
||||||
|
"get_servicechain_spec": "rule:admin_or_owner or rule:shared_scs",
|
||||||
|
"update_servicechain_spec:shared": "rule:admin_only",
|
||||||
|
|
||||||
|
"create_servicechain_instance": "",
|
||||||
|
"get_servicechain_instance": "rule:admin_or_owner",
|
||||||
|
"update_servicechain_instance:shared": "rule:admin_only"
|
||||||
}
|
}
|
||||||
|
|
||||||
Any datapath impact caused by a shared resource has to be
|
Any datapath impact caused by a shared resource has to be
|
||||||
@ -128,7 +173,9 @@ following resources:
|
|||||||
- PTG: usable by any tenant when shared for PT placement;
|
- PTG: usable by any tenant when shared for PT placement;
|
||||||
- Policy Classifiers: usable by any tenant when shared;
|
- Policy Classifiers: usable by any tenant when shared;
|
||||||
- Policy Actions: usable by any tenant when shared;
|
- Policy Actions: usable by any tenant when shared;
|
||||||
- Policy Rules: usable by any tenant when shared.
|
- Policy Rules: usable by any tenant when shared;
|
||||||
|
- Service Chain Specs: usable by any tenant when shared;
|
||||||
|
- Service Chain Nodes: usable by any tenant when shared.
|
||||||
|
|
||||||
L3 and L2 policies need to be sharable to allow PTG sharing.
|
L3 and L2 policies need to be sharable to allow PTG sharing.
|
||||||
However, no external tenant could use them because there's no
|
However, no external tenant could use them because there's no
|
||||||
|
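Review bot: At the end of the proposed policy.json block (third hunk), `update_servicechain_instance:shared` is admin-only but there is no matching `create_servicechain_instance:shared` entry, while `create_servicechain_instance` is `""`. If service chain instances expose a `shared` attribute, any tenant could presumably set it at creation time, which is exactly what the `:shared` rules on every other resource prevent; add `"create_servicechain_instance:shared": "rule:admin_only",`. If instances are not meant to be sharable (they are absent from both resource lists in this change and `get_servicechain_instance` has no shared clause), drop the `update_servicechain_instance:shared` line instead and state that in the text. Separately, `shared_pt` is defined but no visible `get_*` rule references it, and the new external segment, external policy and NAT pool rules have no counterpart in the visible part of the sharable-resource list; that list starts outside the hunk, so this should be confirmed against the full file.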