Merge "Introduce globally shared resources"
This commit is contained in: commit 4d96f6c967
236 specs/juno/introduce-shared-attribute.rst (Normal file)
@ -0,0 +1,236 @@
..
This work is licensed under a Creative Commons Attribution 3.0 Unported
License.

http://creativecommons.org/licenses/by/3.0/legalcode

===================================
Introduce globally shared resources
===================================

Launchpad blueprint:

https://blueprints.launchpad.net/group-based-policy/+spec/introduce-shared-attribute

Today, it's not possible to create shared GBP resources.
This is especially useful in order to avoid duplication of policies
among tenants.

This blueprint introduces a "shared" attribute to certain GBP resources.

Problem description
===================

In the context of concerns separation, it's very important that a user
(e.g. the admin) shares some of the resources he created in order for
different kind of users to be able to consume them.

To achieve this, the API should be able to offer a way to specify
whether a resource is shared or not. This behavior doesn't exist
in our current Group Based Policy implementation.

Proposed change
===============

This change proposes the introduction of a "shared" attribute for the
following GBP resources:

- Policy Rule Sets;
- Policy Target Groups;
- L2 Policies;
- L3 Policies;
- Network Service policies;
- Policy Rules;
- Policy Classifiers.
- Policy Actions.

The behavior will be consistent with Neutron's already existing
sharing policy. Which means that a given resource can be either
consumable by a single tenant or shared globally.
Shared resources will be modifiable only by the owner or the
admin when applied.
The Policy Target resource has been excluded from the list above
since it is intrinsically something that the user creates and
consumes for himself.

The sharing constraints are the following:

- A shared resource can only be associated with other shared
resources. For example, a shared L2_Policy can only exist on
a shared L3_Policy;
- A shared resource can be CRUD based on the
rules described by the policy.json file;
- A shared resource can't be reverted to non shared if being
used by either shared or other tenants' resources.
- Although the model provides as much flexibility as possible
(constrained by the above rules) each driver should limit
the sharing capabilities based on their own implementations.

The proposed default policy.json follows::

{
"context_is_admin": "role:admin",
"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"default": "rule:admin_or_owner",
"gbp_shared": "field:policy_target_groups:shared=True",

"create_policy_target_group": "",
"create_policy_target_group:shared": "rule:admin_only",
"get_policy_target_group": "rule:admin_or_owner or rule:gbp_shared",
"update_policy_target_group:shared": "rule:admin_only",

"create_l2_policy": "",
"create_l2_policy:shared": "rule:admin_only",
"get_l2_policy": "rule:admin_or_owner or rule:gbp_shared",
"update_l2_policy:shared": "rule:admin_only",

"create_l3_policy": "",
"create_l3_policy:shared": "rule:admin_only",
"get_l3_policy": "rule:admin_or_owner or rule:gbp_shared",
"update_l3_policy:shared": "rule:admin_only",

"create_policy_classifier": "",
"create_policy_classifier:shared": "rule:admin_only",
"get_policy_classifier": "rule:admin_or_owner or rule:gbp_shared",
"update_policy_classifier:shared": "rule:admin_only",

"create_policy_action": "",
"create_policy_action:shared": "rule:admin_only",
"get_policy_action": "rule:admin_or_owner or rule:gbp_shared",
"update_policy_action:shared": "rule:admin_only",

"create_policy_rule": "",
"create_policy_rule:shared": "rule:admin_only",
"get_policy_rule": "rule:admin_or_owner or rule:gbp_shared",
"update_policy_rule:shared": "rule:admin_only",

"create_policy_rule_set": "",
"create_policy_rule_set:shared": "rule:admin_only",
"get_policy_rule_set": "rule:admin_or_owner or rule:gbp_shared",
"update_policy_rule_set:shared": "rule:admin_only",

"create_network_service_policy": "",
"create_network_service_policy:shared": "rule:admin_only",
"get_network_service_policy": "rule:admin_or_owner or rule:gbp_shared",
"update_network_service_policy:shared": "rule:admin_only"
}

Any datapath impact caused by a shared resource has to be
defined by the driver itself.

The Neutron mapping driver refactor will include sharing of the
following resources:

- L3_Policy: only usable by the same tenant;
- L2_Policy: only usable by the same tenant;
- PTG: usable by any tenant when shared for PT placement;
- Policy Classifiers: usable by any tenant when shared;
- Policy Actions: usable by any tenant when shared;
- Policy Rules: usable by any tenant when shared.

L3 and L2 policies need to be sharable to allow PTG sharing.
However, no external tenant could use them because there's no
way today in Neutron to share a Router.
Security groups are also not sharable in Neutron, therefore
PRS is not listed above.

One use case for sharing PTG is when the could admin provides a
common management PTG to all the tenants. They could then create
multi-homed VMs and use it according to the policies.


Alternatives
------------

At this time there's no alternative proposal.

Data model impact
-----------------

A "shared" field is added to the resources listed in
the "Proposed change" section.

REST API impact
---------------

The REST API will show the "shared" attribute for the
resource listed in the "Proposed change" section.

Security impact
---------------

This blueprint has no security impact.

Notifications impact
--------------------

This blueprint has no impact on notifications.

Other end user impact
---------------------

The end user will now be able to see and consume
shared resources.

Performance Impact
------------------

This blueprint does not have significant impact on performance.

Other deployer impact
---------------------

This blueprint does not have deployment impact

Developer impact
----------------

GBP driver's developers should now be aware that some
resources could be shared among tenants and therefore
should program accordingly.

Implementation
==============

Assignee(s)
-----------

Primary assignee:
mmaleckk

Other contributors:
None

Work Items
----------

* Add resource attribute to REST API;

* Add model fields to the proper resources;

* Refactor Neutron resource mapping driver to support shared resources.

Dependencies
============

None

Testing
=======

Unit tests will be added to verify the resource visibility
and usability.

Documentation Impact
====================

Eventual GBP documentation will need to provide explanations
on how the "shared" attribute works and examples on how to
use it.

References
==========

None
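Review bot: the "Security impact" section says "This blueprint has no security impact", but this spec is largely an authorization change and that section should say so: policy.json gains an admin-only gate on the `shared` attribute (`"create_*:shared": "rule:admin_only"`, `"update_*:shared": "rule:admin_only"`), every `get_*` rule opens cross-tenant read access via `rule:gbp_shared`, and the constraints list adds the invariant that a shared resource cannot be reverted to non-shared while other tenants' resources depend on it. Deployers need those three facts to know which rules control cross-tenant visibility and which role may flip the flag. Two smaller points on the policy.json block: the single rule `"gbp_shared": "field:policy_target_groups:shared=True"` is reused in the `get_*` rule of every resource type (L2/L3 policies, classifiers, actions, rules, rule sets, network service policies), so the prefix names policy_target_groups even where the target is a classifier; either define one such rule per resource type or state explicitly that the check is meant to apply to any resource carrying a `shared` attribute. `"regular_user": ""` is defined but never referenced by any rule and can be dropped. Finally, a typo in the use-case paragraph: "could admin" should read "cloud admin".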