Merge "Introduce globally shared resources"
commit 4d96f6c967
specs/juno/introduce-shared-attribute.rst (new file, 236 lines)
@ -0,0 +1,236 @@
..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License.

 http://creativecommons.org/licenses/by/3.0/legalcode

===================================
Introduce globally shared resources
===================================

Launchpad blueprint:

https://blueprints.launchpad.net/group-based-policy/+spec/introduce-shared-attribute

Today, it's not possible to create shared GBP resources.
This is especially useful in order to avoid duplication of policies
among tenants.

This blueprint introduces a "shared" attribute to certain GBP resources.

Problem description
===================

In the context of concerns separation, it's very important that a user
(e.g. the admin) shares some of the resources he created in order for
different kind of users to be able to consume them.

To achieve this, the API should be able to offer a way to specify
whether a resource is shared or not. This behavior doesn't exist
in our current Group Based Policy implementation.

Proposed change
===============

This change proposes the introduction of a "shared" attribute for the
following GBP resources:

- Policy Rule Sets;
- Policy Target Groups;
- L2 Policies;
- L3 Policies;
- Network Service policies;
- Policy Rules;
- Policy Classifiers.
- Policy Actions.

The behavior will be consistent with Neutron's already existing
sharing policy. Which means that a given resource can be either
consumable by a single tenant or shared globally.
Shared resources will be modifiable only by the owner or the
admin when applied.
The Policy Target resource has been excluded from the list above
since it is intrinsically something that the user creates and
consumes for himself.

The sharing constraints are the following:

- A shared resource can only be associated with other shared
  resources. For example, a shared L2_Policy can only exist on
  a shared L3_Policy;
- A shared resource can be CRUD based on the
  rules described by the policy.json file;
- A shared resource can't be reverted to non shared if being
  used by either shared or other tenants' resources.
- Although the model provides as much flexibility as possible
  (constrained by the above rules) each driver should limit
  the sharing capabilities based on their own implementations.

The proposed default policy.json follows::

    {
        "context_is_admin": "role:admin",
        "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
        "admin_only": "rule:context_is_admin",
        "regular_user": "",
        "default": "rule:admin_or_owner",
        "gbp_shared": "field:policy_target_groups:shared=True",

        "create_policy_target_group": "",
        "create_policy_target_group:shared": "rule:admin_only",
        "get_policy_target_group": "rule:admin_or_owner or rule:gbp_shared",
        "update_policy_target_group:shared": "rule:admin_only",

        "create_l2_policy": "",
        "create_l2_policy:shared": "rule:admin_only",
        "get_l2_policy": "rule:admin_or_owner or rule:gbp_shared",
        "update_l2_policy:shared": "rule:admin_only",

        "create_l3_policy": "",
        "create_l3_policy:shared": "rule:admin_only",
        "get_l3_policy": "rule:admin_or_owner or rule:gbp_shared",
        "update_l3_policy:shared": "rule:admin_only",

        "create_policy_classifier": "",
        "create_policy_classifier:shared": "rule:admin_only",
        "get_policy_classifier": "rule:admin_or_owner or rule:gbp_shared",
        "update_policy_classifier:shared": "rule:admin_only",

        "create_policy_action": "",
        "create_policy_action:shared": "rule:admin_only",
        "get_policy_action": "rule:admin_or_owner or rule:gbp_shared",
        "update_policy_action:shared": "rule:admin_only",

        "create_policy_rule": "",
        "create_policy_rule:shared": "rule:admin_only",
        "get_policy_rule": "rule:admin_or_owner or rule:gbp_shared",
        "update_policy_rule:shared": "rule:admin_only",

        "create_policy_rule_set": "",
        "create_policy_rule_set:shared": "rule:admin_only",
        "get_policy_rule_set": "rule:admin_or_owner or rule:gbp_shared",
        "update_policy_rule_set:shared": "rule:admin_only",

        "create_network_service_policy": "",
        "create_network_service_policy:shared": "rule:admin_only",
        "get_network_service_policy": "rule:admin_or_owner or rule:gbp_shared",
        "update_network_service_policy:shared": "rule:admin_only"
    }

Any datapath impact caused by a shared resource has to be
defined by the driver itself.

The Neutron mapping driver refactor will include sharing of the
following resources:

- L3_Policy: only usable by the same tenant;
- L2_Policy: only usable by the same tenant;
- PTG: usable by any tenant when shared for PT placement;
- Policy Classifiers: usable by any tenant when shared;
- Policy Actions: usable by any tenant when shared;
- Policy Rules: usable by any tenant when shared.

L3 and L2 policies need to be sharable to allow PTG sharing.
However, no external tenant could use them because there's no
way today in Neutron to share a Router.
Security groups are also not sharable in Neutron, therefore
PRS is not listed above.

One use case for sharing PTG is when the could admin provides a
common management PTG to all the tenants. They could then create
multi-homed VMs and use it according to the policies.


Alternatives
------------

At this time there's no alternative proposal.

Data model impact
-----------------

A "shared" field is added to the resources listed in
the "Proposed change" section.

REST API impact
---------------

The REST API will show the "shared" attribute for the
resource listed in the "Proposed change" section.

Security impact
---------------

This blueprint has no security impact.

Notifications impact
--------------------

This blueprint has no impact on notifications.

Other end user impact
---------------------

The end user will now be able to see and consume
shared resources.

Performance Impact
------------------

This blueprint does not have significant impact on performance.

Other deployer impact
---------------------

This blueprint does not have deployment impact

Developer impact
----------------

GBP driver's developers should now be aware that some
resources could be shared among tenants and therefore
should program accordingly.

Implementation
==============

Assignee(s)
-----------

Primary assignee:
  mmaleckk

Other contributors:
  None

Work Items
----------

* Add resource attribute to REST API;

* Add model fields to the proper resources;

* Refactor Neutron resource mapping driver to support shared resources.

Dependencies
============

None

Testing
=======

Unit tests will be added to verify the resource visibility
and usability.

Documentation Impact
====================

Eventual GBP documentation will need to provide explanations
on how the "shared" attribute works and examples on how to
use it.

References
==========

None
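Review bot: The "Security impact" section says this blueprint has no security impact, but the change is an authorization change and the spec should describe it: the proposed policy.json makes every resource whose ``shared`` flag is true readable by every tenant (``"get_*": "rule:admin_or_owner or rule:gbp_shared"``), confines setting the flag to admins (``"create_*:shared"`` and ``"update_*:shared"`` are ``"rule:admin_only"``), and the constraint list forbids reverting a shared resource while other tenants' resources depend on it. Please replace "no security impact" with that model, and reconcile it with the Neutron mapping driver section, which states that shared L2_Policy and L3_Policy objects are "only usable by the same tenant" while the ``get_l2_policy`` and ``get_l3_policy`` rules above make them visible to all tenants. Two smaller points: ``"gbp_shared"`` is defined as ``field:policy_target_groups:shared=True`` yet reused in the ``get_`` rule of every other resource, so either add a per-resource rule or state in the spec that the check only inspects the target's ``shared`` attribute; and in the use-case paragraph "the could admin" should read "the cloud admin", while the "Proposed change" list mixes ``;`` and ``.`` terminators ("Policy Classifiers." followed by "Policy Actions.").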