EP, EPG, and Contract renaming and other cleanup
The following resources are being renamed as follows:

Endpoints -> Policy Targets
Endpoint Groups -> Policy Target Groups
Contracts -> Policy Rule Sets

Also fixing other inconsistencies in the spec.

Change-Id: Id483805141d8face46f1502f1fb8089d8af4d4eb
This commit is contained in:
parent
7b9c5e2c3b
commit
ea8adf50f1
@ -4,47 +4,47 @@
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
===========================================
|
||||
Group-based Policy Abstractions for Neutron
|
||||
===========================================
|
||||
==============================================
|
||||
Group-based Policy Abstractions for Networking
|
||||
==============================================
|
||||
|
||||
Launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/group-based-policy/+spec/group-based-policy-abstraction
|
||||
|
||||
This blueprint proposes an extension to the Neutron API with a declarative
|
||||
policy driven connectivity model that presents simplified application-oriented
|
||||
This blueprint proposes a networking API with a declarative policy driven
|
||||
connectivity model that presents simplified application-oriented
|
||||
interfaces to the user.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
The current Neutron model of networks, ports, subnets, routers, and security
|
||||
groups provides the necessary building blocks to build a logical network
|
||||
topology for connectivity. However, it does not provide the right level
|
||||
The current OpenStack networking model of networks, ports, subnets, routers,
|
||||
and security groups provides the necessary building blocks to build a logical
|
||||
network topology for connectivity. However, it does not provide the right level
|
||||
of abstraction for an application administrator who understands the
|
||||
application's details (like application port numbers), but not the
|
||||
infrastructure details likes networks and routes. Not only that, the current
|
||||
abstraction puts the burden of maintaining the consistency of the network
|
||||
topology on the user. The lack of application developer/administrator focussed
|
||||
abstractions supported by a declarative model make it hard for those users
|
||||
to consume Neutron as a connectivity layer.
|
||||
to consume the existing connectivity layer.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
The policy framework described in this blueprint complements the current
|
||||
Neutron model with the notion of policies that can be applied between groups of
|
||||
endpoints. As users look beyond basic connectivity, richer network services
|
||||
with diverse implementations and network properties are naturally expressed as
|
||||
policies. Examples include service chaining, QoS, path properties, access
|
||||
control, etc.
|
||||
OpenStack networking model with the notion of policies that can be applied
|
||||
between groups of network endpoints. As users look beyond basic connectivity,
|
||||
richer network services with diverse implementations and network properties are
|
||||
naturally expressed as policies. Examples include service chaining, QoS, path
|
||||
properties, access control, etc.
|
||||
|
||||
This proposal suggests a model that allows application administrators to
|
||||
express their networking requirements using group and policy abstractions, with
|
||||
the specifics of policy enforcement and implementation left to the underlying
|
||||
policy driver. The main advantage of the extensions described in this blueprint
|
||||
is that they allow for an application-centric interface to Neutron that
|
||||
is that they allow for an application-centric interface to OpenStack networking that
|
||||
complements the existing network-centric interface.
|
||||
|
||||
More specifically the new abstractions will achieve the following:
|
||||
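Review bot: two typos in the unchanged context of this hunk fall under the "other inconsistencies" the commit message says it fixes: "infrastructure details likes networks and routes" should read "like networks and routes", and "focussed" should be "focused". Also, the title and intro now drop "Neutron" in favour of "OpenStack networking" / "a networking API", but later sections still say "Objects to support Mapping to existing Neutron resources" and "OpenStack/Neutron's current white list model", and the usage examples are typed into the `neutron` client. Either state once in the intro that the API is delivered as a Neutron extension, or finish removing the name, so the document is consistent about what it is extending.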
@ -75,53 +75,54 @@ More specifically the new abstractions will achieve the following:
|
||||
specific actions.
|
||||
|
||||
* Complement the governance model proposed in the OpenStack Congress project by
|
||||
making Policy Labels available for enforcement.
|
||||
making Policy Tags available for enforcement.
|
||||
|
||||
The following new terminology is being introduced:
|
||||
|
||||
**Endpoint (EP):** An L2/L3 addressable entity.
|
||||
**Policy Target (PT):** It is the smallest unit of resource abstraction at
|
||||
which policy can be applied.
|
||||
|
||||
**Endpoint Group (EPG):** A collection of endpoints.
|
||||
**Policy Target Group (PTG):** A collection of policy targets.
|
||||
|
||||
**Contract:** It defines how the application services provided by an EPG can be
|
||||
accessed. In effect it specifies how an EPG communicates with other EPGs. A
|
||||
Contract consists of Policy Rules.
|
||||
**Policy Rule Set (PRS):** It defines how the application services provided by
|
||||
a PTG can be accessed. In effect it specifies how a PTG communicates with other
|
||||
PTGs. A Policy Rule Set consists of Policy Rules.
|
||||
|
||||
**Policy Rule:** These are individual rules used to define the communication
|
||||
criteria between EPGs. Each rule contains a Filter, Classifier, and Action.
|
||||
**Policy Rule (PR):** These are individual rules used to define the communication
|
||||
criteria between PTGs. Each rule contains a Filter, Classifier, and Action.
|
||||
|
||||
**Classifier:** Characterizes the traffic that a particular Policy Rule acts on.
|
||||
Corresponding action is taken on traffic that satisfies this classification
|
||||
criteria.
|
||||
|
||||
**Action:** The action that is taken for a matching Policy Rule defined in a
|
||||
Contract.
|
||||
Policy Rule Set.
|
||||
|
||||
**Filter:** Provides a way to tag a Policy Rule with Capability and Role labels.
|
||||
**Filter:** Provides a way to tag a Policy Rule with Capability and Role tags.
|
||||
|
||||
**Capability:** It is a Policy Label that defines what part of a Contract a
|
||||
particular EPG provides.
|
||||
**Capability:** It is a Policy Label that defines what part of a Policy Rule Set a
|
||||
particular PTG provides.
|
||||
|
||||
**Role:** It is a Policy Label that defines what part of a Contract an EPG wants
|
||||
**Role:** It is a Policy Label that defines what part of a Policy Rule Set a PTG wants
|
||||
to consume.
|
||||
|
||||
**Contract Scope:** An EPG conveys its intent to provide or consume a Contract
|
||||
(or its part) by defining a Contract Scope which references the target
|
||||
Contract.
|
||||
**Policy Rule Set Scope:** An PTG conveys its intent to provide or consume a Policy Rule Set
|
||||
(or its part) by defining a Policy Rule Set Scope which references the target
|
||||
Policy Rule Set.
|
||||
|
||||
**Selector:** A Contract Scope can define additional constraints around choosing
|
||||
the matching provider or consumer EPGs for a Contract via a Selector.
|
||||
**Selector:** A Policy Rule Set Scope can define additional constraints around choosing
|
||||
the matching provider or consumer PTGs for a Policy Rule Set via a Selector.
|
||||
|
||||
**Policy Tags:** These are labels contained within a namespace hierarchy and
|
||||
used to define Capability and Role tags used in Filters.
|
||||
|
||||
**L2 Policy:** Used to define a L2 boundary and impose additional
|
||||
**L2 Policy (L2P):** Used to define a L2 boundary and impose additional
|
||||
constraints (such as no broadcast) within that L2 boundary.
|
||||
|
||||
**L3 Policy:** Used to define a non-overlapping IP address space.
|
||||
**L3 Policy (L3P):** Used to define a non-overlapping IP address space.
|
||||
|
||||
**Network Service Policy:** Used to define policies that are used for assigning
|
||||
resources in an EPG to be consumed by network services.
|
||||
**Network Service Policy (NSP):** Used to define policies that are used for
|
||||
assigning resources in a PTG to be consumed by network services.
|
||||
|
||||
Here is an example of how a three tier application would look like:
|
||||
|
||||
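Review bot: "An PTG conveys its intent to provide or consume a Policy Rule Set" should read "A PTG conveys its intent". In the same terminology list, Policy Labels are renamed to Policy Tags in the Congress bullet and in the Filter definition, but the Capability and Role entries still say "It is a Policy Label that defines what part of a Policy Rule Set ..."; rename those to Policy Tag as well so the glossary uses a single term for the thing that Filters carry.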
@ -129,10 +130,10 @@ Here is an example of how a three tier application would look like:
|
||||
|
||||
+–––––––––+ +–––––––+ +–––––––+ +–––––––+
|
||||
| | | Web | | App | |DB |
|
||||
| Outside | | EPG | | EPG | |EPG |
|
||||
| Outside | | PTG | | PTG | |PTG |
|
||||
| Public | +––––––––+ +––+ | +––––––––+ +––+ | +––––––––+ +––+ |
|
||||
| Network +–+Web | |VM| +–+App | |VM| +–+DB | |VM| |
|
||||
| EPG | |Contract| +––+ | |Contract| +––+ | |Contract| +––+ |
|
||||
| PTG | |PRS | +––+ | |PRS | +––+ | |PRS | +––+ |
|
||||
| | +––––––––+ | +––––––––+ | +––––––––+ |
|
||||
| | | +––+ | | +––+ | | +––+ |
|
||||
| | | |VM| | | |VM| | | |VM| |
|
||||
@ -150,65 +151,65 @@ Create Classifier
|
||||
neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP
|
||||
--direction IN
|
||||
|
||||
Create Contract using the Classifier
|
||||
Create Policy Rule Set using the Classifier
|
||||
|
||||
::
|
||||
|
||||
neutron contract-create Web-Server-Contract --classifier Insecure-Web-Access
|
||||
neutron policy-rule-set-create Web-Server-PRS --classifier Insecure-Web-Access
|
||||
--action ALLOW
|
||||
|
||||
Create EPG providing the Contract
|
||||
Create PTG providing the Policy Rule Set
|
||||
|
||||
::
|
||||
|
||||
neutron epg-create Web-Server-EPG --provides-contract Web-Server-Contract
|
||||
neutron ptg-create Web-Server-PTG --provides-policy-rule-set Web-Server-PRS
|
||||
|
||||
Create Endpoint in EPG
|
||||
Create PT in PTG
|
||||
|
||||
::
|
||||
|
||||
neutron ep-create --epg Web-Server-EPG
|
||||
neutron pt-create --epg Web-Server-PTG
|
||||
|
||||
Launch Web Server VM using Endpoint in EPG
|
||||
Launch Web Server VM using PT in PTG
|
||||
|
||||
::
|
||||
|
||||
nova boot --image cirros --flavor m1.nano --nic port-id=<EP-NAME> Web-Server
|
||||
nova boot --image cirros --flavor m1.nano --nic port-id=<PT-NAME> Web-Server
|
||||
|
||||
Specify connectivity of Outside world VMs to Web Server
|
||||
|
||||
::
|
||||
|
||||
neutron epg-create Outside-EPG --consumes-contract Web-Server-Contract
|
||||
neutron ptg-create Outside-PTG --consumes-policy-rule-set Web-Server-PRS
|
||||
|
||||
Note that the Contract Provider/Consuming Scopes are not explicitly shown in
|
||||
Note that the Policy Rule Set Provider/Consuming Scopes are not explicitly shown in
|
||||
the above diagram but define each providing and consuming relation between an
|
||||
EPG and a Contract as shown below:
|
||||
PTG and a Policy Rule Set as shown below:
|
||||
|
||||
::
|
||||
|
||||
+––––––––––+
|
||||
|Web |
|
||||
|Contract |
|
||||
|PRS |
|
||||
|Consuming |
|
||||
|Scope |
|
||||
+–––+––––––+
|
||||
+–––––––––+ | +––––––––––+
|
||||
| | | | Web |
|
||||
| Outside | | | EPG |
|
||||
| Outside | | | PTG |
|
||||
| Public | | +––––––––+ | +––+ |
|
||||
| Network +–+–+Web +––+–+ |VM|EP |
|
||||
| EPG | |Contract| | | +––+ |
|
||||
| Network +–+–+Web +––+–+ |VM|PT |
|
||||
| PTG | |PRS | | | +––+ |
|
||||
| | +––––––––+ | | |
|
||||
| | | | +––+ |
|
||||
| | | | |VM|EP |
|
||||
| | | | |VM|PT |
|
||||
| | | | +––+ |
|
||||
+–––––––––+ | | |
|
||||
| +––––––––––+
|
||||
+
|
||||
+––––+–––––+
|
||||
|Web |
|
||||
|Contract |
|
||||
|PRS |
|
||||
|Providing |
|
||||
|Scope |
|
||||
+––––––––––+
|
||||
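Review bot: `neutron pt-create --epg Web-Server-PTG` keeps the old `--epg` option while the group itself was renamed; it should be `--ptg Web-Server-PTG` to match `ptg-create` and the rest of the walkthrough. Separately, `nova boot ... --nic port-id=<PT-NAME>` passes a Policy Target name where nova expects a Neutron port UUID. Since the mapping section binds a PolicyTarget to a `neutron_port_id`, the step should say it uses the port id of the PT (and how the user obtains it) rather than implying the PT name is itself a port id.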
@ -227,16 +228,16 @@ New Database Objects to support Group Policy:
|
||||
::
|
||||
|
||||
+–––––––––––––+ +–––––––––––––––+ +–––––––––––+
|
||||
| | | Contract | |Contracts |
|
||||
| Endpoint | | Providing/ | | |
|
||||
| Groups +–––––+ Consuming +––––––+ |
|
||||
| Policy | | PRS | | Policy |
|
||||
| Target | | Providing/ | | Rule |
|
||||
| Groups +–––––+ Consuming +––––––+ Sets(PRS)|
|
||||
| | | Scopes | +–––––+–––––+
|
||||
+––––––+––––––+ +–––––––––––––––+ |
|
||||
| +–––––+–––––+
|
||||
| |Policy |
|
||||
+––––––+––––––+ |Rules |
|
||||
| | | |
|
||||
| Endpoints | +–––––+––––––+––––+––––––––+
|
||||
| | Policy |
|
||||
+––––––+––––––+ | Rules |
|
||||
| Policy | | |
|
||||
| Targets | +–––––+––––––+––––+––––––––+
|
||||
| | | | |
|
||||
+–––––––––––––+ | | |
|
||||
| | |
|
||||
@ -250,39 +251,39 @@ All objects have the following common attributes:
|
||||
* name - optional name
|
||||
* description - optional annotation
|
||||
|
||||
Endpoint
|
||||
* epg_id - UUID of the EndpointGroup (EPG) that this Endpoint (EP) belongs to
|
||||
PolicyTarget
|
||||
* ptg_id - UUID of the PolicyTargetGroup (PTG) that this PolicyTarget (PT) belongs to
|
||||
* policy_tags - a list of PolicyTag uuids
|
||||
|
||||
EndpointGroup
|
||||
* endpoints - list of endpoint uuids
|
||||
* contract_providing_scopes - list of ContractProvidingScope uuids
|
||||
* contract_consuming_scopes - list of ContractConsumingScope uuids
|
||||
PolicyTargetGroup
|
||||
* policy_targets - list of PolicyTarget uuids
|
||||
* policy_rule_set_providing_scopes - list of PolicyRuleSetProvidingScope uuids
|
||||
* policy_rule_set_consuming_scopes - list of PolicyRuleSetConsumingScope uuids
|
||||
|
||||
Contract
|
||||
PolicyRuleSet
|
||||
* policy_rules - ordered list of PolicyRule uuids
|
||||
* contract_providing_scopes - list of ContractProvidingScope uuids
|
||||
* contract_consuming_scopes - list of ContractConsumingScope uuids
|
||||
* child_contracts - ordered list of Contract uuids
|
||||
* policy_rule_set_providing_scopes - list of PolicyRuleSetProvidingScope uuids
|
||||
* policy_rule_set_consuming_scopes - list of PolicyRuleSetConsumingScope uuids
|
||||
* child_policy_rule_sets - ordered list of PolicyRuleSet uuids
|
||||
|
||||
ContractProvidingScope
|
||||
* contract_id - uuid of the Contract that is being provided by the EPG
|
||||
PolicyRuleSetProvidingScope
|
||||
* policy_rule_set_id - uuid of the PolicyRuleSet that is being provided by the PTG
|
||||
* selectors - list of Selectors uuids
|
||||
* capabilites - list of PolicyTag uuids
|
||||
* providing_epg - EndpointGroup uuid
|
||||
* providing_ptg - PolicyTargetGroup uuid
|
||||
|
||||
ContractConsumingScope
|
||||
* contract_id - uuid of the Contract that is being consumed by the EPG
|
||||
PolicyRuleSetConsumingScope
|
||||
* policy_rule_set_id - uuid of the PolicyRuleSet that is being consumed by the PTG
|
||||
* selectors - list of Selectors uuids
|
||||
* roles - list of PolicyTags
|
||||
* consuming_epg - EndpointGroup uuid
|
||||
* consuming_ptg - PolicyTargetGroup uuid
|
||||
|
||||
Selector
|
||||
* scope - enum: GLOBAL, TENANT, EPG
|
||||
* value - None for GLOBAL, or uuid of tenant/EPG
|
||||
* scope - enum: GLOBAL, TENANT, PTG
|
||||
* value - None for GLOBAL, or uuid of tenant/PTG
|
||||
|
||||
PolicyTag
|
||||
* namespace - string, a namespace identifier for policy labels
|
||||
* namespace - string, a namespace identifier for policy tags
|
||||
* name - string, not optional
|
||||
* values - list of PolicyValue uuids
|
||||
|
||||
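Review bot: in PolicyRuleSetProvidingScope, "capabilites - list of PolicyTag uuids" is misspelled (capabilities) and is described differently from the consuming side's "roles - list of PolicyTags"; both lists hold the same kind of reference, so use one form, e.g. "list of PolicyTag uuids", for both. The renamed PolicyTarget line "ptg_id - UUID of the PolicyTargetGroup (PTG) that this PolicyTarget (PT) belongs to" also now runs past the wrap width the surrounding RST keeps; wrap it like the lines around it.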
@ -309,24 +310,24 @@ Action
|
||||
case of REDIRECT, its the uuid of the Service Chain
|
||||
|
||||
L2Policy
|
||||
* endpoint_groups - list of EndpointGroup uuids
|
||||
* policy_target_groups - list of PolicyTargetGroup uuids
|
||||
* l3_policy_id - uuid of the l3_policy
|
||||
|
||||
L3Policy
|
||||
* l2_policies - list of L2Policy uuids
|
||||
* ip_version - enum, v4 or v6
|
||||
* ip_pool - string, IPSubnet with mask, used to pull subnets from if the
|
||||
user creates an EPG without specifying a subnet
|
||||
* default_subnet_prefix_length - int, used as the default subnet length if
|
||||
the user creates an EPG without a subnet
|
||||
user creates a PTG without specifying a subnet
|
||||
* subnet_prefix_length - int, used as the default subnet length if
|
||||
the user creates a PTG without a subnet
|
||||
|
||||
The way ip_pool and default_subnet_prefix_length work is as follows: When
|
||||
The way ip_pool and subnet_prefix_length work is as follows: When
|
||||
creating L3Policy a default ip_pool and default_subnet_prefix_length are
|
||||
created. If a user creates an EPG, a subnet will be pulled from ip_pool using
|
||||
created. If a user creates a PTG, a subnet will be pulled from ip_pool using
|
||||
default_subnet_prefix_length.
|
||||
|
||||
NetworkServicePolicy
|
||||
* endpoint_groups - list of EndpointGroup uuids
|
||||
* policy_target_groups - list of PolicyTargetGroup uuids
|
||||
* network_service_params - list of ServiceArgument uuids
|
||||
|
||||
NetworkServiceParams
|
||||
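Review bot: the rename from `default_subnet_prefix_length` to `subnet_prefix_length` is incomplete. The attribute list and the opening sentence of the explanatory paragraph now say `subnet_prefix_length`, but the rest of that paragraph still reads "a default ip_pool and default_subnet_prefix_length are created" and "a subnet will be pulled from ip_pool using default_subnet_prefix_length." Update both occurrences so the prose matches the attribute name. While there, "a default ip_pool ... are created" is misleading: `ip_pool` is supplied by the user or falls back to the attribute default shown later in the spec, not created by the L3Policy.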
@ -341,18 +342,18 @@ NetworkServiceParams
|
||||
The supported values are: self_subnet and external_subnet,
|
||||
but the values are not validated when the tpye is 'string'.
|
||||
Valid combinations are:
|
||||
ip_single, self_subnet: Allocate a single IP addr from epg subnet,
|
||||
ip_single, self_subnet: Allocate a single IP addr from ptg subnet,
|
||||
e.g. VIP (in the private network)
|
||||
ip_single, external_subnet: Allocate a single floating-ip addr,
|
||||
e.g. Public address for the VIP
|
||||
ip_pool, external_subnet: Allocate a floating-ip for every EP in EPG
|
||||
ip_pool, external_subnet: Allocate a floating-ip for every PT in PTG
|
||||
|
||||
Objects to support Mapping to existing Neutron resources
|
||||
|
||||
EndpointPortBinding (extends Endpoint)
|
||||
* neutron_port_id - uuid of Neutron Port that this EP maps to
|
||||
PolicyTargetPortBinding (extends PolicyTarget)
|
||||
* neutron_port_id - uuid of Neutron Port that this PT maps to
|
||||
|
||||
EndpointGroupNetworkBinding (extends EndpointGroup)
|
||||
PolicyTargetGroupNetworkBinding (extends PolicyTargetGroup)
|
||||
* neutron_subnets - list of Neutron Subnet uuids
|
||||
|
||||
L2PolicyBinding (extends l2_policy)
|
||||
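Review bot: "the values are not validated when the tpye is 'string'" has a typo (type). The sentence itself needs one more line of documentation: it lists only self_subnet and external_subnet as supported, then says string values are not validated, so the spec should say what a driver does with an unrecognised value (reject at create time, or silently ignore). This parameter decides whether a single IP or a floating IP per PT gets allocated, so an unvalidated value here is exactly the kind of mismatch that would go unnoticed until rendering.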
@ -378,13 +379,13 @@ The following new resources are being introduced:
|
||||
gp_supported_actions = [None, 'ALLOW', 'REDIRECT']
|
||||
gp_supported_directions = [None, 'IN', 'OUT', 'BI']
|
||||
gp_supported_protocols = [None, 'TCP', 'UDP', 'ICMP']
|
||||
gp_supported_scopes = [None, 'GLOBAL', 'TENANT', 'EPG']
|
||||
gp_supported_scopes = [None, 'GLOBAL', 'TENANT', 'PTG']
|
||||
|
||||
ENDPOINTS = 'endpoints'
|
||||
ENDPOINT_GROUPS = 'endpoint_groups'
|
||||
CONTRACTS = 'contracts'
|
||||
CONTRACT_PROVIDING_SCOPES = 'contract_providing_scopes'
|
||||
CONTRACT_CONSUMING_SCOPES = 'contract_consuming_scopes'
|
||||
POLICY_TARGETS = 'policy_targets'
|
||||
POLICY_TARGET_GROUPS = 'policy_target_groups'
|
||||
POLICY_RULE_SETS = 'policy_rule_sets'
|
||||
POLICY_RULE_SET_PROVIDING_SCOPES = 'policy_rule_set_providing_scopes'
|
||||
POLICY_RULE_SET_CONSUMING_SCOPES = 'policy_rule_set_consuming_scopes'
|
||||
POLICY_RULES = 'policy_rules'
|
||||
FILTERS = 'filters'
|
||||
CLASSIFIERS = 'classifiers'
|
||||
@ -396,7 +397,7 @@ The following new resources are being introduced:
|
||||
NETWORK_SERVICE_POLICIES = 'network_service_policies'
|
||||
|
||||
RESOURCE_ATTRIBUTE_MAP = {
|
||||
ENDPOINTS: {
|
||||
POLICY_TARGETS: {
|
||||
'id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid': None}, 'is_visible': True,
|
||||
'primary_key': True},
|
||||
@ -409,11 +410,11 @@ The following new resources are being introduced:
|
||||
'tenant_id': {'allow_post': True, 'allow_put': False,
|
||||
'validate': {'type:string': None},
|
||||
'required_by_policy': True, 'is_visible': True},
|
||||
'endpointgroup_id': {'allow_post': True, 'allow_put': True,
|
||||
'policy_target_group_id': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid__or_none': None},
|
||||
'required': True, 'is_visible': True},
|
||||
},
|
||||
ENDPOINT_GROUPS: {
|
||||
POLICY_TARGET_GROUPS: {
|
||||
'id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid': None}, 'is_visible': True,
|
||||
'primary_key': True},
|
||||
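Review bot: the renamed `'policy_target_group_id'` attribute keeps `'validate': {'type:uuid__or_none': None}` with a double underscore, whereas `network_service_policy_id` and `neutron_port_id` elsewhere in this spec use `'type:uuid_or_none'`; the doubled underscore will not match the validator name and should be fixed here. Also, `'required': True` alongside a uuid-or-none validator is contradictory: if a PT may be created without a group, drop `'required'`, otherwise validate with `'type:uuid'`.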
@ -426,7 +427,7 @@ The following new resources are being introduced:
|
||||
'tenant_id': {'allow_post': True, 'allow_put': False,
|
||||
'validate': {'type:string': None},
|
||||
'required_by_policy': True, 'is_visible': True},
|
||||
'endpoints': {'allow_post': False, 'allow_put': False,
|
||||
'policy_targets': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid_list': None},
|
||||
'convert_to': attr.convert_none_to_empty_list,
|
||||
'default': None, 'is_visible': True},
|
||||
@ -436,18 +437,18 @@ The following new resources are being introduced:
|
||||
'network_service_policy_id': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid_or_none': None},
|
||||
'default': None, 'is_visible': True},
|
||||
'provided_contract_scopes': {'allow_post': True, 'allow_put': True,
|
||||
'provided_policy_rule_set_scopes': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid_list': None},
|
||||
'convert_to':
|
||||
attr.convert_none_to_empty_list,
|
||||
'default': None, 'is_visible': True},
|
||||
'consumed_contract_scopes': {'allow_post': True, 'allow_put': True,
|
||||
'consumed_policy_rule_set_scopes': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid_list': None},
|
||||
'convert_to':
|
||||
attr.convert_none_to_empty_list,
|
||||
'default': None, 'is_visible': True},
|
||||
},
|
||||
CONTRACTS: {
|
||||
POLICY_RULE_SETS: {
|
||||
'id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid': None},
|
||||
'is_visible': True,
|
||||
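Review bot: the PTG API attributes are named `provided_policy_rule_set_scopes` and `consumed_policy_rule_set_scopes`, but the database object section calls the same lists `policy_rule_set_providing_scopes` and `policy_rule_set_consuming_scopes`, and the resource constants are `POLICY_RULE_SET_PROVIDING_SCOPES` / `POLICY_RULE_SET_CONSUMING_SCOPES`. Pick one form (the constants suggest providing/consuming) so the PTG attribute names line up with the collection they reference.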
@ -463,7 +464,7 @@ The following new resources are being introduced:
|
||||
'validate': {'type:string': None},
|
||||
'required_by_policy': True,
|
||||
'is_visible': True},
|
||||
'child_contracts': {'allow_post': True, 'allow_put': True,
|
||||
'child_policy_rule_sets': {'allow_post': True, 'allow_put': True,
|
||||
'default': None,
|
||||
'validate': {'type:uuid_list': None},
|
||||
'convert_to': attr.convert_none_to_empty_list,
|
||||
@ -474,7 +475,7 @@ The following new resources are being introduced:
|
||||
'convert_to': attr.convert_none_to_empty_list,
|
||||
'required': True, 'is_visible': True},
|
||||
},
|
||||
CONTRACT_PROVIDING_SCOPES: {
|
||||
POLICY_RULE_SET_PROVIDING_SCOPES: {
|
||||
'id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid': None},
|
||||
'is_visible': True,
|
||||
@ -490,10 +491,10 @@ The following new resources are being introduced:
|
||||
'validate': {'type:string': None},
|
||||
'required_by_policy': True,
|
||||
'is_visible': True},
|
||||
'endpointgroup_id': {'allow_post': True, 'allow_put': True,
|
||||
'policy_target_group_id': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid': None},
|
||||
'required': True, 'is_visible': True},
|
||||
'contract_id': {'allow_post': True, 'allow_put': True,
|
||||
'policy_rule_set_id': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid': None},
|
||||
'required': True, 'is_visible': True},
|
||||
'selector_id': {'allow_post': True, 'allow_put': True,
|
||||
@ -505,7 +506,7 @@ The following new resources are being introduced:
|
||||
'convert_to': attr.convert_none_to_empty_list,
|
||||
'required': True, 'is_visible': True},
|
||||
},
|
||||
CONTRACT_CONSUMING_SCOPES: {
|
||||
POLICY_RULE_SET_CONSUMING_SCOPES: {
|
||||
'id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid': None},
|
||||
'is_visible': True, 'primary_key': True},
|
||||
@ -520,10 +521,10 @@ The following new resources are being introduced:
|
||||
'validate': {'type:string': None},
|
||||
'required_by_policy': True,
|
||||
'is_visible': True},
|
||||
'endpointgroup_id': {'allow_post': True, 'allow_put': True,
|
||||
'policy_target_group_id': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid': None},
|
||||
'required': True, 'is_visible': True},
|
||||
'contract_id': {'allow_post': True, 'allow_put': True,
|
||||
'policy_rule_set_id': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid': None},
|
||||
'required': True, 'is_visible': True},
|
||||
'selector_id': {'allow_post': True, 'allow_put': True,
|
||||
@ -697,7 +698,7 @@ The following new resources are being introduced:
|
||||
'tenant_id': {'allow_post': True, 'allow_put': False,
|
||||
'validate': {'type:string': None},
|
||||
'required_by_policy': True, 'is_visible': True},
|
||||
'endpoint_groups': {'allow_post': False, 'allow_put': False,
|
||||
'policy_target_groups': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid_list': None},
|
||||
'convert_to': attr.convert_none_to_empty_list,
|
||||
'default': None, 'is_visible': True},
|
||||
@ -726,15 +727,14 @@ The following new resources are being introduced:
|
||||
'ip_pool': {'allow_post': True, 'allow_put': False,
|
||||
'validate': {'type:subnet': None},
|
||||
'default': '10.0.0.0/8', 'is_visible': True},
|
||||
'default_subnet_prefix_length': {'allow_post': True, 'allow_put': True,
|
||||
'subnet_prefix_length': {'allow_post': True, 'allow_put': True,
|
||||
'convert_to': attr.convert_to_int,
|
||||
'validate': {
|
||||
# ipv4 specific validation is
|
||||
# performed in the plugin code.
|
||||
'type:values': range(1, 127)},
|
||||
# for ipv4 legal values are 2 to 30
|
||||
# for ipv6 legal values are 2 to 127
|
||||
'default': 24, 'is_visible': True},
|
||||
'l2_policies': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid_list': None},
|
||||
validate': {'type:uuid_list': None},
|
||||
'convert_to': attr.convert_none_to_empty_list,
|
||||
'default': None, 'is_visible': True},
|
||||
},
|
||||
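Review bot: the rewritten `l2_policies` validator line reads `validate': {'type:uuid_list': None},` and has lost its opening quote, which turns the RESOURCE_ATTRIBUTE_MAP snippet into a syntax error; restore `'validate'`. In the same block, `'type:values': range(1, 127)` accepts 1 through 126, yet the comment says the ipv6 legal values are 2 to 127, so 127 is rejected and 1 is accepted; use `range(2, 128)` and keep the ipv4 upper bound in the plugin check the comment mentions, or correct the comment to match the range.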
@ -751,7 +751,7 @@ The following new resources are being introduced:
|
||||
'tenant_id': {'allow_post': True, 'allow_put': False,
|
||||
'validate': {'type:string': None},
|
||||
'required_by_policy': True, 'is_visible': True},
|
||||
'endpoint_groups': {'allow_post': False, 'allow_put': False,
|
||||
'policy_target_groups': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid_list': None},
|
||||
'convert_to': attr.convert_none_to_empty_list,
|
||||
'default': None, 'is_visible': True},
|
||||
@ -773,12 +773,12 @@ using attribute extension:
|
||||
.. code-block:: python
|
||||
|
||||
EXTENDED_ATTRIBUTES_2_0 = {
|
||||
gpolicy.ENDPOINTS: {
|
||||
gpolicy.POLICY_TARGETS: {
|
||||
'neutron_port_id': {'allow_post': True, 'allow_put': False,
|
||||
'validate': {'type:uuid_or_none': None},
|
||||
'is_visible': True, 'default': None},
|
||||
},
|
||||
gpolicy.ENDPOINT_GROUPS: {
|
||||
gpolicy.POLICY_TARGET_GROUPS: {
|
||||
'neutron_subnets': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid_list': None},
|
||||
'convert_to': attr.convert_none_to_empty_list,
|
||||
@ -801,7 +801,7 @@ Security impact
|
||||
---------------
|
||||
|
||||
The connectivity model used here is consistent with OpenStack/Neutron's current
|
||||
white list model - that is, there is no connectivity outside an EPG unless
|
||||
white list model - that is, there is no connectivity outside a PTG unless
|
||||
explicitly allowed.
|
||||
|
||||
The rendering of the proposed new abstractions happens via existing Security
|
||||
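Review bot: the security statement only covers traffic crossing a PTG boundary ("no connectivity outside a PTG unless explicitly allowed"). It should also state whether policy targets within the same PTG may communicate freely by default, because with the security-group rendering described just below that is the default an operator actually gets, and it is the main behavioural difference from a per-port model. "OpenStack/Neutron's current white list model" also still names Neutron, unlike the revised intro.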
@ -890,6 +890,8 @@ Assignee(s)
|
||||
|
||||
Mandeep Dhami (mandeep-dhami)
|
||||
|
||||
Ivar Lazzaro (mmaleckk)
|
||||
|
||||
Mohammad Banikazemi (banix)
|
||||
|
||||
Stephen Wong (s3wong)
|
||||
@ -900,6 +902,8 @@ Assignee(s)
|
||||
|
||||
Subrahmanyam Ongole (osms69)
|
||||
|
||||
Magesh GV (magesh-gv)
|
||||
|
||||
Ronak Shah (ronak-malav-shah)
|
||||
|
||||
Rudra Rugge (rudrarugge)
|
||||
|