vmware-nsx-tempest-plugin/vmware_nsx_tempest_plugin/doc/README-AdminPolicy.rst
Boden R 802164f2a2 refactor top-level pkg to vmware_nsx_tempest_plugin
This patch refactors the source and supporting files to use the top
level package name of vmware_nsx_tempest_plugin. This better matches
the project name as well as the name we plan to publish to PYPI with
as per the discussion in [1].

A sample release has been published to the test pypi repo [2] to
ensure this works.

[1] https://review.openstack.org/#/c/584498/
[2] https://test.pypi.org/project/vmware-nsx-tempest-plugin/

Change-Id: I4cd89f49562c780754ebfb7e93c38b4e6556e314
2018-07-31 12:48:38 -06:00

3.4 KiB

Admin Policy

Admin policy, neutron extension secuirty-group-policy provides organization to enforce traffic forwarding utilizing NSX security policy.

The "Admin Policy" feature is admin priviledge, normal project/tenant is not able to create security-group-policy.

This feature can be enabled from devstack or manually.

Enable security-group-policy extention at bring up devstack

You can enable security-group-policy when starting up devstack. However, if the policy-id does not exist, starting will fail.

To enable it, add the following tokens to local.conf:

NSXV_USE_NSX_POLICIES=True NSXV_DEFAULT_POLICY_ID=policy-11 NSXV_ALLOW_TENANT_RULES_WITH_POLICY=True

Change values according to your needs though.

Enable security-group-policy extention manually

Instruction is from the view of devstack

  1. Add following items to /etc/neutron/policy.json:

    "create_security_group:logging": "rule:admin_only",
    "update_security_group:logging": "rule:admin_only",
    "get_security_group:logging": "rule:admin_only",
    "create_security_group:provider": "rule:admin_only",
    "create_port:provider_security_groups": "rule:admin_only",
    "create_security_group:policy": "rule:admin_only",
    "update_security_group:policy": "rule:admin_only",
  2. Add following key=value pair to session [nsxv] of /etc/neutron/plugin/vmware/nsx.ini:

    use_nsx_policies = True
    default_policy_id = policy-11
    allow_tenant_rules_with_policy = False
    
    # NOTE: For automation, set allow_tenant_rules_with_policy to True

tempest.conf

At session [nsxv] add the following 3 key=value pair:

default_policy_id = policy-11 alt_policy_id = policy-22 allow_tenant_rules_with_policy = False

# NOTE: default_policy_id and allow_tenant_rules_with_policy need to match nsx.ini

default_policy_id and alt_policy_id:

For API tests, both must exist at NSX.

For scenario tests, please refer to nsxv/scenario/test_admin_policy_basic_ops.py

In short:

policy-11 (policy-AA at script & test-plan) firewall rules::

action-1: dhcp-in/any/policy-security-groups/dhcp/Allow action-2: dhcp-out/policy-security-groups/dhcp/Allow action-3: ping-in/any/policy-security-groups/ICMP/Allow action-4: ping-out/policy-security-groups/any/ICMP/Allow/ action-5: ssh-in/any/policy-security-groups/SSH/Allow/ action-6: ssh-in/any/policy-security-groups/SSH/Allow/ action-7: http-ok/any/policy-security-groups/HTTP,HTTPS/Allow/ action-8: sorry-nothing-allowed/any/policy-security-groups/Any/Reject

You can import policy-AA to NSX using the admin-policy-AA.blueprint

policy-22 (policy-BB at script & test-plan) firewall rules::

action-1: dhcp-in/any/policy-security-groups/dhcp/Allow action-2: dhcp-out/policy-security-groups/dhcp/Allow action-3: group-ping/policy-security-groups/policy-security-groups/ICMP/Allow/ action-4: ssh-in/any/policy-security-groups/SSH/Allow/ action-5: ssh-in/any/policy-security-groups/SSH/Allow/ action-6: http-ok/any/policy-security-groups/HTTP,HTTPS/Allow/ pction-7: sorry-nothing-allowed/any/policy-security-groups/Any/Reject

NOTE on ping: same as policy-11 but only allowed from policy-security-groups You can import policy-BB to NSX using the admin-policy-BB.blueprint