Updated Gluon Documentation for Pike Release

Updated documentation includes:
- doc/source/devref
  * Update on Gluon Authentication and Authorization
  * Version Management in Gluon API Specification and updated examples
  * Updated examples for Proton Version Management
  * Updated repo structure
- doc/source/installation
  * Updated installation guide for etcd and gluon
- doc/source/usage.rst
  * Updated user guide
- releasenotes/source
  * Updated release notes

Change-Id: I836690ccb5c538031e624f5f547b5f2c594ca4ad
Signed-off-by: Bin Hu <bh526r@att.com>
Bin Hu 2017-08-28 21:39:08 -07:00
parent ee99e05e3c
commit 0e99426b9e
12 changed files with 1162 additions and 646 deletions

View File

@ -0,0 +1,47 @@
{
"COMMENT": "This file is no longer needed, but for historical record !!!",
"COMMENT": "The policy.json file in /etc/proton directory should contain",
"COMMENT": "empty json object: {}",
"COMMENT": "This first part is moved to code in gluon/policies/base.py",
"context_is_admin": "role:admin",
"owner": "tenant_id:%(tenant_id)s",
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"default": "rule:admin_or_owner",
"COMMENT": "The rest of policies are defined in gluon/models/base/base.yaml file",
"create_port": "rule:admin_or_network_owner",
"list_ports": "rule:admin",
"get_port": "rule:admin_or_owner",
"update_port": "rule:admin_or_network_owner",
"delete_port": "rule:admin_or_network_owner",
"create_interface": "rule:admin_or_network_owner",
"list_interfaces": "rule:admin",
"get_interface": "rule:admin_or_owner",
"update_interface": "rule:admin_or_network_owner",
"delete_interface": "rule:admin_or_network_owner",
"create_vpn": "rule:admin_or_network_owner",
"list_vpns": "rule:admin",
"get_vpns": "rule:admin_or_owner",
"update_vpn": "rule:admin_or_network_owner",
"delete_vpn": "rule:admin_or_network_owner",
"create_vpnbinding": "rule:admin_or_network_owner",
"list_vpnbindings": "rule:admin",
"get_vpnbinding": "rule:admin_or_owner",
"update_vpnbinding": "rule:admin_or_network_owner",
"delete_vpnbinding": "rule:admin_or_network_owner",
"create_vpnafconfig": "rule:admin_or_network_owner",
"list_vpnafconfigs": "rule:admin",
"get_vpnafconfig": "rule:admin_or_owner",
"update_vpnafconfig": "rule:admin_or_network_owner",
"delete_vpnafconfig": "rule:admin_or_network_owner",
}
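Review bot: the `list_ports`, `list_interfaces`, `list_vpns`, `list_vpnbindings` and `list_vpnafconfigs` entries reference `rule:admin`, but no rule named `admin` is defined in this file; the admin rules defined above are `context_is_admin` and `admin_only`. oslo.policy resolves an unknown `rule:` name through the configured default rule (`default`, here `rule:admin_or_owner`), so these list actions would not be admin-only as intended; use `rule:admin_only` or `rule:context_is_admin`, and fix the same `rule:admin` reference where it reappears in the `base.yaml` and ObjectDef examples of this change. Separately, the object carries five duplicate `"COMMENT"` keys, which most parsers silently collapse to the last one, and a trailing comma before the closing brace, which makes the file invalid JSON (Python's `json.loads` rejects it); since the file is kept only as a historical record, either move the commentary into a README next to it or make the file valid JSON.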

View File

@ -1,20 +1,44 @@
====================================
Gluon Authentication & Authorization
====================================
..
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
Convention for heading levels in Gluon devref:
======= Heading 0 (reserved for the title in a document)
------- Heading 1
~~~~~~~ Heading 2
+++++++ Heading 3
''''''' Heading 4
(Avoid deeper levels because they do not render well.)
======================================
Gluon Authentication and Authorization
======================================
Summary
-------
This document explains the integration of Gluon with OpenStack identity service
or Keystone. When Keystone is enabled, users that submit requests to Gluon
This document explains the integration of Gluon with OpenStack Identity service
or Keystone. When Keystone is enabled, users that submit requests to Gluon NFV
networking service will have to provide an authentication token in X-Auth-Token
request header. The token is obtained by making a call to the Keystone authentication
request header. The token is obtained via making a call to the Keystone authentication
service by passing in username and password.
Assumptions
-----------
The document uses the proposed "port and service binding model"[1] to determine the
This document conforms to Identity concepts, and the mechanism of managing services,
projects, users, and roles described in "OpenStack Keystone Administrator Guide" [2]_.
The document uses the proposed "Port and Service Binding Model" [3]_ to determine the
policy actions (see section on Authorization).
Authentication
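Review bot: the rewritten Summary sentence "The token is obtained via making a call to the Keystone authentication service" regresses the grammar of the line it replaces; keep "obtained by making a call". The new numbered citations `[2]_` and `[3]_` start at 2 with no `[1]`: since the old "1) Port and service binding model" entry is being dropped from the Reference section, renumber the footnotes from 1 so the list is contiguous.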
@ -28,167 +52,175 @@ If the token is valid, Keystone will retrieve additional information from token
such as user name, user id, project name, project id etc and send this information
to the OpenStack service. Otherwise, the request will be rejected.
Setting up
Setting Up
~~~~~~~~~~
Once Keystone is installed and running, services have to be configured to work with it.
This involves setting up projects, roles, users, and services. By default, OpenStack
already has several projects, roles and users created.
This involves setting up services, projects, and users, and assigning roles to
{ project, user } pair. After OpenStack is installed, when Identity (Keystone) is bootstrapped,
several services, projects, roles and users will be created by default.
Following is the normal process to add a service to Keystone.
Following is the normal process to add a service, and assign roles to
{ project, user } pairs in Keystone.
- Create a project
- Create a user for the service and add the user to the project
- Create an admin role and assign to the user
- Create service
- Create endpoint
- Create a **service**
- Create **endpoint** of that **service**
- Create a **project**
- Create a **user** that is expected to use the **service** under the **project**
- Assign an ``admin`` **role** to the { **project**, **user** } pair
For Gluon, we will add these objects.
For bootstrapping Gluon with Identity service, we will follow the procedure of:
- Create a new user called "gluon"
- Add "gluon" user to "service" project
- Add "service" role to "gluon" user in the "service" project
- Create a new service called "gluon"
- Create a new endpoint under the service "gluon"
* Step 1: Create a new "NFV Networking" **service** named ``gluon`` (or any name) with service type ``nfvnet``
.. code-block:: bash
$ openstack service create --name gluon --description "NFV Network Service" nfvnet
* Step 2: Create a new **endpoint** under the **service** ``gluon``
.. code-block:: bash
# Note: you need to change the IP address 10.0.2.7 to match your environment
$ openstack endpoint create --region RegionOne gluon public http://10.0.2.7:2705/proton/
$ openstack endpoint create --region RegionOne gluon admin http://10.0.2.7:2705/proton/
$ openstack endpoint create --region RegionOne gluon internal http://10.0.2.7:2705/proton/
* Step 3: Either reuse an existing **project** (e.g. a default project named ``service``) or create a new **project**
.. code-block:: bash
#
# We reuse "service" project here.
# If you want to create a new project:
# $ openstack project create --description <description of your new project> <new-project-name> --domain default
#
* Step 4: Create a new **user** named ``gluon`` (or any name)
.. code-block:: bash
$ openstack user create --password <password> gluon
* Step 5: Assign ``admin`` **role** to { ``service``, ``gluon`` } pair
.. code-block:: bash
$ openstack role add --project service --user gluon admin
Authorization
-------------
Each OpenSack service has its own role-based access policies to allow/disallow access to
specific actions. The policy.json is used to define the access control, which contains
each policy defined in the format "<action> : <rule>".
specific actions. The access control policy is defined in the format of ``<action> : <rule>``.
The <action> represents an API call like "create network" whereas <rule> determines
under which circumstances API call is permitted. As an example, consider following rule
The <action> represents an API call like "create a user" whereas <rule> determines
under which circumstances this API call is permitted. For example, consider following policy:
``"identity:create_user" : "role:admin"``
.. code-block:: bash
This rule allows admin role to create a new user in the identity service.
"identity:create_user" : "role:admin"
This policy allows ``admin`` **role** to create a new user in the Identity service.
Authorization Scope
~~~~~~~~~~~~~~~~~~~
It will be possible to specify authorization at object level. In the future, we may allow
setting access control at the attribute level.
Currently, Gluon supports the policy-based authorization at object level. In the future,
we may consider to support this role-based access control (RBAC) at the attribute level.
Defining authorization rules
Defining Authorization Rules
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The YAML model definitions will be enhanced to support authorization rules. We will add a new
section for policies.
In OpenStack, typically a ``policy.json`` file is used to store those RBAC policies,
for example, in ``/etc/nova/policy.json``. Because the APIs of those services (e.g.
``nova`` / ``compute``) are fixed, this policy.json mechanism provides flexibility
for defining policies for those services.
The "rules" will be defined at the system level and model authors can use the rules while
defining the actions.
On the other hand, Gluon provides a model-driven approach to generate
NFV Networking Service APIs (including objects, database schema, and
RESTful API endpoints) from a YAML file which models the Networking Service.
Thus it is natural to define the RBAC policies of a new service with its own YAML
model definitions in the same YAML file. Thus a new section for RBAC policies
is defined in the YAML of service model.
Following will be the default rules:
A set of default <rules> is defined at the system level (i.e. in ``gluon/policies/base.py``).
Model authors can then use those rules to define the actions, and thus the policies in YAML.
The default <rules> are defined in ``gluon/policies/base.py``:
.. code-block:: bash
"context_is_admin": "role:admin",
"owner": "tenant_id:%(tenant_id)s",
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"default": "rule:admin_or_owner",
The actions are defined within the "policies" section as shown below.
The default policies are defined at the system level too (i.e. within the ``policies`` section
in ``BaseObject`` definition and ``BaseServiceBinding`` definition in
``gluon/models/base/base.yaml`` file). Model authors can define own policies for those
service objects in its own service YAML, or reuse the default policies if there is no policy
definition in service objects. The default policies defined in ``gluon/models/base/base.yaml``
are as follows:
.. code-block:: yaml
.. code-block:: bash
ProtonBasePort:
...
existing model definition
...
BasePort:
...
existing model definition
...
policies:
create:
role: "rule:admin_or_owner"
delete:
role: "rule:admin_or_owner"
list:
role: "rule:admin"
get:
role: "rule:admin_or_owner"
update:
role: "rule:admin_or_owner"
This policy defines ``create``, ``delete``, ``get``, ``get_one`` and ``update`` actions on
the ``BasePort`` object. The rules section can embed any OpenStack policy directive
that is supported.
policies:
Summary of Gluon Authorization Rules
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
actions:
create:
role: "rule:admin_or_network_owner"
delete:
role: "rule:admin_or_network_owner"
get:
role: "rule:admin_or_owner"
get_one:
role: "rule:admin_or_owner"
update:
role: "rule:admin_or_network_owner"
Please refer to ``doc/samples/policy.json`` for a summary of default <rules> and default policies
used in Gluon. Note that this policy.json is a historical record for informational purpose.
The mechanism of how to define those default <rules> and default policies is at system level
as described above.
More Details of OpenStack Policies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This policy defines create, delete, get, get_one and update actions on the ProtonBasePort object.
The rules section can embed any openstack policy directive that is supported. Please see
https://docs.openstack.org/kilo/config-reference/content/policy-json-file.html for complete details
of the policy.json file
Converting to policy.json file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
During the installation of Gluon, the embedded policies in the YAML model file will be converted
to /etc/gluon/policy.json file. This file will have the following format.
.. code-block:: json
{
"context_is_admin": "role:admin or user_name:gluon",
"owner": "tenant_id:%(tenant_id)s",
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"default": "rule:admin_or_owner",
"create_ports": "rule:admin_or_network_owner",
"get_ports": "rule:admin_or_owner",
"update_ports": "rule:admin_or_network_owner",
"delete_ports": "rule:admin_or_network_owner",
"create_interfaces": "rule:admin_or_network_owner",
"get_interfaces": "rule:admin_or_owner",
"update_interfaces": "rule:admin_or_network_owner",
"delete_interfaces": "rule:admin_or_network_owner",
"create_vpns": "rule:admin_or_network_owner",
"get_vpns": "rule:admin_or_owner",
"update_vpns": "rule:admin_or_network_owner",
"delete_vpns": "rule:admin_or_network_owner",
"create_vpnbindings": "rule:admin_or_network_owner",
"get_vpnbindings": "rule:admin_or_owner",
"update_vpnbindings": "rule:admin_or_network_owner",
"delete_vpnbindings": "rule:admin_or_network_owner",
"create_vpnafconfigs": "rule:admin_or_network_owner",
"get_vpnafconfigs": "rule:admin_or_owner",
"update_vpnafconfigs": "rule:admin_or_network_owner",
"delete_vpnafconfigs": "rule:admin_or_network_owner",
}
Bootstrapping policy.json
~~~~~~~~~~~~~~~~~~~~~~~~~
In the Devstack environment, the gluon software is installed using "python setup.py install"
command from the gluon directory. The setup script will be enhanced to support creating
/etc/gluon/policy.json file from the YAML model file. Users will be able to edit the generated
policy.json file to add their own local rules even though it is not a recommended approach.
For a production OpenStack environment, the above steps need to be done from the package
installation scripts that are supported by tools such as rpm or dpkg.
Please refer to "OpenStack Security Guide - Policies" [4]_ for more details of
OpenStack policy directive.
Action to API Mapping
~~~~~~~~~~~~~~~~~~~~~
Gluon service has to map actions to respective API calls. The OpenStack keystonemiddleware
and oslo.policy(https://docs.openstack.org/oslo.policy/latest/) modules will be integrated
with Gluon to add keystone authentication and enforce RBAC policies defined in the JSON.policy file.
Gluon service has to map actions to respective API calls. The OpenStack ``keystonemiddleware``
and ``oslo.policy`` [5]_ modules is integrated with Gluon to add keystone authentication
and enforce RBAC policies defined in the YAMl files.
The pecan-wsgi service in the Neutron will be used as a reference code for Gluon implementation
The pecan-wsgi service in the Neutron is used as a reference code for above implementation in Gluon.
Current implementation in Gluon is at ``gluon/api/hooks/policy_enforcement.py``.
Configuration
~~~~~~~~~~~~~
The /etc/proton/proton.conf file can be used to configure the authentication details. A sample
configuration is shown below. Change 127.0.0.1 to your keystone endpoint.
The /etc/proton/proton.conf file is used to configure the authentication details. A sample
configuration is shown below. Note that you need to change IP address ``127.0.0.1``
to your keystone endpoint.
.. code-block:: ini
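Review bot: the sentence following the `BasePort` policy example says the policy defines `create`, `delete`, `get`, `get_one` and `update`, but the block above it lists `create`, `delete`, `list`, `get` and `update`, and `get_one` is removed from PolicyDef elsewhere in this change; say `list` instead of `get_one`. The three `.. code-block:: bash` fences in this hunk wrap a policy JSON line, the `base.py` rule dictionary and the `base.yaml` policy section (the last one replaced a `.. code-block:: yaml`); use `json`, `python` and `yaml` so Sphinx highlights them correctly. Step 5 grants the `gluon` service user the `admin` role while `context_is_admin` is `role:admin`, so any token for that user satisfies every rule in the generated policies; the text being replaced assigned the `service` role, so either state why `admin` is required now or describe the least-privilege alternative. Finally, the endpoints in step 2 and `auth_url` in the Configuration section are plain `http://`; since the token travels in `X-Auth-Token`, add a one-line note that production endpoints should be served over TLS.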
@ -205,49 +237,56 @@ configuration is shown below. Change 127.0.0.1 to your keystone endpoint.
auth_url = http://127.0.0.1:35357
auth_type = password
[oslo_policy]
policy_file = /etc/proton/policy.json
The default ``auth_strategy`` is ``noauth`` in Gluon.
Please note that:
* ``auth_uri`` is the **external** or **public** URL that ends up in the
``WWW-Authenticate: keystone-uri=<auth_uri>`` header. It is the unversioned public endpoint,
which tells someone where they need to go to authenticate.
* ``auth_url`` is the **internal** URL that the **auth plugin** is using. It is
where the process will authenticate to before it authenticates tokens.
Set Environment Variables
~~~~~~~~~~~~~~~~~~~~~~~~~
If Keystone is enabled for authentication, some environment variables will need
to be set up in order for protonclient commands to work properly. Modify the openrc
file in gluon home directory with the appropriate value for you Keystone endpoint.
A sample is shown below.
Then run ``source openrc <project_name> <user_name> <user_password>`` to set these variables.
to be set up in order for ``protonclient`` commands to work properly.
Modify the ``openrc`` file in Gluon home directory (or in ``devstack`` home directory)
with the appropriate value for you Keystone endpoint, your project name/tenant name,
your user name and password.
A sample is shown as follows:
.. code-block:: bash
#
# set Keystone endpoint
# Configure a set of credentials for $PROJECT/$USERNAME:
# set OS_AUTH_URL to Keystone end point
# set OS_PROJECT_NAME to openstack project name
# set OS_USERNAME to openstack user name
# set ADMIN_PASSWORD to openstack password
#
# If using devstack:
# set both OS_USERNAME and OS_TENANT_NAME to "admin" or "demo"
#
# Example config for devstack:
# export OS_AUTH_URL="http://192.168.56.101:5000"
# export OS_TENANT_NAME="admin"
# export OS_USERNAME="admin"
# export OS_PASSWORD="ubuntu"
#
export OS_AUTH_URL="http://192.168.56.101:5000"
Appendix
--------
Then run the following command to set these variables.
Configuring identity details for Keystone, change 10.0.2.15 to your gluon endpoint:
.. code-block:: bash
1. Create gluon user:
$ source openrc <project_name> <user_name> <user_password>
> openstack user create --password <password> gluon
References
2. Add the admin role to the gluon user:
> openstack role add --project service --user gluon admin
3. Create the gluon service
> openstack service create --name gluon --description "Gluon" network
4. Create Gluon API endpoints
> openstack endpoint create --publicurl http://10.0.2.15:2705 \
--adminurl http://10.0.2.15:2705 --internalurl http://10.0.2.15:2705 \
--region regionOne gluon
Reference
---------
1) Port and service binding model - https://review.openstack.org/#/c/392250
.. [2] https://docs.openstack.org/keystone/latest/admin/index.html
.. [3] ./service_binding_model
.. [4] https://docs.openstack.org/security-guide/identity/policies.html
.. [5] https://docs.openstack.org/oslo.policy/latest/
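Review bot: the comment header of the openrc sample says "set ADMIN_PASSWORD to openstack password" while the example below exports `OS_PASSWORD`; the two must agree (`OS_PASSWORD` is the variable the OpenStack clients read). The `source openrc <project_name> <user_name> <user_password>` invocation puts the password on the command line, where it ends up in shell history and is visible to other users via `ps`; prefer prompting for it or having the user set `OS_PASSWORD` in the file. "The default ``auth_strategy`` is ``noauth`` in Gluon" is the security-relevant default of this section: state immediately after it which value enables Keystone enforcement, otherwise a reader who completes the Keystone setup may still be running the service unauthenticated. Also "the appropriate value for you Keystone endpoint" should read "your", and the Reference list now begins at `.. [2]` with no `[1]`.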

View File

@ -1,3 +1,24 @@
..
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
Convention for heading levels in Gluon devref:
======= Heading 0 (reserved for the title in a document)
------- Heading 1
~~~~~~~ Heading 2
+++++++ Heading 3
''''''' Heading 4
(Avoid deeper levels because they do not render well.)
=======================
Gluon API Specification
=======================
@ -23,20 +44,20 @@ endpoints created will support the basic CRUD operations on the object. Each
API object will have a corresponding database table. Each API object is
required to have a primary key field. The primary key field is used as the
identifier in the generated API endpoints. For example, if we define an API
object for a Port with a path name of *ports* the following API URL endpoints
object for a Port with a path name of ``ports``, the following API URL endpoints
will be generated where <port_id> is the primary key.
.. csv-table::
:header: "Operation", "URL", "Description"
:widths: 5, 15, 15
POST, /proton/<api_name>/ports, Create Port object
PUT, /proton/<api_name>/ports/<port_id>, Modify Port object
GET, /proton/<api_name>/ports, Get all Port objects
GET, /proton/<api_name>/ports/<port_id>, Get one Port object
DELETE, /proton/<api_name>/ports/<port_id>, Delete a Port object
POST, /proton/<api_name>/<version>/ports, Create Port object
PUT, /proton/<api_name>/<version>/ports/<port_id>, Modify Port object
GET, /proton/<api_name>/<version>/ports, Get all Port objects
GET, /proton/<api_name>/<version>/ports/<port_id>, Get one Port object
DELETE, /proton/<api_name>/<version>/ports/<port_id>, Delete a Port object
The content type for all of the operations is *application/json*.
The content type for all of the operations is ``application/json``.
The API objects can have pointer relationships and parent/child relationships
to other API objects. A pointer relationship can be created by defining a
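Review bot: the new `<version>` path segment in the URL table is introduced without saying where it comes from; state whether it is the `version` field of InfoDef (which the text below calls mandatory) and the exact form it takes in the path (e.g. with or without a `v` prefix), since generated clients and any policy keyed on the path depend on it.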
@ -51,7 +72,7 @@ is automatically created using the primary key of the parent.
In addition, different API endpoints are generated to manipulate the child
object. For example, assume we define an API object for Port and another API
object for Interface where the Interface is a child of the Port. If the path
names are *ports* and *interfaces*, the following API URL endpoints for the
names are ``ports`` and ``interfaces``, the following API URL endpoints for the
Interface object would be generated.
.. list-table::
@ -62,24 +83,24 @@ Interface object would be generated.
- URL
- Description
* - POST
- /proton/<api_name>/ports/<port_id>/interfaces
- /proton/<api_name>/<version>/ports/<port_id>/interfaces
- Create Interface object
* - PUT
- /proton/<api_name>/ports/<port_id>/interfaces/<interface_id>
- /proton/<api_name>/<version>/ports/<port_id>/interfaces/<interface_id>
- Modify Interface object
* - GET
- /proton/<api_name>/ports/<port_id>/interfaces
- /proton/<api_name>/<version>/ports/<port_id>/interfaces
- Get all Interface objects for Port
* - GET
- /proton/<api_name>/ports/<port_id>/interfaces/<interface_id>
- /proton/<api_name>/<version>/ports/<port_id>/interfaces/<interface_id>
- Get one Interface object
* - DELETE
- /proton/<api_name>/ports/<port_id>/interfaces/<interface_id>
- /proton/<api_name>/<version>/ports/<port_id>/interfaces/<interface_id>
- Delete an Interface object
This document describes the specification for defining an API. Further
guidance on how to design an API using the Service Binding Model can be found
`here <https://github.com/openstack/gluon/blob/master/doc/source/devref/service_binding_model.rst>`_.
guidance on how to design an API can be found in the
"Port and Service Binding Model" [3]_.
Schema Definition
-----------------
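Review bot: `[3]_` here (and `[4]_` and `[6]_` later in this file) is a numbered footnote reference, and this diff does not add the matching `.. [3]`, `.. [4]` and `.. [6]` targets to this file's reference section; docutils reports an unknown target for each and a Sphinx build with `-W` fails. Add the targets here, or use a `:doc:` cross-reference for the Service Binding Model document that the removed GitHub link pointed at.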
@ -92,8 +113,8 @@ an JSON object. The JSON objects are very similar to the Schema Object found
in Swagger. However, some extensions are added and only a small subset of the
properties are supported.
Primitive Data Types
---------------------
Primitive Data Types
--------------------
.. list-table::
:widths: 15 20 30
@ -105,14 +126,14 @@ Primitive Data Types
* - integer
- Integer number
- - format: int32, int64 (default: int32)
- min: *integer*
- max: *integer*
- min: <integer>
- max: <integer>
* - number
- Floating point number
- n/a
* - string
- Text String
- - length: *integer* (default: 255)
- - length: <integer> (default: 255)
- format: date-time, json, ipv4, ipv6, mac, url, email
* - boolean
- Boolean value (true/false)
@ -122,7 +143,7 @@ Primitive Data Types
- n/a
* - enum
- Text string from a list of values
- - values: [*string*]
- - values: [<string>]
File Structure
--------------
@ -170,9 +191,9 @@ ProtonDef
description: "Alarm summary for port"
...
The ProtonDef is the root object for the API specification. The *file_version*
is used to identify the format used to create this file. The *info* field
contains the metadata about the API. The *objects* field contains the base
The ProtonDef is the root object for the API specification. The ``file_version``
is used to identify the format used to create this file. The ``info`` field
contains the metadata about the API. The ``objects`` field contains the base
and API object definitions for the API.
InfoDef
@ -188,7 +209,7 @@ InfoDef
author, AuthorDef_, false, Information about API authorship
The InfoDef is where metadata about the API can be specified. At a minimum the
*name* and *version* of the API must be specified.
``name`` and ``version`` of the API must be specified.
**Example**
@ -272,12 +293,19 @@ ObjectDef
attributes, AttributesDef_, true, Attribute definitions of object
policies, PolicyDef_, false, Access rules for this API object
The ObjectDef defines either a base object or an API object. If the *api*
field is present, it is an API object. If the *api* field is omitted, it is a
base object. The *extends* field (if present) must specify the ObjectDef name
of another base object. The *policies* field is only allowed for an API
object. If the *policies* field is omitted, no access control is applied to
the object.
The ObjectDef defines either a base object or an API object. If the ``api``
field is present, it is an API object. If the ``api`` field is omitted, it is a
base object. The ``extends`` field (if present) must specify the ObjectDef name
of another base object. The ``policies`` field is only allowed for an API
object except that default policies are defined in ``BaseObject`` and
``BaseServiceBinding`` base objects in ``gluon/models/base/base.yaml`` file
at system level. This is because both ``BaseObject`` and ``BaseServiceBinding``
base objects are expected to be extended by other user-defined API objects.
If the ``policies`` field is omitted in those API objects, default policies
that are inherited from super class will apply. Or in rare cases, if a user-defined
API object does not extend ``BaseObject`` or ``BaseServiceBinding`` base object,
and no ``policies`` field is defined in the API object either,
no access control is applied to the API object.
**Example**
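Review bot: the last sentence leaves access control fail-open: an API object that neither extends `BaseObject`/`BaseServiceBinding` nor declares `policies` gets no access control at all. Prefer a fail-closed default (apply the system `default` rule `rule:admin_or_owner`, or have the generator refuse or at least warn on such an object) and document that here. The inheritance paragraph should also say whether a `policies` block on a subclass replaces the inherited block wholesale or is merged per action; every PolicyDef field is optional, so a subclass that sets only `create` must not silently lose the inherited `delete` and `update` rules.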
@ -293,11 +321,11 @@ the object.
length: 255
description: "Alarm summary for port"
policies:
create: "rule:admin_or_network_owner"
delete: "rule:admin_or_network_owner"
create: "rule:admin_or_owner"
delete: "rule:admin_or_owner"
list: "rule:admin"
get: "rule:admin_or_owner"
get_one: "rule:admin_or_owner"
update: "rule:admin_or_network_owner"
update: "rule:admin_or_owner"
ApiDef
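Review bot: this example now uses `rule:admin_or_owner` for create/delete/update while the PolicyDef example later in this file keeps `rule:admin_or_network_owner`; pick one so readers are not left guessing which is the intended default. More importantly, the entries here are flat strings (`create: "rule:admin_or_owner"`), matching the PolicyDef table ("Rule specifier string"), whereas the `base.yaml` policies added in this change nest the rule under a `role:` key; the generator accepts only one of these shapes, so document the real schema and correct the other example.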
@ -312,11 +340,11 @@ ApiDef
parent, string, false, Name of an ObjectDef specification
The ApiDef defines the API path and optionally a parent/child relationship for
the object. The *parent* field (if present) must specify the ObjectDef name
of another API object. The *name* field is used by the generated CLI code to
identify the object to be manipulated. The *plural_name* field is used by the
the object. The ``parent`` field (if present) must specify the ObjectDef name
of another API object. The ``name`` field is used by the generated CLI code to
identify the object to be manipulated. The ``plural_name`` field is used by the
generated API code as part of the path to identify the object to be manipulated.
If the *plural_name* field is omitted, an 's' character is added to the name
If the ``plural_name`` field is omitted, an 's' character is added to the name
for the API path during code generation.
**Example**
@ -336,14 +364,15 @@ PolicyDef
create, string, false, Rule specifier string
delete, string, false, Rule specifier string
list, string, false, Rule specifier string
get, string, false, Rule specifier string
get_one, string, false, Rule specifier string
update, string, false, Rule specifier string
The PolicyDef defines the Role-Based Access Control (RBAC) for the object. The
access to the object can be controlled for each generated action. The syntax
of the rule specifier string is defined in the Openstack Policy
`document <https://docs.openstack.org/newton/config-reference/policy-json-file.html>`_.
access to the object can be controlled for each generated action. Please refer to
"Gluon Authentication and Authorization" [6]_ for more details of how
RBAC is applied in Gluon. Please refer to "OpenStack Security Guide - Policies" [4]_
for more details of OpenStack policy directive.
**Example**
@ -351,8 +380,8 @@ of the rule specifier string is defined in the Openstack Policy
create: "rule:admin_or_network_owner"
delete: "rule:admin_or_network_owner"
list: "rule:admin"
get: "rule:admin_or_owner"
get_one: "rule:admin_or_owner"
update: "rule:admin_or_network_owner"
AttributesDef
@ -396,23 +425,24 @@ AttributeSchemaDef
min, integer, false, Min value if type is integer
max, integer, false, Max value if type is integer
Each attribute is defined by an AttributeSchemaDef. The *type* field is
Each attribute is defined by an AttributeSchemaDef. The ``type`` field is
mandatory and can specify a primitive data type or it can be the name of an
ObjectDef. The ObjectDef name must be for an API object. One attribute for
an object must have the *primary* field specified. The *required* field is
an object must have the ``primary`` field specified. The ``required`` field is
used to specify if the attribute must be present when creating an object. If
the *type* is enum, the *values* field must be present and define an array of
the ``type`` is enum, the ``values`` field must be present and define an array of
valid strings for the enumeration.
If the *type* is integer:
If the ``type`` is integer:
* The *format* field can specify if the integer is 32 or 64 bit. Default is int32
* The *min* field can specify the valid minimum value
* The *max* field can specify the valid maximum value
* The ``format`` field can specify if the integer is 32 or 64 bit. Default is int32
* The ``min`` field can specify the valid minimum value
* The ``max`` field can specify the valid maximum value
If the *type* is string:
If the ``type`` is string:
* The *format* field can specify the formatting that will be validated for the string. The string formatting validations supported are:
* The ``format`` field can specify the formatting that will be validated for the string.
The string formatting validations supported are:
* date-time - Validated according to Date_Time_
* json - Valid JSON string
@ -421,7 +451,7 @@ If the *type* is string:
* mac - Valid MAC address according to IEEE 802
* uri - Validated according to URI_
* email - Validated according to EMAIL_
* The *length* field can specify the size of the string. Default is 255
* The ``length`` field can specify the size of the string. Default is 255
**Example**
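Review bot: the supported string formats listed here include `uri`, but the Primitive Data Types table earlier in this file lists `url`; the validator accepts exactly one spelling, so align the two (and the `URI_` link target) with what the code checks.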
@ -477,236 +507,321 @@ Base Objects
::
file_version: 1.0
objects:
BasePort:
attributes:
id:
type: uuid
primary: true:
description: "UUID of Port instance"
name:
type: string
length: 64
description: "Descriptive name for Port"
tenant_id:
type: uuid
required: true
description: "UUID of Tenant owning this Port"
mac_address:
type: string
length: 17
required: true
description: "MAC address for Port"
validate: mac_address
admin_state_up:
type: boolean
required: true
description: "Admin state of Port"
status:
type: enum
required: true
description: "Operational status of Port"
values:
- 'ACTIVE'
- 'DOWN'
vnic_type:
type: enum
required: true
description: "Port should be attache to this VNIC type"
values:
- 'normal'
- 'virtual'
- 'direct'
- 'macvtap'
- 'sriov'
- 'whole-dev'
mtu:
type: integer
description: "MTU"
required: true
vlan_transparency:
type: boolean
description: "Allow VLAN tagged traffic on Port"
required: true
profile:
type: string # JSON Format
length: 128
description: "JSON string for binding profile dictionary"
format: json
device_id:
type: uuid
description: "UUID of bound VM"
device_owner:
type: string
length: 128
description: "Name of compute or network service (if bound)"
host_id:
type: string
length: 32
description: "binding:host_id: Name of bound host"
vif_details:
type: string # JSON Format
length: 128
description: "binding:vif_details: JSON string for VIF details"
format: json
vif_type:
type: string
length: 32
description: "binding:vif_type: binding type for VIF"
BaseInterface:
attributes:
id:
type: uuid
required: true
primary: true
description: "UUID of Interface instance"
port_id:
type: uuid
required: true
description: "Pointer to Port instance"
segmentation_type:
type: enum
required: true
description: "Type of segmentation for this interface"
values:
- 'none'
- 'vlan'
- 'tunnel_vxlan'
- 'tunnel_gre'
- 'mpls'
segmentation_id:
type: integer
required: true
description: "Segmentation identifier"
BaseService:
attributes:
id:
type: uuid
required: true
primary: true
description: "UUID of Service instance"
name:
type: string
length: 64
description: "Descriptive name of Service"
description:
type: string
length: 256
description: "Description of Service"
BaseServiceBinding:
attributes:
interface_id:
type: uuid
required: true
primary: true
description: "Pointer to Interface instance"
service_id:
type: uuid
required: true
description: "Pointer to Service instance"
file_version: "1.0"
objects:
BaseObject:
attributes:
id:
type: uuid
primary: true
description: "UUID of Object"
tenant_id:
type: uuid
required: true
description: "UUID of Tenant"
name:
type: string
length: 64
description: "Descriptive name of Object"
policies:
create:
role: "rule:admin_or_owner"
delete:
role: "rule:admin_or_owner"
list:
role: "rule:admin"
get:
role: "rule:admin_or_owner"
update:
role: "rule:admin_or_owner"
BasePort:
extends: BaseObject
attributes:
mac_address:
type: string
length: 18
required: true
format: mac
description: "MAC address for Port"
admin_state_up:
type: boolean
required: true
description: "Admin state of Port"
status:
type: enum
required: true
description: "Operational status of Port"
values:
- 'ACTIVE'
- 'DOWN'
vnic_type:
type: enum
required: true
description: "Port should be attached to this VNIC type"
values:
- 'normal'
- 'virtual'
- 'direct'
- 'macvtap'
- 'sriov'
- 'whole-dev'
mtu:
type: integer
description: "MTU"
required: true
vlan_transparency:
type: boolean
description: "Allow VLAN tagged traffic on Port"
required: true
profile:
type: string # JSON Format
length: 128
description: "JSON string for binding profile dictionary"
format: json
device_id:
type: uuid
description: "UUID of bound VM"
device_owner:
type: string
length: 128
description: "Name of compute or network service (if bound)"
host_id:
type: string
length: 64
description: "binding:host_id: Name of bound host"
vif_details:
type: string # JSON Format
length: 128
description: "binding:vif_details: JSON string for VIF details"
format: json
vif_type:
type: string
length: 32
description: "binding:vif_type: binding type for VIF"
BaseInterface:
extends: BaseObject
attributes:
port_id:
type: uuid
required: true
description: "Pointer to Port instance"
segmentation_type:
type: enum
required: true
description: "Type of segmentation for this interface"
values:
- 'none'
- 'vlan'
- 'tunnel_vxlan'
- 'tunnel_gre'
- 'mpls'
segmentation_id:
type: integer
required: true
description: "Segmentation identifier"
BaseService:
extends: BaseObject
attributes:
description:
type: string
length: 256
description: "Description of Service"
BaseServiceBinding:
attributes:
tenant_id:
type: uuid
required: true
description: "UUID of Tenant"
interface_id:
type: uuid
required: true
primary: true
description: "Pointer to Interface instance"
service_id:
type: uuid
required: true
description: "Pointer to Service instance"
policies:
create:
role: "rule:admin_or_owner"
delete:
role: "rule:admin_or_owner"
list:
role: "rule:admin"
get:
role: "rule:admin_or_owner"
update:
role: "rule:admin_or_owner"
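Review bot: the new `policies` block (`create`/`delete`/`list`/`get`/`update`, each with a `role: "rule:..."` string) is a schema that the attribute-field documentation above never describes; add a short paragraph on the `policies` keys, on the fact that the value under `role:` is a policy rule expression rather than a role name, and on how `rule:admin_or_owner` is evaluated for `create`, where no stored object exists yet and the owner check has to run against the `tenant_id` supplied in the request. Two smaller points: `BaseServiceBinding` deliberately does not `extends: BaseObject` and instead repeats `tenant_id` and its own `policies` block, which is worth a one-line comment so the next editor does not "fix" it; and `mac_address` is `length: 18` with `format: mac` while a colon-separated MAC is 17 characters, so either document the extra byte or use 17.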
API Specification
*****************
::
file_version: 1.0
imports: base/base.yaml
info:
name: net-l3vpn
version: 1.0
description "L3VPN API Specification"
author:
name: "Gluon Team"
url: https://wiki.openstack.org/wiki/Gluon
email: bh526r@att.com
objects:
Port:
api:
name: port
plural_name: ports
extends: BasePort
attributes:
alarms:
type: string
length: 255
description: "Alarm summary for port"
Interface:
api:
name: interface
plural_name: interfaces
parent: Port
extends: BaseInterface
VpnService:
api:
name: vpn
plural_name: vpns
extends: BaseService
attributes:
ipv4_family:
type: string
length: 255
description: "Comma separated list of route target strings"
ipv6_family:
type: string
length: 255
description: "Comma separated list of route target strings"
route_distinguishers:
type: string
length: 32
description: "Route distinguisher for this VPN"
VpnBinding:
extends: BaseServiceBinding
api:
name: vpnbinding
plural_name: vpnbindings
attributes:
service_id: # Override from base object for specific Service type
type: VpnService
required: true
primary: true
description: "Pointer to VpnService instance"
ipaddress:
type: string
length: 23
description: "IP Address of port"
format: ipv4
subnet_prefix:
type: integer
description: "Subnet mask"
format: int32
min: 1
max: 31
gateway:
type: string
length: 32
description: "Default gateway"
format: ipv4
VpnAfConfig:
api:
name: vpnafconfig
plural_name: vpnafconfigs
attributes:
vrf_rt_value:
required: True
type: string
length: 32
primary: 'True'
description: "Route target string"
vrf_rt_type:
type: enum
required: True
description: "Route target type"
values:
- export_extcommunity
- import_extcommunity
- both
import_route_policy:
type: string
length: 32
description: "Route target import policy"
export_route_policy:
type: string
length: 32
description: "Route target export policy"
file_version: "1.0"
imports: base/base.yaml
info:
name: net-l3vpn
version: 1.0
description: "L3VPN API Specification"
author:
name: "Gluon Team"
url: https://wiki.openstack.org/wiki/Gluon
email: bh526r@att.com
objects:
Port:
api:
name: port
plural_name: ports
extends: BasePort
Interface:
api:
name: interface
plural_name: interfaces
parent: Port
parent_key: port_id
extends: BaseInterface
attributes:
port_id:
type: Port # Override from base object for specific Service type
VpnService:
api:
name: vpn
plural_name: vpns
extends: BaseService
attributes:
ipv4_family:
type: string
length: 255
description: "Comma separated list of route target strings"
ipv6_family:
type: string
length: 255
description: "Comma separated list of route target strings"
route_distinguishers:
type: string
length: 32
description: "Route distinguisher for this VPN"
VpnBinding:
extends: BaseServiceBinding
api:
name: vpnbinding
plural_name: vpnbindings
attributes:
service_id: # Override from base object for specific Service type
type: VpnService
interface_id: # Override from base object for specific Interface type
type: Interface
ipaddress:
type: string
length: 16
description: "IP Address of port"
format: ipv4
subnet_prefix:
type: integer
description: "Subnet mask"
format: int32
min: 1
max: 31
gateway:
type: string
length: 16
description: "Default gateway"
format: ipv4
VpnAfConfig:
api:
name: vpnafconfig
plural_name: vpnafconfigs
attributes:
tenant_id:
type: uuid
required: true
description: "UUID of Tenant"
vrf_rt_value:
required: true
type: string
length: 32
primary: true
description: "Route target string"
vrf_rt_type:
type: enum
required: true
description: "Route target type"
values:
- export_extcommunity
- import_extcommunity
- both
import_route_policy:
type: string
length: 32
description: "Route target import policy"
export_route_policy:
type: string
length: 32
description: "Route target export policy"
policies:
create:
role: "rule:admin_or_owner"
delete:
role: "rule:admin_or_owner"
get:
role: "rule:admin_or_owner"
list:
role: "rule:admin"
update:
role: "rule:admin_or_owner"
BGPPeering:
api:
name: bgppeering
plural_name: bgppeerings
extends: BaseObject
attributes:
local_ip_address:
required: true
type: string
format: ipv4
length: 16
description: "Local IP of the SDN controller which is supposed to
create a new BGP peering with a remote SDN controller
or data center gateway. This local IP is used as a
unique identifier to allow the SDN controllers / shim
layers to determine if a new peering which has been
pushed to etcd is meant for them."
peer_ip_address:
required: true
type: string
format: ipv4
length: 16
description: "IP of the BGP neighbor to establish a peering with."
as_number:
required: true
type: integer
format: int32
description: "Autonomous system number used by the local BGP stack."
DataplaneTunnel:
api:
name: dataplanetunnel
plural_name: dataplanetunnels
extends: BaseObject
attributes:
local_tunnel_endpoint:
required: true
type: string
format: ipv4
length: 16
description: "Local tunnel endpoint IP. This IP is used as a unique
identifier to allow the SDN controller / shim layer to
determine if this dataplane tunnel is supposed to be
handled by them."
remote_tunnel_endpoint:
required: true
type: string
format: ipv4
length: 16
description: "Remote tunnel endpoint IP of the virtual switch or data
center gateway."
References
.. [6] ./gluon-auth
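Review bot: `as_number` on `BGPPeering` is `format: int32`, which cannot hold 4-byte AS numbers (up to 4294967295); use int64 or state that only 2-byte ASNs are supported. Further points in this spec: the comment on the `port_id` override under `Interface` ("Override from base object for specific Service type") is copied from `service_id` and should say Port type; `subnet_prefix` is described as "Subnet mask" but holds a prefix length, and `max: 31` excludes /32 host routes, so say whether that is intended; `local_ip_address` and `local_tunnel_endpoint` are described as unique identifiers for the shim layer but carry no `primary` marking or uniqueness constraint; and all four BGP/tunnel addresses are `format: ipv4`, which rules out IPv6 peering and tunnel endpoints.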

View File

@ -1,3 +1,24 @@
..
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
Convention for heading levels in Gluon devref:
======= Heading 0 (reserved for the title in a document)
------- Heading 1
~~~~~~~ Heading 2
+++++++ Heading 3
''''''' Heading 4
(Avoid deeper levels because they do not render well.)
=============================
Proton API Version Management
=============================
@ -22,136 +43,177 @@ When the Proton root URI "/proton/" is accessed it will return a list of Proton
$ curl http://192.168.59.103:2705/proton/
{
"protons":
[
{ "status": "CURRENT",
"proton_service": "net-l3vpn",
"links":
[
{"id": "net-l3vpn",
"status": "CURRENT",
"links":
[
{"href": "http://192.168.59.103:2705/proton/net-l3vpn/",
"rel": "self"
}
]
},
{"id": "bgp",
"status": "CURRENT",
"links":
[
{"href": "http://192.168.59.103:2705/proton/bgp/",
"rel": "self"
}
]
}
...
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn",
"rel": "self"
}
]
},
{ "status": "CURRENT",
"proton_service": "test",
"links":
[
{ "href": "http://192.168.59.103:2705/proton/test",
"rel": "self"
}
]
},
{ "status": "CURRENT",
"proton_service": "ietf-sfc",
"links":
[
{ "href": "http://192.168.59.103:2705/proton/ietf-sfc",
"rel": "self"
}
]
}
]
}
Proton Version Management
-------------------------
Proton providers can specify version info in the proton model's YAML file.
**Example**
.. code-block:: bash
file_version: 1.0
imports: base/base.yaml
info:
name: net-l3vpn
version: 1.0
description "L3VPN API Specification"
...
Version information is appended to the root URL of a particular Proton, e.g. L3VPN.
For example, <some URL>/proton/net-l3vpn/v1.
For example, http://192.168.59.103:2705/proton/net-l3vpn/v1.0/.
When accessing the root URL of a particular Proton without version information, all
available versions of this Proton will be returned so that users can choose to use
a particular version of this Proton.
When accessing the root URL of a particular Proton with version information, all
available resources in this version of Proton will be returned.
Proton providers can specify version info in the proton model's yaml file.
.. code-block:: bash
$ curl http://192.168.59.103:2705/proton/net-l3vpn/
{
"default_version":
{"id": "v1",
"status": "CURRENT",
"links":
[
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/",
"rel": "self"
}
]
},
"versions":
[
{"id": "v1",
"status": "CURRENT",
"links":
[
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/",
"rel": "self"
}
]
{ "status": "CURRENT",
"proton_service": "net-l3vpn",
"links":
[
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0",
"rel": "self"
}
],
"name": "net-l3vpn",
"description": "net-l3vpn description..."
],
"version_id": "v1.0"
},
"versions":
[
{ "status": "CURRENT",
"proton_service": "net-l3vpn",
"links":
[
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0",
"rel": "self"
}
],
"version_id": "v1.0"
}
]
}
When accessing the root URL of a particular Proton with version information, all
available resources in this version of Proton will be returned.
.. code-block:: bash
$ curl http://192.168.59.103:2705/proton/net-l3vpn/v1/
$ curl http://192.168.59.103:2705/proton/net-l3vpn/v1.0/
{
"resources":
[
{"id": "interface",
"status": "CURRENT",
"links":
[
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/interface/",
"rel": "self"
}
]
},
{"id": "port",
"status": "CURRENT",
"links":
[
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/port/",
"rel": "self"
}
]
},
{"id": "vpn",
"status": "CURRENT",
"links":
[
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/vpn/",
"rel": "self"
}
]
},
{"id": "vpnafconfig",
"status": "CURRENT",
"links":
[
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/vpnafconfig/",
"rel": "self"
}
]
},
{"id": "vpnbinding",
"status": "CURRENT",
"links":
[
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/binding/",
"rel": "self"
}
]
}
]
[
{ "status": "CURRENT",
"proton_service": "net-l3vpn",
"resource_name": "dataplanetunnels",
"links":
[
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/dataplanetunnels",
"rel": "self"
}
],
"version_id": "v1.0"
},
{ "status": "CURRENT",
"proton_service": "net-l3vpn",
"resource_name": "bgppeerings",
"links":
[
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/bgppeerings",
"rel": "self"
}
],
"version_id": "v1.0"
},
{ "status": "CURRENT",
"proton_service": "net-l3vpn",
"resource_name": "vpnafconfigs",
"links":
[
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/vpnafconfigs",
"rel": "self"
}
],
"version_id": "v1.0"
},
{ "status": "CURRENT",
"proton_service": "net-l3vpn",
"resource_name": "vpns",
"links":
[
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/vpns",
"rel": "self"
}
],
"version_id": "v1.0"
},
{ "status": "CURRENT",
"proton_service": "net-l3vpn",
"resource_name": "interfaces",
"links":
[
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/interfaces",
"rel": "self"
}
],
"version_id": "v1.0"
},
{ "status": "CURRENT",
"proton_service": "net-l3vpn",
"resource_name": "vpnbindings",
"links":
[
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/vpnbindings",
"rel": "self"
}
],
"version_id": "v1.0"
},
{ "status": "CURRENT",
"proton_service": "net-l3vpn",
"resource_name": "ports",
"links":
[
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/ports",
"rel": "self"
}
],
"version_id": "v1.0"
}
]
}
**Example**
::
file_version: 1.0
imports: base/base.yaml
info:
name: net-l3vpn
version: 1.0
description "L3VPN API Specification"
...
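Review bot: the YAML example moved under "Proton Version Management" is tagged `.. code-block:: bash` although it is YAML, and `description "L3VPN API Specification"` is still missing the colon that the corrected spec now has (`description: "L3VPN API Specification"`); use `.. code-block:: yaml` and `description:` so the example matches the file it claims to excerpt. The prose also says "Version information is appended to the root URL" and then shows `/proton/net-l3vpn/v1.0/`; state that the `v` prefix plus `info.version` forms `version_id`, since that is what the JSON (`"version_id": "v1.0"`) returns.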

View File

@ -30,28 +30,32 @@ Current Repository Structure
----------------------------
- **doc**
- samples # Sample policy.json and proton.conf files
- source # All documentation
- devref # Developer Guides
- testcase # Test Case proposals
- doc/samples # Sample policy.json.sample and proton.conf.sample files
- doc/source # All documentation
- doc/source/devref # Developer Guides
- doc/source/installation # Installation Guides
- doc/source/testcase # Test Case proposals
- **etc** # Config options for model handlers and backends
- proton # Config options for Protons
- shim # Config options for Shims
- **etc** # Config options for model handlers and backends
- etc/proton # Config options for Protons
- etc/shim # Config options for Shims
- **gluon** # Gluon code base
- api # Proton API model and control
- backends # Proton backend handlers, including ``net_l3vpn`` model handler
- cmd # CLI API generator and other tools
- common # Common libraries
- db # Database handler
- managers # API manager, including ``net_l3vpn`` API manager
- models # Proton data model, including base model and ``net_l3vpn`` model
- particleGenerator # Particle Generator to generate APIs from YAML
- plugin # Extended ML2 Plugin for Gluon, a.k.a. Gluon Wrapper Plugin
- shim # Shim Layer, including ``net-l3vpn`` model, sample backend and ODL backend
- sync_etcd # Make hosts of ``etcd`` configurable
- tests # Unit tests
- **gluon** # Gluon code base
- gluon/api # Proton API model and control
- gluon/api/hooks # Policy enforcement is included here
- gluon/backends # Proton backend handlers, including ``net_l3vpn`` model handler
- gluon/cmd # CLI API generator and other tools
- gluon/conf # Handling configuration options in /etc/proton/proton.conf
- gluon/common # Common libraries
- gluon/db # Database handler, e.g. managing database /opt/proton/gluon.sqlite
- gluon/managers # API and model manager, including ``net_l3vpn`` API manager
- gluon/models # Proton data model, including base model ``net_l3vpn`` model, and ``ietf-sfc`` model
- gluon/particleGenerator # Particle Generator to generate APIs from YAML
- gluon/plugin # Extended ML2 Plugin for Gluon, a.k.a. Gluon Wrapper Plugin
- gluon/policies # Default rules definition at system level
- gluon/shim # Shim Layer, including ``net-l3vpn`` model, sample backend and ODL backend
- gluon/sync_etcd # Make hosts of ``etcd`` configurable
- gluon/tests # Unit tests
- **releasenotes** # Enable release notes translation. Initiated by cookiecutter when repo was created
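Review bot: the `gluon/models` entry is missing a comma ("including base model ``net_l3vpn`` model, and ``ietf-sfc`` model"). Also, three entries now describe policy sources (`doc/samples` policy.json.sample, `etc/proton`, and `gluon/policies` "Default rules definition at system level") plus `gluon/api/hooks` for enforcement; one sentence on which of these is authoritative at runtime, and which file the installation guide's `cp ~/gluon/etc/proton/policy.json` refers to, would save readers a trip through the code.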

View File

@ -21,6 +21,42 @@
''''''' Heading 4
(Avoid deeper levels because they do not render well.)
=================
Install OpenStack
=================
Before you start installing ``etcd``, please make sure that you have installed
OpenStack Pike Release. For example, to install ``devstack`` Pike release:
.. code-block:: bash
$ git clone https://github.com/openstack-dev/devstack -b stable/pike
# Then generate local.conf in devstack directory, then run
$ ./stack.sh
=======================================
Stop ``etcd3`` in Devstack Pike Release
=======================================
OpenStack Pike Release starts ``etcd3`` by default when user starts stack,
while Gluon is based on ``etcd-v2.3.6``. This will cause issue for Gluon.
Thus you need to stop ``etcd3`` that is started by OpenStack Pike.
For Devstack Pike Release:
.. code-block:: bash
$ sudo systemctl stop devstack@etcd.service
You may double check to make sure there is no etcd3 running:
.. code-block:: bash
$ ps -aef | grep etcd
You should not see any etcd process running.
==========================
Install ``etcd`` for Gluon
==========================
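Review bot: `ps -aef | grep etcd` matches the grep process itself, so the check "You should not see any etcd process running" will always show one line; use `pgrep -a etcd` or `ps -aef | grep [e]tcd`. The section also says Gluon is based on `etcd-v2.3.6` while Pike starts `etcd3` for the stack; since devstack started that service, say whether any other Pike services in the same deployment depend on `devstack@etcd.service` before telling the reader to stop it.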
@ -37,22 +73,23 @@ On Each Node
.. code-block:: bash
curl -L https://github.com/coreos/etcd/releases/download/v2.3.6/etcd-v2.3.6-linux-amd64.tar.gz -o etcd-v2.3.6-linux-amd64.tar.gz
Unzip/Untar the downloaded file
$ curl -L https://github.com/coreos/etcd/releases/download/v2.3.6/etcd-v2.3.6-linux-amd64.tar.gz -o etcd-v2.3.6-linux-amd64.tar.gz
# Then Unzip/Untar the downloaded file
**STEP-2**: Copy executables to ``/usr/local/bin``
.. code-block:: bash
cd etcd-v2.3.6-linux-amd64
sudo cp etcd /usr/local/bin
sudo cp etcdctl /usr/local/bin
$ cd etcd-v2.3.6-linux-amd64
$ sudo cp etcd /usr/local/bin
$ sudo cp etcdctl /usr/local/bin
**STEP-3**: Create a directory for ``etcd`` data
.. code-block:: bash
sudo mkdir /var/etcd
$ sudo mkdir /var/etcd
**STEP-4**: Create upstart ``init`` file:
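Review bot: the release tarball is fetched with `curl -L ... -o` and copied straight into `/usr/local/bin` with no integrity check; add a step that verifies the downloaded archive against the checksum published with the etcd release before STEP-2 copies the binaries. Also `# Then Unzip/Untar the downloaded file` is a comment where the reader expects a command; give `$ tar xzf etcd-v2.3.6-linux-amd64.tar.gz` so STEP-2's `cd etcd-v2.3.6-linux-amd64` has something to enter.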
@ -135,8 +172,12 @@ For instance, the files on the other two nodes would look like:
.. code-block:: bash
sudo iptables -A INPUT -p tcp -m multiport --ports 2380,2379 -m comment --comment "etcd" -j ACCEPT
sudo invoke-rc.d iptables-persistent save
$ sudo iptables -A INPUT -p tcp -m multiport --ports 2380,2379 -m comment --comment "etcd" -j ACCEPT
$ sudo invoke-rc.d iptables-persistent save
# Note: for Ubuntu 16.04, you may have to use netfilter-persistent as follows:
# sudo apt-get install netfilter-persistent
# sudo invoke-rc.d netfilter-persistent save
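Review bot: the iptables rule accepts TCP 2379/2380 from any source; these are the etcd client and peer ports, and nothing in this hunk restricts who may reach them. Since the guide describes a fixed set of cluster nodes ("the files on the other two nodes"), add `-s <peer-ip>` (one rule per member, or a management subnet) so only cluster members and the Proton host can talk to etcd. The netfilter-persistent note for Ubuntu 16.04 is useful; say that it replaces the `iptables-persistent save` line rather than being run in addition to it.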
**STEP-7**: Start the ``etcd`` server:
@ -144,15 +185,15 @@ As root:
.. code-block:: bash
initctl start etcd
$ initctl start etcd
Or on ``ubuntu 14.04``, run:
.. code-block:: bash
sudo start etcd
$ sudo start etcd
**STEP-8**: Verify the cluster is healty:
**STEP-8**: Verify the cluster is healthy:
.. code-block:: bash
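Review bot: `initctl start etcd` and `sudo start etcd` are upstart commands, and STEP-4 creates an upstart `init` file, while STEP-6 in the same guide now carries an Ubuntu 16.04 note; 16.04 boots with systemd, where neither command manages the service. Either add a systemd unit next to the upstart file or state that STEP-4 and STEP-7 apply to 14.04 only.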

View File

@ -33,12 +33,12 @@ On Controller
Assume the user logged in with sudo privileges. On an Ubuntu system:
**STEP-1**: Clone Gluon Repository ``stable/ocata`` branch:
**STEP-1**: Clone Gluon Repository ``stable/pike`` branch:
.. code-block:: bash
$ cd ~
$ git clone https://github.com/openstack/gluon.git -b stable/ocata
$ git clone https://github.com/openstack/gluon.git -b stable/pike
**STEP-2**: Create user and group for gluon and proton users
@ -50,9 +50,9 @@ Assume the user logged in with sudo privileges. On an Ubuntu system:
.. code-block:: bash
$ sudo mkdir /opt/proton
$ sudo mkdir /etc/proton
$ sudo mkdir /var/log/proton
$ sudo mkdir /opt/proton # Proton working directory, for such as gluon.sqlite
$ sudo mkdir /etc/proton # Proton configuration directory, for such as proton.conf
$ sudo mkdir /var/log/proton # Proton logs
**STEP-4**: Setup ``iptables``
@ -69,16 +69,27 @@ Assume the user logged in with sudo privileges. On an Ubuntu system:
.. code-block:: bash
$ sudo cat > /etc/proton/proton.conf <<EOF
[DEFAULT]
state_path = /opt/proton
EOF
#
# Copy ~/gluon/etc/proton/proton.conf to /etc/proton/proton.conf
# Copy ~/gluon/etc/proton/policy.json to /etc/proton/policy.json
#
$ sudo cp ~/gluon/etc/proton/proton.conf /etc/proton/
$ sudo cp ~/gluon/etc/proton/policy.json /etc/proton/
# After copying proton.conf, if you do not plan to use RBAC (Role-based Access Control) in Gluon,
# please modify proton.conf by changing "auth_strategy" to "noauth" in [api] section. i.e:
#
# [api]
# auth_strategy = noauth
#
$ sudo chown -R proton:proton /opt/proton
$ sudo chown -R proton:proton /etc/proton
$ sudo chown -R proton:proton /var/log/proton
$ sudo chmod 750 /etc/proton
$ sudo chmod 644 /etc/proton/proton.conf
$ sudo chmod 644 /etc/proton/policy.json
$ sudo chmod 750 /var/log/proton
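Review bot: `chmod 644 /etc/proton/proton.conf` leaves the file world-readable, but the RBAC section later writes the Keystone service credentials into it (`[keystone_authtoken]` with `password = gluon`); use `640` with the `proton:proton` ownership already set so only the service account can read it. The `auth_strategy = noauth` comment should also say what it does: it disables authentication on the Proton API port entirely, so it belongs to isolated test setups only. Minor: the comment block "Copy ~/gluon/etc/proton/proton.conf to ..." restates the two `cp` lines that follow it.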
**STEP-6**: Install Gluon package
@ -86,7 +97,7 @@ Assume the user logged in with sudo privileges. On an Ubuntu system:
.. code-block:: bash
$ cd ~/gluon
$ pip install -r requirements.txt
$ sudo pip install -r requirements.txt
$ python setup.py build
$ sudo python setup.py develop
$ sudo python setup.py install
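Review bot: `sudo python setup.py develop` followed by `sudo python setup.py install` installs the package twice in two modes (an editable egg-link pointing at `~/gluon` and a copy in site-packages), and which one `import gluon` resolves to then depends on `sys.path` order; keep one of them, `develop` for a source checkout or `install` for a deployment. `sudo pip install -r requirements.txt` also installs into the system interpreter as root; mention a virtualenv as the alternative.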
@ -123,7 +134,7 @@ following command:
"ports": []
}
**STEP-9**: Modify ``neutron.conf`` to point to the ``gluon plugin``
**STEP-9**: Modify ``neutron.conf`` to point ``core_plugin`` to the ``gluon.plugin.core.GluonPlugin``
.. code-block:: bash
@ -140,6 +151,9 @@ Or in a devstack environment, do the following:
.. code-block:: bash
$ service devstack@q-svc restart
# Alternatively, you can do:
# do "screen -x"
# goto the screen for q-svc
# do "Ctrl C" to kill the service
@ -151,10 +165,16 @@ Or in a devstack environment, do the following:
# Source the openrc file for the admin user (depends on your system)
# Create the dummy Gluon Network:
$ neutron net-create --shared --provider:network_type local GluonNetwork
$ openstack network create --share --provider-network-type local GluonNetwork
# Or legacy way:
# neutron net-create --shared --provider:network_type local GluonNetwork
# Create the dummy GluonSubnet:
$ neutron subnet-create --name GluonSubnet --no-gateway --disable-dhcp GluonNetwork 0.0.0.0/1
$ openstack subnet create --network GluonNetwork --no-dhcp --gateway none --subnet-range 0.0.0.0/1 GluonSubnet
# Or legacy way:
# neutron subnet-create --name GluonSubnet --no-gateway --disable-dhcp GluonNetwork 0.0.0.0/1
**STEP-12**: Restart ``neutron-server``
@ -162,6 +182,9 @@ Or in a devstack environment, do the following:
service neutron-server restart
# Or in Devstack:
$ service devstack@q-svc restart
** The controller should be setup now**
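Review bot: `** The controller should be setup now**` will not render as bold in reStructuredText because of the space after the opening `**`; write `**The controller should be set up now**`.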
**STEP-13**: Running the Sample Shim Layer Server
@ -176,7 +199,134 @@ A test shim server is included in the gluon package. You need to:
# Modify host list for shim server
# Create br-gluon bridge
Role-based Access Control of Gluon
----------------------------------
After we complete the basic setups as instructed above,
Advanced users may also want to enable RBAC feature in Gluon.
Please refer to [2]_ for the basic concept, and how to configure
and enable RBAC in Gluon. Here is the summary of steps:
* RBAC-1: Create a new "NFV Networking" **service** named ``gluon``
with service type ``nfvnet``
.. code-block:: bash
$ openstack service create --name gluon --description "NFV Network Service" nfvnet
* RBAC-2: Create a new **endpoint** under the **service** ``gluon``
.. code-block:: bash
# Note: you need to change the IP address 10.0.2.7 to match your environment
$ openstack endpoint create --region RegionOne gluon public http://10.0.2.7:2705/proton/
$ openstack endpoint create --region RegionOne gluon admin http://10.0.2.7:2705/proton/
$ openstack endpoint create --region RegionOne gluon internal http://10.0.2.7:2705/proton/
* RBAC-3: We reuse an existing **project** named ``service``
.. code-block:: bash
#
# If you want to create a new project:
# $ openstack project create --description <description of your new project> <new-project-name> --domain default
#
* RBAC-4: Create a new **user** named ``gluon`` and password ``gluon``
.. code-block:: bash
$ openstack user create --password gluon gluon
* RBAC-5: Assign ``admin`` **role** to { ``service``, ``gluon`` } pair
.. code-block:: bash
$ openstack role add --project service --user gluon admin
* RBAC-6: Set environment variables
.. code-block:: bash
# Modify the ``openrc`` file in Gluon home directory (or in``devstack`` home directory)
# with the appropriate value for you Keystone endpoint, your project name/tenant name,
# your user name and password. Then run the following command to set these variables.
#
# $ source openrc <project_name> <user_name> <user_password>
$ source openrc service gluon gluon
* RBAC-7: Add the following configuration in ``/etc/proton/proton.conf``. Note that the
``project_name``, ``username`` and ``password`` must match what you have created/used
in prior steps.
.. code-block:: ini
[api]
auth_strategy = keystone
[keystone_authtoken]
auth_uri = http://10.0.2.7:5000
project_domain_name = Default
project_name = service
user_domain_name = Default
password = gluon
username = gluon
auth_url = http://10.0.2.7:35357
auth_type = password
* RBAC-8: If policies are defined in YAML, those policies will be applied.
Otherwise, default policies defined in ``gluon/models/base/base.yaml`` will be used.
* RBAC-9: Restart ``proton-server``
.. code-block:: bash
$ sudo /usr/local/bin/proton-server --config-file /etc/proton/proton.conf --logfile /var/log/proton/api.log
* RBAC-10: Get token using curl or OpenStack CLI:
.. code-block:: bash
#
# Use curl
#
$ curl -s -X POST http://192.0.2.4:5000/v2.0/tokens \
-H "Content-Type: application/json" \
-d '{"auth": {"tenantName": "'"$OS_TENANT_NAME"'", \
"passwordCredentials": {"username": "'"$OS_USERNAME"'", \
"password": "'"$OS_PASSWORD"'"}}}' \
| python -m json.tool
#
# Or use OpenStack CLI
#
$ openstack token issue
* RBAC-10: Now you can access Proton server with token
.. code-block:: bash
#
# Note: you need to replace the exemplary token value with your own token value
# and replace the Proton server URL with your own URL
#
$ curl -s -H "X-Auth-Token: 1678f8ef3a97497b842f0f7088b0b090" http://192.0.2.4:2705 | python -m json.tool
#
# Get a specific port information
# Note you also need to replace the exemplary port-id with your own port-id
#
$ curl -s -H "X-Auth-Token: 1678f8ef3a97497b842f0f7088b0b090" http://192.0.2.4:2705/proton/net-l3vpn/v1.0/ports/30f12741-ffe8-4c85-819b-04a496251f00
* RBAC-11: At this moment, RBAC should work fine now. You need to make sure that
"X-Auth-Token: <auth-token>" header is always added in your RESTful http request.
References
.. [1] install_etcd
.. [2] ../devref/gluon-auth.inc
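Review bot: the step numbering repeats RBAC-10 (token issue, then the curl with `X-Auth-Token`), so the last step should be RBAC-12, and the addresses are inconsistent: RBAC-2 and RBAC-7 use 10.0.2.7 for Keystone and Proton while RBAC-10 uses 192.0.2.4 for both. On the credentials: RBAC-4 creates user `gluon` with password `gluon`, which RBAC-7 then stores in plaintext in `proton.conf`; say explicitly that this is a placeholder to replace, and since RBAC-5 grants `admin` to that service user, state why admin is needed (token validation) or name a less privileged role if one suffices. The curl example posts to the Keystone v2.0 `/tokens` API, which is deprecated in Pike; make `openstack token issue` (already shown) the primary path. Typos in the RBAC-6 comments: "in``devstack``" is missing a space and "for you Keystone endpoint" should read "your".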

View File

@ -30,6 +30,16 @@ and then use ``nova boot`` to bind the port to a VM. It is assumed that you
have already installed ``etcd`` and **Gluon Plugin**, and started
**Proton Server**. If not, please refer to [1]_.
Advanced users may also want to enable RBAC feature in Gluon. Please refer to
"Gluon Authentication and Authorization" [2]_ for the basic concept,
and how to configure and enable RBAC in Gluon. The setup steps are also described
in [1]_.
This User Guide provides CLI examples. The RESTful API is specified in
"Gluon API Specification" [3]_. If RBAC is enabled, you need to make sure
that "X-Auth-Token: <auth-token>" header is always added in your
RESTful HTTP request.
Getting Help
------------
@ -38,12 +48,16 @@ information:
.. code-block:: bash
# The equivalent RESTful API is
# GET /proton HTTP/1.1
$ protonclient --help
--api is not specified!
Usage: protonclient --api <api_name> [OPTIONS] COMMAND[ARGS]...
Options:
--api TEXT Name of API, one of ['net-l3vpn', 'test']
--api TEXT Name of API, one of ['ietf-sfc', 'net-l3vpn', 'test']
--port INTEGER Port of endpoint (OS_PROTON_PORT)
--host TEXT Host of endpoint (OS_PROTON_HOST)
--help Show this message and exit.
@ -58,13 +72,16 @@ parameters are required, and gives you general help information too:
.. code-block:: bash
# The equivalent RESTful API is
# GET /proton HTTP/1.1
$ protonclient
--api is not specified!
Usage: protonclient --api <api_name> [OPTIONS] COMMAND[ARGS]...
Options:
--api TEXT Name of API, one of ['net-l3vpn', 'test']
--api TEXT Name of API, one of ['ietf-sfc', 'net-l3vpn', 'test']
--port INTEGER Port of endpoint (OS_PROTON_PORT)
--host TEXT Host of endpoint (OS_PROTON_HOST)
--help Show this message and exit.
@ -78,6 +95,9 @@ correct command line usage.
.. code-block:: bash
# The equivalent RESTful API is
# GET /proton/net-l3vpn/v1.0 HTTP/1.1
$ protonclient --api net-l3vpn
Usage: protonclient [OPTIONS] COMMAND [ARGS]...
@ -85,6 +105,16 @@ correct command line usage.
--help Show this message and exit.
Commands:
bgppeering-create
bgppeering-delete
bgppeering-list
bgppeering-show
bgppeering-update
dataplanetunnel-create
dataplanetunnel-delete
dataplanetunnel-list
dataplanetunnel-show
dataplanetunnel-update
interface-create
interface-delete
interface-list
@ -116,6 +146,9 @@ Create ``Interface`` Object
.. code-block:: bash
# The equivalent RESTful API is
# POST /proton/net-l3vpn/v1.0/interfaces HTTP/1.1
$ protonclient --api net-l3vpn interface-create --help
Usage: protonclient interface-create [OPTIONS]
@ -126,6 +159,7 @@ Create ``Interface`` Object
--segmentation_type [none|vlan|tunnel_vxlan|tunnel_gre|mpls]
Type of segmentation for this interface
[required]
--tenant_id TEXT UUID of Tenant [required]
--port_id TEXT Pointer to Port instance [required]
--port INTEGER Port of endpoint (OS_PROTON_PORT)
--host TEXT Host of endpoint (OS_PROTON_HOST)
@ -139,6 +173,9 @@ UUID of the parent ``Port``.
.. code-block:: bash
# The equivalent RESTful API is
# GET /proton/net-l3vpn/v1.0/interfaces HTTP/1.1
$ protonclient --api net-l3vpn interface-list
{
"interfaces": [
@ -147,6 +184,7 @@ UUID of the parent ``Port``.
"segmentation_id": 0,
"created_at": "2017-02-14T20:35:47.760126",
"updated_at": "2017-02-14T20:35:47.760126",
"tenant_id": "a868a466bca84df18404a77db0ecac72",
"port_id": "fe338d4c-2aef-4487-aa25-cb753bf02518",
"segmentation_type": "none",
"id": "fe338d4c-2aef-4487-aa25-cb753bf02518"
@ -159,6 +197,9 @@ Create ``VPNAFConfig`` Object
.. code-block:: bash
# The equivalent RESTful API is
# POST /proton/net-l3vpn/v1.0/vpnafconfigs HTTP/1.1
$ protonclient --api net-l3vpn vpnafconfig-create --help
Usage: protonclient vpnafconfig-create [OPTIONS]
@ -168,6 +209,7 @@ Create ``VPNAFConfig`` Object
--import_route_policy TEXT Route target import policy
--vrf_rt_type [export_extcommunity|import_extcommunity|both]
Route target type [required]
--tenant_id TEXT UUID of Tenant [required]
--port INTEGER Port of endpoint (OS_PROTON_PORT)
--host TEXT Host of endpoint (OS_PROTON_HOST)
--help Show this message and exit.
@ -176,7 +218,10 @@ Create ``VPNAFConfig`` Object
.. code-block:: bash
$ protonclient --api net-l3vpn vpnafconfig-create --vrf_rt_type both --vrf_rt_value 1000:1000
# The equivalent RESTful API is
# POST /proton/net-l3vpn/v1.0/vpnafconfigs HTTP/1.1
$ protonclient --api net-l3vpn vpnafconfig-create --vrf_rt_type both --vrf_rt_value 1000:1000 --tenant_id a868a466bca84df18404a77db0ecac72
{
"vrf_rt_type": "both",
"vrf_rt_value": "1000:1000"
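Review bot: the `vpnafconfig-create` command line now passes `--tenant_id a868a466bca84df18404a77db0ecac72`, but the captured output that follows (`"vrf_rt_type": "both"`, `"vrf_rt_value": "1000:1000"`) is unchanged and shows no `tenant_id`, unlike the `vpn-create`, `port-create` and `vpnbinding-create` outputs updated elsewhere in this patch; re-capture the response so the example's input and output agree.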
@ -187,18 +232,22 @@ Create ``VPN`` Object
.. code-block:: bash
# The equivalent RESTful API is
# POST /proton/net-l3vpn/v1.0/vpns HTTP/1.1
$ protonclient --api net-l3vpn vpn-create --help
Usage: protonclient vpn-create [OPTIONS]
Options:
--id TEXT UUID of VPN instance
--name TEXT Name of VPN [required]
--id TEXT UUID of Object
--name TEXT Descriptive name of Object
--tenant_id TEXT UUID of Tenant [required]
--ipv4_family TEXT Comma separated list of route target strings
(VpnAfConfig)
--ipv6_family TEXT Comma separated list of route target strings
(VpnAfConfig)
--route_distinguishers TEXT Route distinguisher for this VPN
--description TEXT About the VPN
--description TEXT Description of Service
--port INTEGER Port of endpoint (OS_PROTON_PORT)
--host TEXT Host of endpoint (OS_PROTON_HOST)
--help Show this message and exit.
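Review bot: `--name` changes from `Name of VPN [required]` to `Descriptive name of Object` with the `[required]` marker dropped, while `--tenant_id` becomes required; if the name is now genuinely optional, say so in the surrounding prose, otherwise the marker should stay. In the same hunk `--id TEXT UUID of Object` advertises a caller-supplied id, yet the hunk header below states "The UUID of VPN instance ``id`` is generated by Proton and returned"; clarify whether a client-chosen id is accepted and what happens on a collision, or document `--id` as not normally used.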
@ -209,10 +258,14 @@ The UUID of VPN instance ``id`` is generated by Proton and returned.
.. code-block:: bash
$ protonclient --api net-l3vpn vpn-create --name "TestVPN" --ipv4_family 1000:1000 --ipv6_family 1000:1000 --route_distinguishers 1000:1000 --description "My Test VPN"
# The equivalent RESTful API is
# POST /proton/net-l3vpn/v1.0/vpns HTTP/1.1
$ protonclient --api net-l3vpn vpn-create --name "TestVPN" --ipv4_family 1000:1000 --ipv6_family 1000:1000 --route_distinguishers 1000:1000 --tenant_id a868a466bca84df18404a77db0ecac72 --description "My Test VPN"
{
"description": "My Test VPN",
"route_distinguishers": "1000:1000",
"tenant_id": "a868a466bca84df18404a77db0ecac72",
"created_at": "2017-02-14T20:37:58.592999",
"updated_at": "2017-02-14T20:37:58.592999",
"ipv6_family": "1000:1000",
@ -226,6 +279,9 @@ Create ``Port`` Object
.. code-block:: bash
# The equivalent RESTful API is
# POST /proton/net-l3vpn/v1.0/ports HTTP/1.1
$ protonclient --api net-l3vpn port-create --help
Usage: protonclient port-create [OPTIONS]
@ -244,7 +300,7 @@ Create ``Port`` Object
[required]
--vif_details TEXT binding:vif_details: JSON string for VIF
details
--tenant_id TEXT UUID of Tenant owning this Port [required]
--tenant_id TEXT UUID of Tenant [required]
--admin_state_up BOOLEAN Admin state of Port [required]
--name TEXT Descriptive name of Object
--vif_type TEXT binding:vif_type: binding type for VIF
@ -256,7 +312,7 @@ Create ``Port`` Object
These values should be specified.
The ``tenant_id`` should be obtained from OpenStack.
The ``tenant_id`` should be a ``project-id`` obtained from OpenStack.
The UUID of the object ``id`` is generated by the Proton and returned.
@ -264,6 +320,9 @@ The UUID of the object ``id`` is generated by the Proton and returned.
.. code-block:: bash
# The equivalent RESTful API is
# POST /proton/net-l3vpn/v1.0/ports HTTP/1.1
$ protonclient --api net-l3vpn port-create --mac_address c8:2a:14:04:43:80 --mtu 1500 --admin_state_up True --name "TestVPNPort" --vlan_transparency True --vnic_type normal --vif_type ovs --status ACTIVE --tenant_id 5205b400fa6c4a888a0b229200562229
{
"profile": null,
@ -272,7 +331,7 @@ The UUID of the object ``id`` is generated by the Proton and returned.
"name": "TestVPNPort",
"device_owner": null,
"admin_state_up": true,
"tenant_id": "5205b400fa6c4a888a0b229200562229",
"tenant_id": "a868a466bca84df18404a77db0ecac72",
"created_at": "2017-02-14T20:35:47.749427",
"vif_details": null,
"updated_at": "2017-02-14T20:35:47.749427",
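Review bot: the `port-create` output's `tenant_id` is changed to `a868a466bca84df18404a77db0ecac72`, but the command line in the previous hunk (unchanged context line `$ protonclient --api net-l3vpn port-create ... --tenant_id 5205b400fa6c4a888a0b229200562229`) still passes the old tenant, so the documented input and output no longer match. Either update the command to `--tenant_id a868a466bca84df18404a77db0ecac72` or keep the output as actually captured; the `port-list` output further down has the same mismatch and should be fixed the same way.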
@ -298,12 +357,16 @@ You can view the values with the following commands:
.. code-block:: bash
# The equivalent RESTful API is
# GET /proton/net-l3vpn/v1.0/vpns HTTP/1.1
$ protonclient --api net-l3vpn vpn-list
{
"vpns": [
{
"description": "My Test VPN",
"route_distinguishers": "1000:1000",
"tenant_id": "a868a466bca84df18404a77db0ecac72",
"created_at": "2017-02-14T20:37:58.592999",
"updated_at": "2017-02-14T20:37:58.592999",
"ipv6_family": "1000:1000",
@ -313,7 +376,11 @@ You can view the values with the following commands:
}
]
}
$
$
# The equivalent RESTful API is
# GET /proton/net-l3vpn/v1.0/ports HTTP/1.1
$ protonclient --api net-l3vpn port-list
{
"ports": [
@ -324,7 +391,7 @@ You can view the values with the following commands:
"name": "TestVPNPort",
"device_owner": null,
"admin_state_up": true,
"tenant_id": "5205b400fa6c4a888a0b229200562229",
"tenant_id": "a868a466bca84df18404a77db0ecac72",
"created_at": "2017-02-14T20:35:47.749427",
"vif_details": null,
"updated_at": "2017-02-14T20:35:47.749427",
@ -347,6 +414,9 @@ You need to create a ``vpnbinding`` object to tie the ``Interface`` and the
.. code-block:: bash
# The equivalent RESTful API is
# POST /proton/net-l3vpn/v1.0/vpnbindings HTTP/1.1
$ protonclient --api net-l3vpn vpnbinding-create --help
Usage: protonclient vpnbinding-create [OPTIONS]
@ -356,6 +426,7 @@ You need to create a ``vpnbinding`` object to tie the ``Interface`` and the
--ipaddress TEXT IP Address of port
--subnet_prefix INTEGER Subnet mask
--service_id TEXT Pointer to Service instance [required]
--tenant_id TEXT UUID of Tenant [required]
--port INTEGER Port of endpoint (OS_PROTON_PORT)
--host TEXT Host of endpoint (OS_PROTON_HOST)
--help Show this message and exit.
@ -370,8 +441,12 @@ default ``interface`` object, and the ``id`` of the ``vpn`` object.
.. code-block:: bash
$ protonclient --api net-l3vpn vpnbinding-create --interface_id fe338d4c-2aef-4487-aa25-cb753bf02518 --service_id b70b4bbd-aa40-48d7-aa4b-57cc2fd34010 --ipaddress 10.10.0.2 --subnet_prefix 24 --gateway 10.10.0.1
# The equivalent RESTful API is
# POST /proton/net-l3vpn/v1.0/vpnbindings HTTP/1.1
$ protonclient --api net-l3vpn vpnbinding-create --interface_id fe338d4c-2aef-4487-aa25-cb753bf02518 --service_id b70b4bbd-aa40-48d7-aa4b-57cc2fd34010 --ipaddress 10.10.0.2 --subnet_prefix 24 --gateway 10.10.0.1 --tenant_id a868a466bca84df18404a77db0ecac72
{
"tenant_id": "a868a466bca84df18404a77db0ecac72",
"created_at": "2017-02-14T20:39:52.382433",
"subnet_prefix": 24,
"updated_at": "2017-02-14T20:39:52.382433",
@ -386,10 +461,14 @@ View ``VPNBinding`` Objects
.. code-block:: bash
# The equivalent RESTful API is
# GET /proton/net-l3vpn/v1.0/vpnbindings HTTP/1.1
$ protonclient --api net-l3vpn vpnbinding-list
{
"vpnbindings": [
{
"tenant_id": "a868a466bca84df18404a77db0ecac72",
"created_at": "2017-02-14T20:39:52.382433",
"subnet_prefix": 24,
"updated_at": "2017-02-14T20:39:52.382433",
@ -409,7 +488,9 @@ Create VM and Bind our L3VPN Port
.. code-block:: bash
$ nova --debug boot --flavor 1 --image cirros --nic port-id=fe338d4c-2aef-4487-aa25-cb753bf02518 TestGluon
# Refer to Nova documentation for RESTful APIs
$ nova --debug boot --flavor m1.tiny --image cirros --nic port-id=fe338d4c-2aef-4487-aa25-cb753bf02518 TestGluon
When bound, the ``etcd`` data will look like:
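Review bot: `--debug` is kept on the documented `nova boot` command although the guide only needs the boot to succeed so that the `etcd` data shown next can be inspected; debug mode prints the full request and response exchange with the Nova API, which is noise in a copy-paste example. Drop the flag, or state explicitly that the debug output is intended to be read.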
@ -446,5 +527,6 @@ To Use Gluon in a Project
References
.. [1] installation
.. [1] installation.rst
.. [2] devref/gluon-auth.inc
.. [3] devref/gluon_api_spec.inc
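Review bot: `.. [1] installation.rst`, `.. [2] devref/gluon-auth.inc` and `.. [3] devref/gluon_api_spec.inc` are plain-text citation footnotes, so Sphinx renders them as literal file names rather than links; if they are meant to be navigable, use `:doc:` references without the `.rst` extension, and note that `.inc` files are normally pulled in with `.. include::` rather than built as pages, so the link should target the document that includes them.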


@ -1,42 +1,2 @@
{
"COMMENT": "This file is no longer needed, but for historical record !!!",
"COMMENT": "The policy.json file in /etc/proton directory should contain",
"COMMENT": "empty json object: {}",
"COMMENT": "This first part is moved to code in policies/base.py",
"context_is_admin": "role:admin",
"owner": "tenant_id:%(tenant_id)s",
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"default": "rule:admin_or_owner",
"COMMENT": "The rest of policies are defined in YAML",
"create_ports": "rule:admin_or_network_owner",
"get_ports": "rule:admin_or_owner",
"update_ports": "rule:admin_or_network_owner",
"delete_ports": "rule:admin_or_network_owner",
"create_interfaces": "rule:admin_or_network_owner",
"get_interfaces": "rule:admin_or_owner",
"update_interfaces": "rule:admin_or_network_owner",
"delete_interfaces": "rule:admin_or_network_owner",
"create_vpns": "rule:admin_or_network_owner",
"get_vpns": "rule:admin_or_owner",
"update_vpns": "rule:admin_or_network_owner",
"delete_vpns": "rule:admin_or_network_owner",
"create_vpnbindings": "rule:admin_or_network_owner",
"get_vpnbindings": "rule:admin_or_owner",
"update_vpnbindings": "rule:admin_or_network_owner",
"delete_vpnbindings": "rule:admin_or_network_owner",
"create_vpnafconfigs": "rule:admin_or_network_owner",
"get_vpnafconfigs": "rule:admin_or_owner",
"update_vpnafconfigs": "rule:admin_or_network_owner",
"delete_vpnafconfigs": "rule:admin_or_network_owner",
}
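Review bot: this hunk strips every rule from `policy.json`, including `"default": "rule:admin_or_owner"`, so authorization now rests entirely on the in-code defaults the removed comment points at (`policies/base.py`) and on the rules defined in YAML. Please confirm in the change description, or better with a test, that an empty policy file produces the same decisions as the removed rules, in particular that the code-registered `default` rule is still `admin_or_owner` and not permissive, since any action not matched elsewhere will now fall through to whatever the code registers as its default.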


@ -14,15 +14,24 @@ auth_strategy = keystone
auth_uri = http://127.0.0.1/5000
project_domain_name = Default
# OpenStack project name. Please make sure that the *project_name* used here
# is consistent with the *project* name used/created at step RBAC-3 in
# "Install Gluon Plugin and Proton Server" (doc/source/installation/install_gluon.rst)
project_name = service
user_domain_name = Default
password = welcome
# keystone login username and password.
# Please make sure that the *username* and *password* used here are consistent with
# the *user* name and *password* created/used at step RBAC-4 in
# "Install Gluon Plugin and Proton Server" (doc/source/installation/install_gluon.rst)
password = gluon
username = gluon
# keystone identity_admin, change 127.0.0.1 to keystone endpoint
auth_url = http://127.0.0.1/35357
auth_type = password
[oslo_policy]
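Review bot: both Keystone endpoint URLs in this block put the port after a slash (`auth_uri = http://127.0.0.1/5000`, `auth_url = http://127.0.0.1/35357`), which makes `/5000` a path on port 80 rather than the identity service's port; the port belongs after a colon (`http://127.0.0.1:5000`). These are unchanged context lines, but the hunk edits the same block and is the place to correct them. Separately, `password = gluon` ships a concrete default credential in a sample config; a placeholder such as `<GLUON_SERVICE_PASSWORD>`, together with the existing comment pointing at step RBAC-4, avoids deployments keeping a password that is printed in the documentation.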


@ -1,9 +1,10 @@
============================================
gluon Release Notes
============================================
===================
Gluon Release Notes
===================
.. toctree::
:maxdepth: 1
unreleased
ocata
pike


@ -0,0 +1,6 @@
=========================
Pike Series Release Notes
=========================
.. release-notes::
:branch: origin/stable/pike