diff --git a/specs/juno/introduce-shared-attribute.rst b/specs/juno/introduce-shared-attribute.rst
index d0f337d..6467d49 100644
--- a/specs/juno/introduce-shared-attribute.rst
+++ b/specs/juno/introduce-shared-attribute.rst
@@ -8,9 +8,10 @@
 Introduce globally shared resources
 ===================================
-Launchpad blueprint:
+Launchpad blueprints:
 https://blueprints.launchpad.net/group-based-policy/+spec/introduce-shared-attribute
+https://blueprints.launchpad.net/group-based-policy/+spec/share-servicechain-objects
 Today, it's not possible to create shared GBP resources. This is especially useful in order to avoid duplication of policies
@@ -41,8 +42,10 @@ following GBP resources:
 - L3 Policies;
 - Network Service policies;
 - Policy Rules;
-- Policy Classifiers.
-- Policy Actions.
+- Policy Classifiers;
+- Policy Actions;
+- Service Chain Nodes;
+- Service Chain Specs.
 The behavior will be consistent with Neutron's already existing sharing policy. Which means that a given resource can be either
@@ -74,47 +77,89 @@ The proposed default policy.json follows::
 "admin_only": "rule:context_is_admin",
 "regular_user": "",
 "default": "rule:admin_or_owner",
- "gbp_shared": "field:policy_target_groups:shared=True",
+ "shared_ptg": "field:policy_target_groups:shared=True",
+ "shared_pt": "field:policy_targets:shared=True",
+ "shared_prs": "field:policy_rule_sets:shared=True",
+ "shared_l3p": "field:l3_policies:shared=True",
+ "shared_l2p": "field:l2_policies:shared=True",
+ "shared_es": "field:external_segments:shared=True",
+ "shared_ep": "field:external_policies:shared=True",
+ "shared_pc": "field:policy_classifiers:shared=True",
+ "shared_pa": "field:policy_actions:shared=True",
+ "shared_pr": "field:policy_rules:shared=True",
+ "shared_np": "field:nat_pools:shared=True",
+ "shared_nsp": "field:network_service_policies:shared=True",
+ "shared_scn": "field:servicechain_nodes:shared=True",
+ "shared_scs": "field:servicechain_specs:shared=True",
 "create_policy_target_group": "",
 "create_policy_target_group:shared": "rule:admin_only",
- "get_policy_target_group": "rule:admin_or_owner or rule:gbp_shared",
+ "get_policy_target_group": "rule:admin_or_owner or rule:shared_ptg",
 "update_policy_target_group:shared": "rule:admin_only",
 "create_l2_policy": "",
 "create_l2_policy:shared": "rule:admin_only",
- "get_l2_policy": "rule:admin_or_owner or rule:gbp_shared",
+ "get_l2_policy": "rule:admin_or_owner or rule:shared_l2p",
 "update_l2_policy:shared": "rule:admin_only",
 "create_l3_policy": "",
 "create_l3_policy:shared": "rule:admin_only",
- "get_l3_policy": "rule:admin_or_owner or rule:gbp_shared",
+ "get_l3_policy": "rule:admin_or_owner or rule:shared_l3p",
 "update_l3_policy:shared": "rule:admin_only",
 "create_policy_classifier": "",
 "create_policy_classifier:shared": "rule:admin_only",
- "get_policy_classifier": "rule:admin_or_owner or rule:gbp_shared",
+ "get_policy_classifier": "rule:admin_or_owner or rule:shared_pc",
 "update_policy_classifier:shared": "rule:admin_only",
 "create_policy_action": "",
 "create_policy_action:shared": "rule:admin_only",
- "get_policy_action": "rule:admin_or_owner or rule:gbp_shared",
+ "get_policy_action": "rule:admin_or_owner or rule:shared_pa",
 "update_policy_action:shared": "rule:admin_only",
 "create_policy_rule": "",
 "create_policy_rule:shared": "rule:admin_only",
- "get_policy_rule": "rule:admin_or_owner or rule:gbp_shared",
+ "get_policy_rule": "rule:admin_or_owner or rule:shared_pr",
 "update_policy_rule:shared": "rule:admin_only",
 "create_policy_rule_set": "",
 "create_policy_rule_set:shared": "rule:admin_only",
- "get_policy_rule_set": "rule:admin_or_owner or rule:gbp_shared",
+ "get_policy_rule_set": "rule:admin_or_owner or rule:shared_prs",
 "update_policy_rule_set:shared": "rule:admin_only",
 "create_network_service_policy": "",
 "create_network_service_policy:shared": "rule:admin_only",
- "get_network_service_policy": "rule:admin_or_owner or rule:gbp_shared",
- "update_network_service_policy:shared": "rule:admin_only"
+ "get_network_service_policy": "rule:admin_or_owner or rule:shared_nsp",
+ "update_network_service_policy:shared": "rule:admin_only",
+
+ "create_external_segment": "",
+ "create_external_segment:shared": "rule:admin_only",
+ "get_external_segment": "rule:admin_or_owner or rule:shared_es",
+ "update_external_segment:shared": "rule:admin_only",
+
+ "create_external_policy": "",
+ "create_external_policy:shared": "rule:admin_only",
+ "get_external_policy": "rule:admin_or_owner or rule:shared_ep",
+ "update_external_policy:shared": "rule:admin_only",
+
+ "create_nat_pool": "",
+ "create_nat_pool:shared": "rule:admin_only",
+ "get_nat_pool": "rule:admin_or_owner or rule:shared_np",
+ "update_nat_pool:shared": "rule:admin_only",
+
+ "create_servicechain_node": "",
+ "create_servicechain_node:shared": "rule:admin_only",
+ "get_servicechain_node": "rule:admin_or_owner or rule:shared_scn",
+ "update_servicechain_node:shared": "rule:admin_only",
+
+ "create_servicechain_spec": "",
+ "create_servicechain_spec:shared": "rule:admin_only",
+ "get_servicechain_spec": "rule:admin_or_owner or rule:shared_scs",
+ "update_servicechain_spec:shared": "rule:admin_only",
+
+ "create_servicechain_instance": "",
+ "get_servicechain_instance": "rule:admin_or_owner",
+ "update_servicechain_instance:shared": "rule:admin_only"
 }
 Any datapath impact caused by a shared resource has to be
@@ -128,7 +173,9 @@ following resources:
 - PTG: usable by any tenant when shared for PT placement;
 - Policy Classifiers: usable by any tenant when shared;
 - Policy Actions: usable by any tenant when shared;
-- Policy Rules: usable by any tenant when shared.
+- Policy Rules: usable by any tenant when shared;
+- Service Chain Specs: usable by any tenant when shared;
+- Service Chain Nodes: usable by any tenant when shared.
 L3 and L2 policies need to be sharable to allow PTG sharing. However, no external tenant could use them because there's no
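Review bot: In the proposed policy.json, the service chain instance entries are inconsistent: `update_servicechain_instance:shared` is restricted to admins, but there is no `create_servicechain_instance:shared` rule and no `shared_*` field rule for instances, and `get_servicechain_instance` stays `rule:admin_or_owner`. If instances are not meant to be sharable, drop the `update_servicechain_instance:shared` line; if they are, add `"create_servicechain_instance:shared": "rule:admin_only",` so that setting the flag at creation time is restricted the same way as for the other resources. Separately, `shared_pt` is defined but no rule in this hunk references it. The JSON object opens before the hunk, so rules outside the visible lines are not covered by this note.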