share servicechain objects

implements blueprint share-servicechain-objects

Change-Id: Ie63dd4813a9c1bec857b5c5ba363c5c0abad94b7
Ivar Lazzaro 2015-04-06 22:08:18 +02:00
parent de694f7164
commit e24fb015a6
1 changed files with 61 additions and 14 deletions


@ -8,9 +8,10 @@
Introduce globally shared resources Introduce globally shared resources
=================================== ===================================
Launchpad blueprint: Launchpad blueprints:
https://blueprints.launchpad.net/group-based-policy/+spec/introduce-shared-attribute https://blueprints.launchpad.net/group-based-policy/+spec/introduce-shared-attribute
https://blueprints.launchpad.net/group-based-policy/+spec/share-servicechain-objects
Today, it's not possible to create shared GBP resources. Today, it's not possible to create shared GBP resources.
This is especially useful in order to avoid duplication of policies This is especially useful in order to avoid duplication of policies
@ -41,8 +42,10 @@ following GBP resources:
- L3 Policies; - L3 Policies;
- Network Service policies; - Network Service policies;
- Policy Rules; - Policy Rules;
- Policy Classifiers. - Policy Classifiers;
- Policy Actions. - Policy Actions;
- Service Chain Nodes;
- Service Chain Specs.
The behavior will be consistent with Neutron's already existing The behavior will be consistent with Neutron's already existing
sharing policy. Which means that a given resource can be either sharing policy. Which means that a given resource can be either
@ -74,47 +77,89 @@ The proposed default policy.json follows::
"admin_only": "rule:context_is_admin", "admin_only": "rule:context_is_admin",
"regular_user": "", "regular_user": "",
"default": "rule:admin_or_owner", "default": "rule:admin_or_owner",
"gbp_shared": "field:policy_target_groups:shared=True", "shared_ptg": "field:policy_target_groups:shared=True",
"shared_pt": "field:policy_targets:shared=True",
"shared_prs": "field:policy_rule_sets:shared=True",
"shared_l3p": "field:l3_policies:shared=True",
"shared_l2p": "field:l2_policies:shared=True",
"shared_es": "field:external_segments:shared=True",
"shared_ep": "field:external_policies:shared=True",
"shared_pc": "field:policy_classifiers:shared=True",
"shared_pa": "field:policy_actions:shared=True",
"shared_pr": "field:policy_rules:shared=True",
"shared_np": "field:nat_pools:shared=True",
"shared_nsp": "field:network_service_policies:shared=True",
"shared_scn": "field:servicechain_nodes:shared=True",
"shared_scs": "field:servicechain_specs:shared=True",
"create_policy_target_group": "", "create_policy_target_group": "",
"create_policy_target_group:shared": "rule:admin_only", "create_policy_target_group:shared": "rule:admin_only",
"get_policy_target_group": "rule:admin_or_owner or rule:gbp_shared", "get_policy_target_group": "rule:admin_or_owner or rule:shared_ptg",
"update_policy_target_group:shared": "rule:admin_only", "update_policy_target_group:shared": "rule:admin_only",
"create_l2_policy": "", "create_l2_policy": "",
"create_l2_policy:shared": "rule:admin_only", "create_l2_policy:shared": "rule:admin_only",
"get_l2_policy": "rule:admin_or_owner or rule:gbp_shared", "get_l2_policy": "rule:admin_or_owner or rule:shared_l2p",
"update_l2_policy:shared": "rule:admin_only", "update_l2_policy:shared": "rule:admin_only",
"create_l3_policy": "", "create_l3_policy": "",
"create_l3_policy:shared": "rule:admin_only", "create_l3_policy:shared": "rule:admin_only",
"get_l3_policy": "rule:admin_or_owner or rule:gbp_shared", "get_l3_policy": "rule:admin_or_owner or rule:shared_l3p",
"update_l3_policy:shared": "rule:admin_only", "update_l3_policy:shared": "rule:admin_only",
"create_policy_classifier": "", "create_policy_classifier": "",
"create_policy_classifier:shared": "rule:admin_only", "create_policy_classifier:shared": "rule:admin_only",
"get_policy_classifier": "rule:admin_or_owner or rule:gbp_shared", "get_policy_classifier": "rule:admin_or_owner or rule:shared_pc",
"update_policy_classifier:shared": "rule:admin_only", "update_policy_classifier:shared": "rule:admin_only",
"create_policy_action": "", "create_policy_action": "",
"create_policy_action:shared": "rule:admin_only", "create_policy_action:shared": "rule:admin_only",
"get_policy_action": "rule:admin_or_owner or rule:gbp_shared", "get_policy_action": "rule:admin_or_owner or rule:shared_pa",
"update_policy_action:shared": "rule:admin_only", "update_policy_action:shared": "rule:admin_only",
"create_policy_rule": "", "create_policy_rule": "",
"create_policy_rule:shared": "rule:admin_only", "create_policy_rule:shared": "rule:admin_only",
"get_policy_rule": "rule:admin_or_owner or rule:gbp_shared", "get_policy_rule": "rule:admin_or_owner or rule:shared_pr",
"update_policy_rule:shared": "rule:admin_only", "update_policy_rule:shared": "rule:admin_only",
"create_policy_rule_set": "", "create_policy_rule_set": "",
"create_policy_rule_set:shared": "rule:admin_only", "create_policy_rule_set:shared": "rule:admin_only",
"get_policy_rule_set": "rule:admin_or_owner or rule:gbp_shared", "get_policy_rule_set": "rule:admin_or_owner or rule:shared_prs",
"update_policy_rule_set:shared": "rule:admin_only", "update_policy_rule_set:shared": "rule:admin_only",
"create_network_service_policy": "", "create_network_service_policy": "",
"create_network_service_policy:shared": "rule:admin_only", "create_network_service_policy:shared": "rule:admin_only",
"get_network_service_policy": "rule:admin_or_owner or rule:gbp_shared", "get_network_service_policy": "rule:admin_or_owner or rule:shared_nsp",
"update_network_service_policy:shared": "rule:admin_only" "update_network_service_policy:shared": "rule:admin_only",
"create_external_segment": "",
"create_external_segment:shared": "rule:admin_only",
"get_external_segment": "rule:admin_or_owner or rule:shared_es",
"update_external_segment:shared": "rule:admin_only",
"create_external_policy": "",
"create_external_policy:shared": "rule:admin_only",
"get_external_policy": "rule:admin_or_owner or rule:shared_ep",
"update_external_policy:shared": "rule:admin_only",
"create_nat_pool": "",
"create_nat_pool:shared": "rule:admin_only",
"get_nat_pool": "rule:admin_or_owner or rule:shared_np",
"update_nat_pool:shared": "rule:admin_only",
"create_servicechain_node": "",
"create_servicechain_node:shared": "rule:admin_only",
"get_servicechain_node": "rule:admin_or_owner or rule:shared_scn",
"update_servicechain_node:shared": "rule:admin_only",
"create_servicechain_spec": "",
"create_servicechain_spec:shared": "rule:admin_only",
"get_servicechain_spec": "rule:admin_or_owner or rule:shared_scs",
"update_servicechain_spec:shared": "rule:admin_only",
"create_servicechain_instance": "",
"get_servicechain_instance": "rule:admin_or_owner",
"update_servicechain_instance:shared": "rule:admin_only"
} }
Any datapath impact caused by a shared resource has to be Any datapath impact caused by a shared resource has to be
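Review bot: The three servicechain_instance entries that close the proposed policy.json do not follow the pattern used for every other resource: `update_servicechain_instance:shared` is admin-only, yet there is no `create_servicechain_instance:shared` rule and `get_servicechain_instance` has no shared clause. If instances do carry a `shared` attribute, setting it at creation is presumably governed only by `"create_servicechain_instance": ""`, so the block should also contain `"create_servicechain_instance:shared": "rule:admin_only",`. If instances are not meant to be shareable (they are not in the visible list of shareable resources), drop the `update_servicechain_instance:shared` line and say so in the text, so that the policy does not imply an attribute that is never checked. Separately, `shared_pt` is defined but no rule visible in this hunk references it; either add the matching `get_policy_target` rule or remove the alias.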
@ -128,7 +173,9 @@ following resources:
- PTG: usable by any tenant when shared for PT placement; - PTG: usable by any tenant when shared for PT placement;
- Policy Classifiers: usable by any tenant when shared; - Policy Classifiers: usable by any tenant when shared;
- Policy Actions: usable by any tenant when shared; - Policy Actions: usable by any tenant when shared;
- Policy Rules: usable by any tenant when shared. - Policy Rules: usable by any tenant when shared;
- Service Chain Specs: usable by any tenant when shared;
- Service Chain Nodes: usable by any tenant when shared.
L3 and L2 policies need to be sharable to allow PTG sharing. L3 and L2 policies need to be sharable to allow PTG sharing.
However, no external tenant could use them because there's no However, no external tenant could use them because there's no