EP, EPG, and Contract renaming and other cleanup

The following resources are being renamed as follows:
Endpoints -> Policy Targets
Endpoint Groups -> Policy Target Groups
Contracts -> Policy Rule Sets

Also fixing other inconsistencies in the spec.

Change-Id: Id483805141d8face46f1502f1fb8089d8af4d4eb
Sumit Naiksatam 2014-11-15 21:42:01 -08:00
parent 7b9c5e2c3b
commit ea8adf50f1
1 changed files with 163 additions and 159 deletions


@ -4,47 +4,47 @@
http://creativecommons.org/licenses/by/3.0/legalcode http://creativecommons.org/licenses/by/3.0/legalcode
=========================================== ==============================================
Group-based Policy Abstractions for Neutron Group-based Policy Abstractions for Networking
=========================================== ==============================================
Launchpad blueprint: Launchpad blueprint:
https://blueprints.launchpad.net/group-based-policy/+spec/group-based-policy-abstraction https://blueprints.launchpad.net/group-based-policy/+spec/group-based-policy-abstraction
This blueprint proposes an extension to the Neutron API with a declarative This blueprint proposes a networking API with a declarative policy driven
policy driven connectivity model that presents simplified application-oriented connectivity model that presents simplified application-oriented
interfaces to the user. interfaces to the user.
Problem description Problem description
=================== ===================
The current Neutron model of networks, ports, subnets, routers, and security The current OpenStack networking model of networks, ports, subnets, routers,
groups provides the necessary building blocks to build a logical network and security groups provides the necessary building blocks to build a logical
topology for connectivity. However, it does not provide the right level network topology for connectivity. However, it does not provide the right level
of abstraction for an application administrator who understands the of abstraction for an application administrator who understands the
application's details (like application port numbers), but not the application's details (like application port numbers), but not the
infrastructure details likes networks and routes. Not only that, the current infrastructure details likes networks and routes. Not only that, the current
abstraction puts the burden of maintaining the consistency of the network abstraction puts the burden of maintaining the consistency of the network
topology on the user. The lack of application developer/administrator focussed topology on the user. The lack of application developer/administrator focussed
abstractions supported by a declarative model make it hard for those users abstractions supported by a declarative model make it hard for those users
to consume Neutron as a connectivity layer. to consume the existing connectivity layer.
Proposed change Proposed change
=============== ===============
The policy framework described in this blueprint complements the current The policy framework described in this blueprint complements the current
Neutron model with the notion of policies that can be applied between groups of OpenStack networking model with the notion of policies that can be applied
endpoints. As users look beyond basic connectivity, richer network services between groups of network endpoints. As users look beyond basic connectivity,
with diverse implementations and network properties are naturally expressed as richer network services with diverse implementations and network properties are
policies. Examples include service chaining, QoS, path properties, access naturally expressed as policies. Examples include service chaining, QoS, path
control, etc. properties, access control, etc.
This proposal suggests a model that allows application administrators to This proposal suggests a model that allows application administrators to
express their networking requirements using group and policy abstractions, with express their networking requirements using group and policy abstractions, with
the specifics of policy enforcement and implementation left to the underlying the specifics of policy enforcement and implementation left to the underlying
policy driver. The main advantage of the extensions described in this blueprint policy driver. The main advantage of the extensions described in this blueprint
is that they allow for an application-centric interface to Neutron that is that they allow for an application-centric interface to OpenStack networking that
complements the existing network-centric interface. complements the existing network-centric interface.
More specifically the new abstractions will achieve the following: More specifically the new abstractions will achieve the following:
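Review bot: the context line "infrastructure details likes networks and routes" keeps the typo "likes" on both sides of this hunk; since the commit message covers other spec cleanup, change it to "like" here.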
@ -75,53 +75,54 @@ More specifically the new abstractions will achieve the following:
specific actions. specific actions.
* Complement the governance model proposed in the OpenStack Congress project by * Complement the governance model proposed in the OpenStack Congress project by
making Policy Labels available for enforcement. making Policy Tags available for enforcement.
The following new terminology is being introduced: The following new terminology is being introduced:
**Endpoint (EP):** An L2/L3 addressable entity. **Policy Target (PT):** It is the smallest unit of resource abstraction at
which policy can be applied.
**Endpoint Group (EPG):** A collection of endpoints. **Policy Target Group (PTG):** A collection of policy targets.
**Contract:** It defines how the application services provided by an EPG can be **Policy Rule Set (PRS):** It defines how the application services provided by
accessed. In effect it specifies how an EPG communicates with other EPGs. A a PTG can be accessed. In effect it specifies how a PTG communicates with other
Contract consists of Policy Rules. PTGs. A Policy Rule Set consists of Policy Rules.
**Policy Rule:** These are individual rules used to define the communication **Policy Rule (PR):** These are individual rules used to define the communication
criteria between EPGs. Each rule contains a Filter, Classifier, and Action. criteria between PTGs. Each rule contains a Filter, Classifier, and Action.
**Classifier:** Characterizes the traffic that a particular Policy Rule acts on. **Classifier:** Characterizes the traffic that a particular Policy Rule acts on.
Corresponding action is taken on traffic that satisfies this classification Corresponding action is taken on traffic that satisfies this classification
criteria. criteria.
**Action:** The action that is taken for a matching Policy Rule defined in a **Action:** The action that is taken for a matching Policy Rule defined in a
Contract. Policy Rule Set.
**Filter:** Provides a way to tag a Policy Rule with Capability and Role labels. **Filter:** Provides a way to tag a Policy Rule with Capability and Role tags.
**Capability:** It is a Policy Label that defines what part of a Contract a **Capability:** It is a Policy Label that defines what part of a Policy Rule Set a
particular EPG provides. particular PTG provides.
**Role:** It is a Policy Label that defines what part of a Contract an EPG wants **Role:** It is a Policy Label that defines what part of a Policy Rule Set a PTG wants
to consume. to consume.
**Contract Scope:** An EPG conveys its intent to provide or consume a Contract **Policy Rule Set Scope:** An PTG conveys its intent to provide or consume a Policy Rule Set
(or its part) by defining a Contract Scope which references the target (or its part) by defining a Policy Rule Set Scope which references the target
Contract. Policy Rule Set.
**Selector:** A Contract Scope can define additional constraints around choosing **Selector:** A Policy Rule Set Scope can define additional constraints around choosing
the matching provider or consumer EPGs for a Contract via a Selector. the matching provider or consumer PTGs for a Policy Rule Set via a Selector.
**Policy Tags:** These are labels contained within a namespace hierarchy and **Policy Tags:** These are labels contained within a namespace hierarchy and
used to define Capability and Role tags used in Filters. used to define Capability and Role tags used in Filters.
**L2 Policy:** Used to define a L2 boundary and impose additional **L2 Policy (L2P):** Used to define a L2 boundary and impose additional
constraints (such as no broadcast) within that L2 boundary. constraints (such as no broadcast) within that L2 boundary.
**L3 Policy:** Used to define a non-overlapping IP address space. **L3 Policy (L3P):** Used to define a non-overlapping IP address space.
**Network Service Policy:** Used to define policies that are used for assigning **Network Service Policy (NSP):** Used to define policies that are used for
resources in an EPG to be consumed by network services. assigning resources in a PTG to be consumed by network services.
Here is an example of how a three tier application would look like: Here is an example of how a three tier application would look like:
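Review bot: the Capability and Role definitions still read "It is a Policy Label that defines ..." while this hunk renames the concept to Policy Tags elsewhere ("making Policy Tags available for enforcement", "Capability and Role tags", "**Policy Tags:** These are labels ..."); use "Policy Tag" in both definitions. The Policy Rule Set Scope entry also reads "An PTG conveys its intent", which should be "A PTG conveys its intent".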
@ -129,10 +130,10 @@ Here is an example of how a three tier application would look like:
++ ++ ++ ++ ++ ++ ++ ++
| | | Web | | App | |DB | | | | Web | | App | |DB |
| Outside | | EPG | | EPG | |EPG | | Outside | | PTG | | PTG | |PTG |
| Public | ++ ++ | ++ ++ | ++ ++ | | Public | ++ ++ | ++ ++ | ++ ++ |
| Network ++Web | |VM| ++App | |VM| ++DB | |VM| | | Network ++Web | |VM| ++App | |VM| ++DB | |VM| |
| EPG | |Contract| ++ | |Contract| ++ | |Contract| ++ | | PTG | |PRS | ++ | |PRS | ++ | |PRS | ++ |
| | ++ | ++ | ++ | | | ++ | ++ | ++ |
| | | ++ | | ++ | | ++ | | | | ++ | | ++ | | ++ |
| | | |VM| | | |VM| | | |VM| | | | | |VM| | | |VM| | | |VM| |
@ -150,65 +151,65 @@ Create Classifier
neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP
--direction IN --direction IN
Create Contract using the Classifier Create Policy Rule Set using the Classifier
:: ::
neutron contract-create Web-Server-Contract --classifier Insecure-Web-Access neutron policy-rule-set-create Web-Server-PRS --classifier Insecure-Web-Access
--action ALLOW --action ALLOW
Create EPG providing the Contract Create PTG providing the Policy Rule Set
:: ::
neutron epg-create Web-Server-EPG --provides-contract Web-Server-Contract neutron ptg-create Web-Server-PTG --provides-policy-rule-set Web-Server-PRS
Create Endpoint in EPG Create PT in PTG
:: ::
neutron ep-create --epg Web-Server-EPG neutron pt-create --epg Web-Server-PTG
Launch Web Server VM using Endpoint in EPG Launch Web Server VM using PT in PTG
:: ::
nova boot --image cirros --flavor m1.nano --nic port-id=<EP-NAME> Web-Server nova boot --image cirros --flavor m1.nano --nic port-id=<PT-NAME> Web-Server
Specify connectivity of Outside world VMs to Web Server Specify connectivity of Outside world VMs to Web Server
:: ::
neutron epg-create Outside-EPG --consumes-contract Web-Server-Contract neutron ptg-create Outside-PTG --consumes-policy-rule-set Web-Server-PRS
Note that the Contract Provider/Consuming Scopes are not explicitly shown in Note that the Policy Rule Set Provider/Consuming Scopes are not explicitly shown in
the above diagram but define each providing and consuming relation between an the above diagram but define each providing and consuming relation between an
EPG and a Contract as shown below: PTG and a Policy Rule Set as shown below:
:: ::
++ ++
|Web | |Web |
|Contract | |PRS |
|Consuming | |Consuming |
|Scope | |Scope |
+++ +++
++ | ++ ++ | ++
| | | | Web | | | | | Web |
| Outside | | | EPG | | Outside | | | PTG |
| Public | | ++ | ++ | | Public | | ++ | ++ |
| Network +++Web +++ |VM|EP | | Network +++Web +++ |VM|PT |
| EPG | |Contract| | | ++ | | PTG | |PRS | | | ++ |
| | ++ | | | | | ++ | | |
| | | | ++ | | | | | ++ |
| | | | |VM|EP | | | | | |VM|PT |
| | | | ++ | | | | | ++ |
++ | | | ++ | | |
| ++ | ++
+ +
+++ +++
|Web | |Web |
|Contract | |PRS |
|Providing | |Providing |
|Scope | |Scope |
++ ++
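Review bot: the PT creation example still passes the old option name, `neutron pt-create --epg Web-Server-PTG`; with the group resource renamed this should presumably be `--ptg Web-Server-PTG`, matching the `ptg-create` commands on the neighbouring lines. The note below the examples also says "Policy Rule Set Provider/Consuming Scopes", mixing forms; the scope objects are called Providing/Consuming in the rest of the spec.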
@ -227,16 +228,16 @@ New Database Objects to support Group Policy:
:: ::
++ ++ ++ ++ ++ ++
| | | Contract | |Contracts | | Policy | | PRS | | Policy |
| Endpoint | | Providing/ | | | | Target | | Providing/ | | Rule |
| Groups ++ Consuming ++ | | Groups ++ Consuming ++ Sets(PRS)|
| | | Scopes | +++ | | | Scopes | +++
+++ ++ | +++ ++ |
| +++ | +++
| |Policy | | | Policy |
+++ |Rules | +++ | Rules |
| | | | | Policy | | |
| Endpoints | +++++ | Targets | +++++
| | | | | | | | | |
++ | | | ++ | | |
| | | | | |
@ -250,39 +251,39 @@ All objects have the following common attributes:
* name - optional name * name - optional name
* description - optional annotation * description - optional annotation
Endpoint PolicyTarget
* epg_id - UUID of the EndpointGroup (EPG) that this Endpoint (EP) belongs to * ptg_id - UUID of the PolicyTargetGroup (PTG) that this PolicyTarget (PT) belongs to
* policy_tags - a list of PolicyTag uuids * policy_tags - a list of PolicyTag uuids
EndpointGroup PolicyTargetGroup
* endpoints - list of endpoint uuids * policy_targets - list of PolicyTarget uuids
* contract_providing_scopes - list of ContractProvidingScope uuids * policy_rule_set_providing_scopes - list of PolicyRuleSetProvidingScope uuids
* contract_consuming_scopes - list of ContractConsumingScope uuids * policy_rule_set_consuming_scopes - list of PolicyRuleSetConsumingScope uuids
Contract PolicyRuleSet
* policy_rules - ordered list of PolicyRule uuids * policy_rules - ordered list of PolicyRule uuids
* contract_providing_scopes - list of ContractProvidingScope uuids * policy_rule_set_providing_scopes - list of PolicyRuleSetProvidingScope uuids
* contract_consuming_scopes - list of ContractConsumingScope uuids * policy_rule_set_consuming_scopes - list of PolicyRuleSetConsumingScope uuids
* child_contracts - ordered list of Contract uuids * child_policy_rule_sets - ordered list of PolicyRuleSet uuids
ContractProvidingScope PolicyRuleSetProvidingScope
* contract_id - uuid of the Contract that is being provided by the EPG * policy_rule_set_id - uuid of the PolicyRuleSet that is being provided by the PTG
* selectors - list of Selectors uuids * selectors - list of Selectors uuids
* capabilites - list of PolicyTag uuids * capabilites - list of PolicyTag uuids
* providing_epg - EndpointGroup uuid * providing_ptg - PolicyTargetGroup uuid
ContractConsumingScope PolicyRuleSetConsumingScope
* contract_id - uuid of the Contract that is being consumed by the EPG * policy_rule_set_id - uuid of the PolicyRuleSet that is being consumed by the PTG
* selectors - list of Selectors uuids * selectors - list of Selectors uuids
* roles - list of PolicyTags * roles - list of PolicyTags
* consuming_epg - EndpointGroup uuid * consuming_ptg - PolicyTargetGroup uuid
Selector Selector
* scope - enum: GLOBAL, TENANT, EPG * scope - enum: GLOBAL, TENANT, PTG
* value - None for GLOBAL, or uuid of tenant/EPG * value - None for GLOBAL, or uuid of tenant/PTG
PolicyTag PolicyTag
* namespace - string, a namespace identifier for policy labels * namespace - string, a namespace identifier for policy tags
* name - string, not optional * name - string, not optional
* values - list of PolicyValue uuids * values - list of PolicyValue uuids
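Review bot: "capabilites" under PolicyRuleSetProvidingScope is misspelled on both sides; fix to "capabilities" as part of this cleanup. The object model here also lists `selectors` (a list of uuids) and `providing_ptg` / `consuming_ptg`, whereas the RESOURCE_ATTRIBUTE_MAP entries for the same scope resources later in the file expose a single `selector_id` and a `policy_target_group_id`; the two descriptions of the scope objects should agree on field names and cardinality.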
@ -309,24 +310,24 @@ Action
case of REDIRECT, its the uuid of the Service Chain case of REDIRECT, its the uuid of the Service Chain
L2Policy L2Policy
* endpoint_groups - list of EndpointGroup uuids * policy_target_groups - list of PolicyTargetGroup uuids
* l3_policy_id - uuid of the l3_policy * l3_policy_id - uuid of the l3_policy
L3Policy L3Policy
* l2_policies - list of L2Policy uuids * l2_policies - list of L2Policy uuids
* ip_version - enum, v4 or v6 * ip_version - enum, v4 or v6
* ip_pool - string, IPSubnet with mask, used to pull subnets from if the * ip_pool - string, IPSubnet with mask, used to pull subnets from if the
user creates an EPG without specifying a subnet user creates a PTG without specifying a subnet
* default_subnet_prefix_length - int, used as the default subnet length if * subnet_prefix_length - int, used as the default subnet length if
the user creates an EPG without a subnet the user creates a PTG without a subnet
The way ip_pool and default_subnet_prefix_length work is as follows: When The way ip_pool and subnet_prefix_length work is as follows: When
creating L3Policy a default ip_pool and default_subnet_prefix_length are creating L3Policy a default ip_pool and default_subnet_prefix_length are
created. If a user creates an EPG, a subnet will be pulled from ip_pool using created. If a user creates a PTG, a subnet will be pulled from ip_pool using
default_subnet_prefix_length. default_subnet_prefix_length.
NetworkServicePolicy NetworkServicePolicy
* endpoint_groups - list of EndpointGroup uuids * policy_target_groups - list of PolicyTargetGroup uuids
* network_service_params - list of ServiceArgument uuids * network_service_params - list of ServiceArgument uuids
NetworkServiceParams NetworkServiceParams
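Review bot: the L3Policy bullet renames `default_subnet_prefix_length` to `subnet_prefix_length` and the first sentence of the explanation follows ("The way ip_pool and subnet_prefix_length work is as follows"), but the next two sentences still say "a default ip_pool and default_subnet_prefix_length are created" and "using default_subnet_prefix_length"; update them to the new attribute name so the paragraph does not contradict the bullet above it.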
@ -341,18 +342,18 @@ NetworkServiceParams
The supported values are: self_subnet and external_subnet, The supported values are: self_subnet and external_subnet,
but the values are not validated when the tpye is 'string'. but the values are not validated when the tpye is 'string'.
Valid combinations are: Valid combinations are:
ip_single, self_subnet: Allocate a single IP addr from epg subnet, ip_single, self_subnet: Allocate a single IP addr from ptg subnet,
e.g. VIP (in the private network) e.g. VIP (in the private network)
ip_single, external_subnet: Allocate a single floating-ip addr, ip_single, external_subnet: Allocate a single floating-ip addr,
e.g. Public address for the VIP e.g. Public address for the VIP
ip_pool, external_subnet: Allocate a floating-ip for every EP in EPG ip_pool, external_subnet: Allocate a floating-ip for every PT in PTG
Objects to support Mapping to existing Neutron resources Objects to support Mapping to existing Neutron resources
EndpointPortBinding (extends Endpoint) PolicyTargetPortBinding (extends PolicyTarget)
* neutron_port_id - uuid of Neutron Port that this EP maps to * neutron_port_id - uuid of Neutron Port that this PT maps to
EndpointGroupNetworkBinding (extends EndpointGroup) PolicyTargetGroupNetworkBinding (extends PolicyTargetGroup)
* neutron_subnets - list of Neutron Subnet uuids * neutron_subnets - list of Neutron Subnet uuids
L2PolicyBinding (extends l2_policy) L2PolicyBinding (extends l2_policy)
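Review bot: "tpye" in "but the values are not validated when the tpye is 'string'" is misspelled on both sides of this hunk; fix to "type" while touching the surrounding lines.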
@ -378,13 +379,13 @@ The following new resources are being introduced:
gp_supported_actions = [None, 'ALLOW', 'REDIRECT'] gp_supported_actions = [None, 'ALLOW', 'REDIRECT']
gp_supported_directions = [None, 'IN', 'OUT', 'BI'] gp_supported_directions = [None, 'IN', 'OUT', 'BI']
gp_supported_protocols = [None, 'TCP', 'UDP', 'ICMP'] gp_supported_protocols = [None, 'TCP', 'UDP', 'ICMP']
gp_supported_scopes = [None, 'GLOBAL', 'TENANT', 'EPG'] gp_supported_scopes = [None, 'GLOBAL', 'TENANT', 'PTG']
ENDPOINTS = 'endpoints' POLICY_TARGETS = 'policy_targets'
ENDPOINT_GROUPS = 'endpoint_groups' POLICY_TARGET_GROUPS = 'policy_target_groups'
CONTRACTS = 'contracts' POLICY_RULE_SETS = 'policy_rule_sets'
CONTRACT_PROVIDING_SCOPES = 'contract_providing_scopes' POLICY_RULE_SET_PROVIDING_SCOPES = 'policy_rule_set_providing_scopes'
CONTRACT_CONSUMING_SCOPES = 'contract_consuming_scopes' POLICY_RULE_SET_CONSUMING_SCOPES = 'policy_rule_set_consuming_scopes'
POLICY_RULES = 'policy_rules' POLICY_RULES = 'policy_rules'
FILTERS = 'filters' FILTERS = 'filters'
CLASSIFIERS = 'classifiers' CLASSIFIERS = 'classifiers'
@ -396,7 +397,7 @@ The following new resources are being introduced:
NETWORK_SERVICE_POLICIES = 'network_service_policies' NETWORK_SERVICE_POLICIES = 'network_service_policies'
RESOURCE_ATTRIBUTE_MAP = { RESOURCE_ATTRIBUTE_MAP = {
ENDPOINTS: { POLICY_TARGETS: {
'id': {'allow_post': False, 'allow_put': False, 'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None}, 'is_visible': True, 'validate': {'type:uuid': None}, 'is_visible': True,
'primary_key': True}, 'primary_key': True},
@ -409,11 +410,11 @@ The following new resources are being introduced:
'tenant_id': {'allow_post': True, 'allow_put': False, 'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None}, 'validate': {'type:string': None},
'required_by_policy': True, 'is_visible': True}, 'required_by_policy': True, 'is_visible': True},
'endpointgroup_id': {'allow_post': True, 'allow_put': True, 'policy_target_group_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid__or_none': None}, 'validate': {'type:uuid__or_none': None},
'required': True, 'is_visible': True}, 'required': True, 'is_visible': True},
}, },
ENDPOINT_GROUPS: { POLICY_TARGET_GROUPS: {
'id': {'allow_post': False, 'allow_put': False, 'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None}, 'is_visible': True, 'validate': {'type:uuid': None}, 'is_visible': True,
'primary_key': True}, 'primary_key': True},
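Review bot: `policy_target_group_id` under POLICY_TARGETS carries over the validator key `'type:uuid__or_none'` (double underscore) from the old `endpointgroup_id` entry; every other attribute uses `'type:uuid_or_none'`, so this looks like a typo that would leave the attribute without the intended uuid validation. Fix the key while renaming. Also, `'required': True` together with an or-none validator is contradictory; decide whether the group id is mandatory on POST and use `'type:uuid'` if so.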
@ -426,28 +427,28 @@ The following new resources are being introduced:
'tenant_id': {'allow_post': True, 'allow_put': False, 'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None}, 'validate': {'type:string': None},
'required_by_policy': True, 'is_visible': True}, 'required_by_policy': True, 'is_visible': True},
'endpoints': {'allow_post': False, 'allow_put': False, 'policy_targets': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid_list': None}, 'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list, 'convert_to': attr.convert_none_to_empty_list,
'default': None, 'is_visible': True}, 'default': None, 'is_visible': True},
'l2_policy_id': {'allow_post': True, 'allow_put': True, 'l2_policy_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None}, 'validate': {'type:uuid_or_none': None},
'default': None, 'is_visible': True}, 'default': None, 'is_visible': True},
'network_service_policy_id': {'allow_post': True, 'allow_put': True, 'network_service_policy_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None}, 'validate': {'type:uuid_or_none': None},
'default': None, 'is_visible': True}, 'default': None, 'is_visible': True},
'provided_contract_scopes': {'allow_post': True, 'allow_put': True, 'provided_policy_rule_set_scopes': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None}, 'validate': {'type:uuid_list': None},
'convert_to': 'convert_to':
attr.convert_none_to_empty_list, attr.convert_none_to_empty_list,
'default': None, 'is_visible': True}, 'default': None, 'is_visible': True},
'consumed_contract_scopes': {'allow_post': True, 'allow_put': True, 'consumed_policy_rule_set_scopes': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None}, 'validate': {'type:uuid_list': None},
'convert_to': 'convert_to':
attr.convert_none_to_empty_list, attr.convert_none_to_empty_list,
'default': None, 'is_visible': True}, 'default': None, 'is_visible': True},
}, },
CONTRACTS: { POLICY_RULE_SETS: {
'id': {'allow_post': False, 'allow_put': False, 'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None}, 'validate': {'type:uuid': None},
'is_visible': True, 'is_visible': True,
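Review bot: POLICY_TARGET_GROUPS exposes `provided_policy_rule_set_scopes` and `consumed_policy_rule_set_scopes`, whereas the PolicyTargetGroup object model earlier in this change names the same fields `policy_rule_set_providing_scopes` and `policy_rule_set_consuming_scopes`; pick one form for both the object description and the attribute map so clients and the DB layer use the same names.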
@ -463,18 +464,18 @@ The following new resources are being introduced:
'validate': {'type:string': None}, 'validate': {'type:string': None},
'required_by_policy': True, 'required_by_policy': True,
'is_visible': True}, 'is_visible': True},
'child_contracts': {'allow_post': True, 'allow_put': True, 'child_policy_rule_sets': {'allow_post': True, 'allow_put': True,
'default': None, 'default': None,
'validate': {'type:uuid_list': None}, 'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list, 'convert_to': attr.convert_none_to_empty_list,
'required': True, 'is_visible': True}, 'required': True, 'is_visible': True},
'policy_rules': {'allow_post': True, 'allow_put': True, 'policy_rules': {'allow_post': True, 'allow_put': True,
'default': None, 'default': None,
'validate': {'type:uuid_list': None}, 'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list, 'convert_to': attr.convert_none_to_empty_list,
'required': True, 'is_visible': True}, 'required': True, 'is_visible': True},
}, },
CONTRACT_PROVIDING_SCOPES: { POLICY_RULE_SET_PROVIDING_SCOPES: {
'id': {'allow_post': False, 'allow_put': False, 'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None}, 'validate': {'type:uuid': None},
'is_visible': True, 'is_visible': True,
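Review bot: `child_policy_rule_sets` and `policy_rules` under POLICY_RULE_SETS both set `'required': True` together with `'default': None`; a required attribute has no default, so either the lists are mandatory on POST (drop the default and the empty-list conversion) or optional (drop `'required': True`). The same combination appears on `policy_target_group_id` and `policy_rule_set_id` in the scope resources further down.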
@ -490,12 +491,12 @@ The following new resources are being introduced:
'validate': {'type:string': None}, 'validate': {'type:string': None},
'required_by_policy': True, 'required_by_policy': True,
'is_visible': True}, 'is_visible': True},
'endpointgroup_id': {'allow_post': True, 'allow_put': True, 'policy_target_group_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid': None}, 'validate': {'type:uuid': None},
'required': True, 'is_visible': True}, 'required': True, 'is_visible': True},
'contract_id': {'allow_post': True, 'allow_put': True, 'policy_rule_set_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid': None}, 'validate': {'type:uuid': None},
'required': True, 'is_visible': True}, 'required': True, 'is_visible': True},
'selector_id': {'allow_post': True, 'allow_put': True, 'selector_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None}, 'validate': {'type:uuid_or_none': None},
'required': True, 'is_visible': True}, 'required': True, 'is_visible': True},
@ -505,7 +506,7 @@ The following new resources are being introduced:
'convert_to': attr.convert_none_to_empty_list, 'convert_to': attr.convert_none_to_empty_list,
'required': True, 'is_visible': True}, 'required': True, 'is_visible': True},
}, },
CONTRACT_CONSUMING_SCOPES: { POLICY_RULE_SET_CONSUMING_SCOPES: {
'id': {'allow_post': False, 'allow_put': False, 'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None}, 'validate': {'type:uuid': None},
'is_visible': True, 'primary_key': True}, 'is_visible': True, 'primary_key': True},
@ -520,12 +521,12 @@ The following new resources are being introduced:
'validate': {'type:string': None}, 'validate': {'type:string': None},
'required_by_policy': True, 'required_by_policy': True,
'is_visible': True}, 'is_visible': True},
'endpointgroup_id': {'allow_post': True, 'allow_put': True, 'policy_target_group_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid': None}, 'validate': {'type:uuid': None},
'required': True, 'is_visible': True}, 'required': True, 'is_visible': True},
'contract_id': {'allow_post': True, 'allow_put': True, 'policy_rule_set_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid': None}, 'validate': {'type:uuid': None},
'required': True, 'is_visible': True}, 'required': True, 'is_visible': True},
'selector_id': {'allow_post': True, 'allow_put': True, 'selector_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None}, 'validate': {'type:uuid_or_none': None},
'required': True, 'is_visible': True}, 'required': True, 'is_visible': True},
@ -697,10 +698,10 @@ The following new resources are being introduced:
'tenant_id': {'allow_post': True, 'allow_put': False, 'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None}, 'validate': {'type:string': None},
'required_by_policy': True, 'is_visible': True}, 'required_by_policy': True, 'is_visible': True},
'endpoint_groups': {'allow_post': False, 'allow_put': False, 'policy_target_groups': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid_list': None}, 'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list, 'convert_to': attr.convert_none_to_empty_list,
'default': None, 'is_visible': True}, 'default': None, 'is_visible': True},
'l3_policy_id': {'allow_post': True, 'allow_put': True, 'l3_policy_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None}, 'validate': {'type:uuid_or_none': None},
'default': None, 'is_visible': True, 'default': None, 'is_visible': True,
@ -724,19 +725,18 @@ The following new resources are being introduced:
'validate': {'type:values': [4, 6]}, 'validate': {'type:values': [4, 6]},
'is_visible': True}, 'is_visible': True},
'ip_pool': {'allow_post': True, 'allow_put': False, 'ip_pool': {'allow_post': True, 'allow_put': False,
'validate': {'type:subnet': None}, 'validate': {'type:subnet': None},
'default': '10.0.0.0/8', 'is_visible': True}, 'default': '10.0.0.0/8', 'is_visible': True},
'default_subnet_prefix_length': {'allow_post': True, 'allow_put': True, 'subnet_prefix_length': {'allow_post': True, 'allow_put': True,
'convert_to': attr.convert_to_int, 'convert_to': attr.convert_to_int,
'validate': { 'validate': {
# ipv4 specific validation is # for ipv4 legal values are 2 to 30
# performed in the plugin code. # for ipv6 legal values are 2 to 127
'type:values': range(1, 127)}, 'default': 24, 'is_visible': True},
'default': 24, 'is_visible': True},
'l2_policies': {'allow_post': False, 'allow_put': False, 'l2_policies': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid_list': None}, validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list, 'convert_to': attr.convert_none_to_empty_list,
'default': None, 'is_visible': True}, 'default': None, 'is_visible': True},
}, },
NETWORK_SERVICE_POLICIES: { NETWORK_SERVICE_POLICIES: {
'id': {'allow_post': False, 'allow_put': False, 'id': {'allow_post': False, 'allow_put': False,
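Review bot: the new `subnet_prefix_length` entry is broken: the `'type:values': range(1, 127)` validator is removed and replaced only by the comments "for ipv4 legal values are 2 to 30" and "for ipv6 legal values are 2 to 127", which leaves `'validate': {` swallowing `'default': 24, 'is_visible': True},` as its own contents and drops the closing `},` of the attribute dict, so the block no longer parses and, even once the braces are repaired, nothing enforces the ranges the comments state. Restore a validator under `'validate'` (for example `'type:values': range(2, 128)}`, with the IPv4-specific upper bound checked in the plugin as the old comment described) followed by `'default': 24, 'is_visible': True},`. One line below, `validate': {'type:uuid_list': None},` under `l2_policies` has lost its opening quote on the new side.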
@ -751,7 +751,7 @@ The following new resources are being introduced:
'tenant_id': {'allow_post': True, 'allow_put': False, 'tenant_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:string': None}, 'validate': {'type:string': None},
'required_by_policy': True, 'is_visible': True}, 'required_by_policy': True, 'is_visible': True},
'endpoint_groups': {'allow_post': False, 'allow_put': False, 'policy_target_groups': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid_list': None}, 'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list, 'convert_to': attr.convert_none_to_empty_list,
'default': None, 'is_visible': True}, 'default': None, 'is_visible': True},
@ -773,12 +773,12 @@ using attribute extension:
.. code-block:: python .. code-block:: python
EXTENDED_ATTRIBUTES_2_0 = { EXTENDED_ATTRIBUTES_2_0 = {
gpolicy.ENDPOINTS: { gpolicy.POLICY_TARGETS: {
'neutron_port_id': {'allow_post': True, 'allow_put': False, 'neutron_port_id': {'allow_post': True, 'allow_put': False,
'validate': {'type:uuid_or_none': None}, 'validate': {'type:uuid_or_none': None},
'is_visible': True, 'default': None}, 'is_visible': True, 'default': None},
}, },
gpolicy.ENDPOINT_GROUPS: { gpolicy.POLICY_TARGET_GROUPS: {
'neutron_subnets': {'allow_post': True, 'allow_put': True, 'neutron_subnets': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None}, 'validate': {'type:uuid_list': None},
'convert_to': attr.convert_none_to_empty_list, 'convert_to': attr.convert_none_to_empty_list,
@ -801,7 +801,7 @@ Security impact
--------------- ---------------
The connectivity model used here is consistent with OpenStack/Neutron's current The connectivity model used here is consistent with OpenStack/Neutron's current
white list model - that is, there is no connectivity outside an EPG unless white list model - that is, there is no connectivity outside a PTG unless
explicitly allowed. explicitly allowed.
The rendering of the proposed new abstractions happens via existing Security The rendering of the proposed new abstractions happens via existing Security
@ -890,6 +890,8 @@ Assignee(s)
Mandeep Dhami (mandeep-dhami) Mandeep Dhami (mandeep-dhami)
Ivar Lazzaro (mmaleckk)
Mohammad Banikazemi (banix) Mohammad Banikazemi (banix)
Stephen Wong (s3wong) Stephen Wong (s3wong)
@ -900,6 +902,8 @@ Assignee(s)
Subrahmanyam Ongole (osms69) Subrahmanyam Ongole (osms69)
Magesh GV (magesh-gv)
Ronak Shah (ronak-malav-shah) Ronak Shah (ronak-malav-shah)
Rudra Rugge (rudrarugge) Rudra Rugge (rudrarugge)