share servicechain objects

implements blueprint share-servicechain-objects

Change-Id: Ie63dd4813a9c1bec857b5c5ba363c5c0abad94b7
Ivar Lazzaro 2015-04-06 22:08:18 +02:00
parent de694f7164
commit e24fb015a6
1 changed files with 61 additions and 14 deletions


@ -8,9 +8,10 @@
Introduce globally shared resources
===================================
Launchpad blueprint:
Launchpad blueprints:
https://blueprints.launchpad.net/group-based-policy/+spec/introduce-shared-attribute
https://blueprints.launchpad.net/group-based-policy/+spec/share-servicechain-objects
Today, it's not possible to create shared GBP resources.
This is especially useful in order to avoid duplication of policies
@ -41,8 +42,10 @@ following GBP resources:
- L3 Policies;
- Network Service policies;
- Policy Rules;
- Policy Classifiers.
- Policy Actions.
- Policy Classifiers;
- Policy Actions;
- Service Chain Nodes;
- Service Chain Specs.
The behavior will be consistent with Neutron's already existing
sharing policy. Which means that a given resource can be either
@ -74,47 +77,89 @@ The proposed default policy.json follows::
"admin_only": "rule:context_is_admin",
"regular_user": "",
"default": "rule:admin_or_owner",
"gbp_shared": "field:policy_target_groups:shared=True",
"shared_ptg": "field:policy_target_groups:shared=True",
"shared_pt": "field:policy_targets:shared=True",
"shared_prs": "field:policy_rule_sets:shared=True",
"shared_l3p": "field:l3_policies:shared=True",
"shared_l2p": "field:l2_policies:shared=True",
"shared_es": "field:external_segments:shared=True",
"shared_ep": "field:external_policies:shared=True",
"shared_pc": "field:policy_classifiers:shared=True",
"shared_pa": "field:policy_actions:shared=True",
"shared_pr": "field:policy_rules:shared=True",
"shared_np": "field:nat_pools:shared=True",
"shared_nsp": "field:network_service_policies:shared=True",
"shared_scn": "field:servicechain_nodes:shared=True",
"shared_scs": "field:servicechain_specs:shared=True",
"create_policy_target_group": "",
"create_policy_target_group:shared": "rule:admin_only",
"get_policy_target_group": "rule:admin_or_owner or rule:gbp_shared",
"get_policy_target_group": "rule:admin_or_owner or rule:shared_ptg",
"update_policy_target_group:shared": "rule:admin_only",
"create_l2_policy": "",
"create_l2_policy:shared": "rule:admin_only",
"get_l2_policy": "rule:admin_or_owner or rule:gbp_shared",
"get_l2_policy": "rule:admin_or_owner or rule:shared_l2p",
"update_l2_policy:shared": "rule:admin_only",
"create_l3_policy": "",
"create_l3_policy:shared": "rule:admin_only",
"get_l3_policy": "rule:admin_or_owner or rule:gbp_shared",
"get_l3_policy": "rule:admin_or_owner or rule:shared_l3p",
"update_l3_policy:shared": "rule:admin_only",
"create_policy_classifier": "",
"create_policy_classifier:shared": "rule:admin_only",
"get_policy_classifier": "rule:admin_or_owner or rule:gbp_shared",
"get_policy_classifier": "rule:admin_or_owner or rule:shared_pc",
"update_policy_classifier:shared": "rule:admin_only",
"create_policy_action": "",
"create_policy_action:shared": "rule:admin_only",
"get_policy_action": "rule:admin_or_owner or rule:gbp_shared",
"get_policy_action": "rule:admin_or_owner or rule:shared_pa",
"update_policy_action:shared": "rule:admin_only",
"create_policy_rule": "",
"create_policy_rule:shared": "rule:admin_only",
"get_policy_rule": "rule:admin_or_owner or rule:gbp_shared",
"get_policy_rule": "rule:admin_or_owner or rule:shared_pr",
"update_policy_rule:shared": "rule:admin_only",
"create_policy_rule_set": "",
"create_policy_rule_set:shared": "rule:admin_only",
"get_policy_rule_set": "rule:admin_or_owner or rule:gbp_shared",
"get_policy_rule_set": "rule:admin_or_owner or rule:shared_prs",
"update_policy_rule_set:shared": "rule:admin_only",
"create_network_service_policy": "",
"create_network_service_policy:shared": "rule:admin_only",
"get_network_service_policy": "rule:admin_or_owner or rule:gbp_shared",
"update_network_service_policy:shared": "rule:admin_only"
"get_network_service_policy": "rule:admin_or_owner or rule:shared_nsp",
"update_network_service_policy:shared": "rule:admin_only",
"create_external_segment": "",
"create_external_segment:shared": "rule:admin_only",
"get_external_segment": "rule:admin_or_owner or rule:shared_es",
"update_external_segment:shared": "rule:admin_only",
"create_external_policy": "",
"create_external_policy:shared": "rule:admin_only",
"get_external_policy": "rule:admin_or_owner or rule:shared_ep",
"update_external_policy:shared": "rule:admin_only",
"create_nat_pool": "",
"create_nat_pool:shared": "rule:admin_only",
"get_nat_pool": "rule:admin_or_owner or rule:shared_np",
"update_nat_pool:shared": "rule:admin_only",
"create_servicechain_node": "",
"create_servicechain_node:shared": "rule:admin_only",
"get_servicechain_node": "rule:admin_or_owner or rule:shared_scn",
"update_servicechain_node:shared": "rule:admin_only",
"create_servicechain_spec": "",
"create_servicechain_spec:shared": "rule:admin_only",
"get_servicechain_spec": "rule:admin_or_owner or rule:shared_scs",
"update_servicechain_spec:shared": "rule:admin_only",
"create_servicechain_instance": "",
"get_servicechain_instance": "rule:admin_or_owner",
"update_servicechain_instance:shared": "rule:admin_only"
}
Any datapath impact caused by a shared resource has to be
@ -128,7 +173,9 @@ following resources:
- PTG: usable by any tenant when shared for PT placement;
- Policy Classifiers: usable by any tenant when shared;
- Policy Actions: usable by any tenant when shared;
- Policy Rules: usable by any tenant when shared.
- Policy Rules: usable by any tenant when shared;
- Service Chain Specs: usable by any tenant when shared;
- Service Chain Nodes: usable by any tenant when shared.
L3 and L2 policies need to be sharable to allow PTG sharing.
However, no external tenant could use them because there's no