Updated Gluon Documentation for Pike Release
Updated documentation includes: - doc/source/devref * Update on Gluon Authentication and Authorization * Version Management in Gluon API Specification and updated examples * Updated examples for Proton Version Management * Updated repo structure - doc/source/installation * Updated installation guide for etcd and gluon - doc/source/usage.rst * Updated user guide - releasenotes/source * Updated release notes Change-Id: I836690ccb5c538031e624f5f547b5f2c594ca4ad Signed-off-by: Bin Hu <bh526r@att.com>
This commit is contained in:
parent
ee99e05e3c
commit
0e99426b9e
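--- /dev/null
+++ b/doc/samples/policy.json
@@ -0,0 +1,47 @@
+{
+"COMMENT": "This file is no longer needed, but for historical record !!!",
+"COMMENT": "The policy.json file in /etc/proton directory should contain",
+"COMMENT": "empty json object: {}",
+
+"COMMENT": "This first part is moved to code in gluon/policies/base.py",
+"context_is_admin": "role:admin",
+"owner": "tenant_id:%(tenant_id)s",
+"admin_or_owner": "rule:context_is_admin or rule:owner",
+"context_is_advsvc": "role:advsvc",
+"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
+"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
+"admin_only": "rule:context_is_admin",
+"regular_user": "",
+"default": "rule:admin_or_owner",
+
+"COMMENT": "The rest of policies are defined in gluon/models/base/base.yaml file",
+"create_port": "rule:admin_or_network_owner",
+"list_ports": "rule:admin",
+"get_port": "rule:admin_or_owner",
+"update_port": "rule:admin_or_network_owner",
+"delete_port": "rule:admin_or_network_owner",
+
+"create_interface": "rule:admin_or_network_owner",
+"list_interfaces": "rule:admin",
+"get_interface": "rule:admin_or_owner",
+"update_interface": "rule:admin_or_network_owner",
+"delete_interface": "rule:admin_or_network_owner",
+
+"create_vpn": "rule:admin_or_network_owner",
+"list_vpns": "rule:admin",
+"get_vpns": "rule:admin_or_owner",
+"update_vpn": "rule:admin_or_network_owner",
+"delete_vpn": "rule:admin_or_network_owner",
+
+"create_vpnbinding": "rule:admin_or_network_owner",
+"list_vpnbindings": "rule:admin",
+"get_vpnbinding": "rule:admin_or_owner",
+"update_vpnbinding": "rule:admin_or_network_owner",
+"delete_vpnbinding": "rule:admin_or_network_owner",
+
+"create_vpnafconfig": "rule:admin_or_network_owner",
+"list_vpnafconfigs": "rule:admin",
+"get_vpnafconfig": "rule:admin_or_owner",
+"update_vpnafconfig": "rule:admin_or_network_owner",
+"delete_vpnafconfig": "rule:admin_or_network_owner",
+}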
@ -1,20 +1,44 @@
|
||||||
====================================
|
..
|
||||||
Gluon Authentication & Authorization
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
====================================
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
License for the specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
|
||||||
|
Convention for heading levels in Gluon devref:
|
||||||
|
======= Heading 0 (reserved for the title in a document)
|
||||||
|
------- Heading 1
|
||||||
|
~~~~~~~ Heading 2
|
||||||
|
+++++++ Heading 3
|
||||||
|
''''''' Heading 4
|
||||||
|
(Avoid deeper levels because they do not render well.)
|
||||||
|
|
||||||
|
======================================
|
||||||
|
Gluon Authentication and Authorization
|
||||||
|
======================================
|
||||||
|
|
||||||
Summary
|
Summary
|
||||||
-------
|
-------
|
||||||
|
|
||||||
This document explains the integration of Gluon with OpenStack identity service
|
This document explains the integration of Gluon with OpenStack Identity service
|
||||||
or Keystone. When Keystone is enabled, users that submit requests to Gluon
|
or Keystone. When Keystone is enabled, users that submit requests to Gluon NFV
|
||||||
networking service will have to provide an authentication token in X-Auth-Token
|
networking service will have to provide an authentication token in X-Auth-Token
|
||||||
request header. The token is obtained by making a call to the Keystone authentication
|
request header. The token is obtained via making a call to the Keystone authentication
|
||||||
service by passing in username and password.
|
service by passing in username and password.
|
||||||
|
|
||||||
Assumptions
|
Assumptions
|
||||||
-----------
|
-----------
|
||||||
|
|
||||||
The document uses the proposed "port and service binding model"[1] to determine the
|
This document conforms to Identity concepts, and the mechanism of managing services,
|
||||||
|
projects, users, and roles described in "OpenStack Keystone Administrator Guide" [2]_.
|
||||||
|
|
||||||
|
The document uses the proposed "Port and Service Binding Model" [3]_ to determine the
|
||||||
policy actions (see section on Authorization).
|
policy actions (see section on Authorization).
|
||||||
|
|
||||||
Authentication
|
Authentication
|
||||||
|
@ -28,167 +52,175 @@ If the token is valid, Keystone will retrieve additional information from token
|
||||||
such as user name, user id, project name, project id etc and send this information
|
such as user name, user id, project name, project id etc and send this information
|
||||||
to the OpenStack service. Otherwise, the request will be rejected.
|
to the OpenStack service. Otherwise, the request will be rejected.
|
||||||
|
|
||||||
Setting up
|
Setting Up
|
||||||
~~~~~~~~~~
|
~~~~~~~~~~
|
||||||
|
|
||||||
Once Keystone is installed and running, services have to be configured to work with it.
|
Once Keystone is installed and running, services have to be configured to work with it.
|
||||||
This involves setting up projects, roles, users, and services. By default, OpenStack
|
This involves setting up services, projects, and users, and assigning roles to
|
||||||
already has several projects, roles and users created.
|
{ project, user } pair. After OpenStack is installed, when Identity (Keystone) is bootstrapped,
|
||||||
|
several services, projects, roles and users will be created by default.
|
||||||
|
|
||||||
Following is the normal process to add a service to Keystone.
|
Following is the normal process to add a service, and assign roles to
|
||||||
|
{ project, user } pairs in Keystone.
|
||||||
|
|
||||||
- Create a project
|
- Create a **service**
|
||||||
- Create a user for the service and add the user to the project
|
- Create **endpoint** of that **service**
|
||||||
- Create an admin role and assign to the user
|
- Create a **project**
|
||||||
- Create service
|
- Create a **user** that is expected to use the **service** under the **project**
|
||||||
- Create endpoint
|
- Assign an ``admin`` **role** to the { **project**, **user** } pair
|
||||||
|
|
||||||
For Gluon, we will add these objects.
|
For bootstrapping Gluon with Identity service, we will follow the procedure of:
|
||||||
|
|
||||||
- Create a new user called "gluon"
|
* Step 1: Create a new "NFV Networking" **service** named ``gluon`` (or any name) with service type ``nfvnet``
|
||||||
- Add "gluon" user to "service" project
|
|
||||||
- Add "service" role to "gluon" user in the "service" project
|
.. code-block:: bash
|
||||||
- Create a new service called "gluon"
|
|
||||||
- Create a new endpoint under the service "gluon"
|
$ openstack service create --name gluon --description "NFV Network Service" nfvnet
|
||||||
|
|
||||||
|
* Step 2: Create a new **endpoint** under the **service** ``gluon``
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# Note: you need to change the IP address 10.0.2.7 to match your environment
|
||||||
|
|
||||||
|
$ openstack endpoint create --region RegionOne gluon public http://10.0.2.7:2705/proton/
|
||||||
|
$ openstack endpoint create --region RegionOne gluon admin http://10.0.2.7:2705/proton/
|
||||||
|
$ openstack endpoint create --region RegionOne gluon internal http://10.0.2.7:2705/proton/
|
||||||
|
|
||||||
|
* Step 3: Either reuse an existing **project** (e.g. a default project named ``service``) or create a new **project**
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# We reuse "service" project here.
|
||||||
|
# If you want to create a new project:
|
||||||
|
# $ openstack project create --description <description of your new project> <new-project-name> --domain default
|
||||||
|
#
|
||||||
|
|
||||||
|
* Step 4: Create a new **user** named ``gluon`` (or any name)
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
$ openstack user create --password <password> gluon
|
||||||
|
|
||||||
|
* Step 5: Assign ``admin`` **role** to { ``service``, ``gluon`` } pair
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
$ openstack role add --project service --user gluon admin
|
||||||
|
|
||||||
Authorization
|
Authorization
|
||||||
-------------
|
-------------
|
||||||
|
|
||||||
Each OpenSack service has its own role-based access policies to allow/disallow access to
|
Each OpenSack service has its own role-based access policies to allow/disallow access to
|
||||||
specific actions. The policy.json is used to define the access control, which contains
|
specific actions. The access control policy is defined in the format of ``<action> : <rule>``.
|
||||||
each policy defined in the format "<action> : <rule>".
|
|
||||||
|
|
||||||
The <action> represents an API call like "create network" whereas <rule> determines
|
The <action> represents an API call like "create a user" whereas <rule> determines
|
||||||
under which circumstances API call is permitted. As an example, consider following rule
|
under which circumstances this API call is permitted. For example, consider following policy:
|
||||||
|
|
||||||
``"identity:create_user" : "role:admin"``
|
.. code-block:: bash
|
||||||
|
|
||||||
This rule allows admin role to create a new user in the identity service.
|
"identity:create_user" : "role:admin"
|
||||||
|
|
||||||
|
This policy allows ``admin`` **role** to create a new user in the Identity service.
|
||||||
|
|
||||||
Authorization Scope
|
Authorization Scope
|
||||||
~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
It will be possible to specify authorization at object level. In the future, we may allow
|
Currently, Gluon supports the policy-based authorization at object level. In the future,
|
||||||
setting access control at the attribute level.
|
we may consider to support this role-based access control (RBAC) at the attribute level.
|
||||||
|
|
||||||
Defining authorization rules
|
Defining Authorization Rules
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
The YAML model definitions will be enhanced to support authorization rules. We will add a new
|
In OpenStack, typically a ``policy.json`` file is used to store those RBAC policies,
|
||||||
section for policies.
|
for example, in ``/etc/nova/policy.json``. Because the APIs of those services (e.g.
|
||||||
|
``nova`` / ``compute``) are fixed, this policy.json mechanism provides flexibility
|
||||||
|
for defining policies for those services.
|
||||||
|
|
||||||
The "rules" will be defined at the system level and model authors can use the rules while
|
On the other hand, Gluon provides a model-driven approach to generate
|
||||||
defining the actions.
|
NFV Networking Service APIs (including objects, database schema, and
|
||||||
|
RESTful API endpoints) from a YAML file which models the Networking Service.
|
||||||
|
Thus it is natural to define the RBAC policies of a new service with its own YAML
|
||||||
|
model definitions in the same YAML file. Thus a new section for RBAC policies
|
||||||
|
is defined in the YAML of service model.
|
||||||
|
|
||||||
Following will be the default rules:
|
A set of default <rules> is defined at the system level (i.e. in ``gluon/policies/base.py``).
|
||||||
|
Model authors can then use those rules to define the actions, and thus the policies in YAML.
|
||||||
|
The default <rules> are defined in ``gluon/policies/base.py``:
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
"context_is_admin": "role:admin",
|
||||||
"owner": "tenant_id:%(tenant_id)s",
|
"owner": "tenant_id:%(tenant_id)s",
|
||||||
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
||||||
|
"context_is_advsvc": "role:advsvc",
|
||||||
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
||||||
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
||||||
"admin_only": "rule:context_is_admin",
|
"admin_only": "rule:context_is_admin",
|
||||||
|
"regular_user": "",
|
||||||
|
"default": "rule:admin_or_owner",
|
||||||
|
|
||||||
The actions are defined within the "policies" section as shown below.
|
The default policies are defined at the system level too (i.e. within the ``policies`` section
|
||||||
|
in ``BaseObject`` definition and ``BaseServiceBinding`` definition in
|
||||||
|
``gluon/models/base/base.yaml`` file). Model authors can define own policies for those
|
||||||
|
service objects in its own service YAML, or reuse the default policies if there is no policy
|
||||||
|
definition in service objects. The default policies defined in ``gluon/models/base/base.yaml``
|
||||||
|
are as follows:
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: bash
|
||||||
|
|
||||||
ProtonBasePort:
|
BasePort:
|
||||||
...
|
...
|
||||||
existing model definition
|
existing model definition
|
||||||
...
|
...
|
||||||
|
policies:
|
||||||
|
create:
|
||||||
|
role: "rule:admin_or_owner"
|
||||||
|
delete:
|
||||||
|
role: "rule:admin_or_owner"
|
||||||
|
list:
|
||||||
|
role: "rule:admin"
|
||||||
|
get:
|
||||||
|
role: "rule:admin_or_owner"
|
||||||
|
update:
|
||||||
|
role: "rule:admin_or_owner"
|
||||||
|
|
||||||
|
This policy defines ``create``, ``delete``, ``get``, ``get_one`` and ``update`` actions on
|
||||||
|
the ``BasePort`` object. The rules section can embed any OpenStack policy directive
|
||||||
|
that is supported.
|
||||||
|
|
||||||
policies:
|
Summary of Gluon Authorization Rules
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
actions:
|
Please refer to ``doc/samples/policy.json`` for a summary of default <rules> and default policies
|
||||||
create:
|
used in Gluon. Note that this policy.json is a historical record for informational purpose.
|
||||||
role: "rule:admin_or_network_owner"
|
The mechanism of how to define those default <rules> and default policies is at system level
|
||||||
delete:
|
as described above.
|
||||||
role: "rule:admin_or_network_owner"
|
|
||||||
get:
|
|
||||||
role: "rule:admin_or_owner"
|
|
||||||
get_one:
|
|
||||||
role: "rule:admin_or_owner"
|
|
||||||
update:
|
|
||||||
role: "rule:admin_or_network_owner"
|
|
||||||
|
|
||||||
|
More Details of OpenStack Policies
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
This policy defines create, delete, get, get_one and update actions on the ProtonBasePort object.
|
Please refer to "OpenStack Security Guide - Policies" [4]_ for more details of
|
||||||
The rules section can embed any openstack policy directive that is supported. Please see
|
OpenStack policy directive.
|
||||||
https://docs.openstack.org/kilo/config-reference/content/policy-json-file.html for complete details
|
|
||||||
of the policy.json file
|
|
||||||
|
|
||||||
Converting to policy.json file
|
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
During the installation of Gluon, the embedded policies in the YAML model file will be converted
|
|
||||||
to /etc/gluon/policy.json file. This file will have the following format.
|
|
||||||
|
|
||||||
.. code-block:: json
|
|
||||||
|
|
||||||
{
|
|
||||||
"context_is_admin": "role:admin or user_name:gluon",
|
|
||||||
"owner": "tenant_id:%(tenant_id)s",
|
|
||||||
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
|
||||||
"context_is_advsvc": "role:advsvc",
|
|
||||||
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
|
||||||
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
|
||||||
"admin_only": "rule:context_is_admin",
|
|
||||||
"regular_user": "",
|
|
||||||
"default": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"create_ports": "rule:admin_or_network_owner",
|
|
||||||
"get_ports": "rule:admin_or_owner",
|
|
||||||
"update_ports": "rule:admin_or_network_owner",
|
|
||||||
"delete_ports": "rule:admin_or_network_owner",
|
|
||||||
|
|
||||||
"create_interfaces": "rule:admin_or_network_owner",
|
|
||||||
"get_interfaces": "rule:admin_or_owner",
|
|
||||||
"update_interfaces": "rule:admin_or_network_owner",
|
|
||||||
"delete_interfaces": "rule:admin_or_network_owner",
|
|
||||||
|
|
||||||
"create_vpns": "rule:admin_or_network_owner",
|
|
||||||
"get_vpns": "rule:admin_or_owner",
|
|
||||||
"update_vpns": "rule:admin_or_network_owner",
|
|
||||||
"delete_vpns": "rule:admin_or_network_owner",
|
|
||||||
|
|
||||||
"create_vpnbindings": "rule:admin_or_network_owner",
|
|
||||||
"get_vpnbindings": "rule:admin_or_owner",
|
|
||||||
"update_vpnbindings": "rule:admin_or_network_owner",
|
|
||||||
"delete_vpnbindings": "rule:admin_or_network_owner",
|
|
||||||
|
|
||||||
"create_vpnafconfigs": "rule:admin_or_network_owner",
|
|
||||||
"get_vpnafconfigs": "rule:admin_or_owner",
|
|
||||||
"update_vpnafconfigs": "rule:admin_or_network_owner",
|
|
||||||
"delete_vpnafconfigs": "rule:admin_or_network_owner",
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
Bootstrapping policy.json
|
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
In the Devstack environment, the gluon software is installed using "python setup.py install"
|
|
||||||
command from the gluon directory. The setup script will be enhanced to support creating
|
|
||||||
/etc/gluon/policy.json file from the YAML model file. Users will be able to edit the generated
|
|
||||||
policy.json file to add their own local rules even though it is not a recommended approach.
|
|
||||||
|
|
||||||
For a production OpenStack environment, the above steps need to be done from the package
|
|
||||||
installation scripts that are supported by tools such as rpm or dpkg.
|
|
||||||
|
|
||||||
Action to API Mapping
|
Action to API Mapping
|
||||||
~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
Gluon service has to map actions to respective API calls. The OpenStack keystonemiddleware
|
Gluon service has to map actions to respective API calls. The OpenStack ``keystonemiddleware``
|
||||||
and oslo.policy(https://docs.openstack.org/oslo.policy/latest/) modules will be integrated
|
and ``oslo.policy`` [5]_ modules is integrated with Gluon to add keystone authentication
|
||||||
with Gluon to add keystone authentication and enforce RBAC policies defined in the JSON.policy file.
|
and enforce RBAC policies defined in the YAMl files.
|
||||||
|
|
||||||
The pecan-wsgi service in the Neutron will be used as a reference code for Gluon implementation
|
The pecan-wsgi service in the Neutron is used as a reference code for above implementation in Gluon.
|
||||||
|
|
||||||
|
Current implementation in Gluon is at ``gluon/api/hooks/policy_enforcement.py``.
|
||||||
|
|
||||||
Configuration
|
Configuration
|
||||||
~~~~~~~~~~~~~
|
~~~~~~~~~~~~~
|
||||||
|
|
||||||
The /etc/proton/proton.conf file can be used to configure the authentication details. A sample
|
The /etc/proton/proton.conf file is used to configure the authentication details. A sample
|
||||||
configuration is shown below. Change 127.0.0.1 to your keystone endpoint.
|
configuration is shown below. Note that you need to change IP address ``127.0.0.1``
|
||||||
|
to your keystone endpoint.
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
|
@ -205,49 +237,56 @@ configuration is shown below. Change 127.0.0.1 to your keystone endpoint.
|
||||||
auth_url = http://127.0.0.1:35357
|
auth_url = http://127.0.0.1:35357
|
||||||
auth_type = password
|
auth_type = password
|
||||||
|
|
||||||
[oslo_policy]
|
The default ``auth_strategy`` is ``noauth`` in Gluon.
|
||||||
policy_file = /etc/proton/policy.json
|
|
||||||
|
Please note that:
|
||||||
|
|
||||||
|
* ``auth_uri`` is the **external** or **public** URL that ends up in the
|
||||||
|
``WWW-Authenticate: keystone-uri=<auth_uri>`` header. It is the unversioned public endpoint,
|
||||||
|
which tells someone where they need to go to authenticate.
|
||||||
|
* ``auth_url`` is the **internal** URL that the **auth plugin** is using. It is
|
||||||
|
where the process will authenticate to before it authenticates tokens.
|
||||||
|
|
||||||
Set Environment Variables
|
Set Environment Variables
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
If Keystone is enabled for authentication, some environment variables will need
|
If Keystone is enabled for authentication, some environment variables will need
|
||||||
to be set up in order for protonclient commands to work properly. Modify the openrc
|
to be set up in order for ``protonclient`` commands to work properly.
|
||||||
file in gluon home directory with the appropriate value for you Keystone endpoint.
|
|
||||||
A sample is shown below.
|
Modify the ``openrc`` file in Gluon home directory (or in ``devstack`` home directory)
|
||||||
Then run ``source openrc <project_name> <user_name> <user_password>`` to set these variables.
|
with the appropriate value for you Keystone endpoint, your project name/tenant name,
|
||||||
|
your user name and password.
|
||||||
|
|
||||||
|
A sample is shown as follows:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
#
|
#
|
||||||
# set Keystone endpoint
|
# Configure a set of credentials for $PROJECT/$USERNAME:
|
||||||
|
# set OS_AUTH_URL to Keystone end point
|
||||||
|
# set OS_PROJECT_NAME to openstack project name
|
||||||
|
# set OS_USERNAME to openstack user name
|
||||||
|
# set ADMIN_PASSWORD to openstack password
|
||||||
|
#
|
||||||
|
# If using devstack:
|
||||||
|
# set both OS_USERNAME and OS_TENANT_NAME to "admin" or "demo"
|
||||||
|
#
|
||||||
|
# Example config for devstack:
|
||||||
|
# export OS_AUTH_URL="http://192.168.56.101:5000"
|
||||||
|
# export OS_TENANT_NAME="admin"
|
||||||
|
# export OS_USERNAME="admin"
|
||||||
|
# export OS_PASSWORD="ubuntu"
|
||||||
#
|
#
|
||||||
export OS_AUTH_URL="http://192.168.56.101:5000"
|
|
||||||
|
|
||||||
Appendix
|
Then run the following command to set these variables.
|
||||||
--------
|
|
||||||
|
|
||||||
Configuring identity details for Keystone, change 10.0.2.15 to your gluon endpoint:
|
.. code-block:: bash
|
||||||
|
|
||||||
1. Create gluon user:
|
$ source openrc <project_name> <user_name> <user_password>
|
||||||
|
|
||||||
> openstack user create --password <password> gluon
|
References
|
||||||
|
|
||||||
2. Add the admin role to the gluon user:
|
.. [2] https://docs.openstack.org/keystone/latest/admin/index.html
|
||||||
|
.. [3] ./service_binding_model
|
||||||
> openstack role add --project service --user gluon admin
|
.. [4] https://docs.openstack.org/security-guide/identity/policies.html
|
||||||
|
.. [5] https://docs.openstack.org/oslo.policy/latest/
|
||||||
3. Create the gluon service
|
|
||||||
|
|
||||||
> openstack service create --name gluon --description "Gluon" network
|
|
||||||
|
|
||||||
4. Create Gluon API endpoints
|
|
||||||
|
|
||||||
> openstack endpoint create --publicurl http://10.0.2.15:2705 \
|
|
||||||
--adminurl http://10.0.2.15:2705 --internalurl http://10.0.2.15:2705 \
|
|
||||||
--region regionOne gluon
|
|
||||||
|
|
||||||
Reference
|
|
||||||
---------
|
|
||||||
|
|
||||||
1) Port and service binding model - https://review.openstack.org/#/c/392250
|
|
||||||
|
|
|
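Review bot: The `list` policy in the base.yaml excerpt, `role: "rule:admin"`, and the matching `"list_ports": "rule:admin"` entries in the sample policy.json reference a rule name that the documented default rule set never defines — the listed rules are `context_is_admin` and `admin_only`, not `admin`. As far as I recall oslo.policy treats a `rule:` reference to an unknown rule as a failed check (fails closed), so unless an `admin` rule is registered somewhere not shown here, every list operation would be denied to all callers, admins included; the doc should either show `rule:admin_only` or state where `admin` is defined. The new sentence "The default ``auth_strategy`` is ``noauth`` in Gluon." deserves an explicit caveat that in that mode the X-Auth-Token header is presumably not validated and the API is reachable unauthenticated, so production deployments must switch to the Keystone strategy and should front the plain-http endpoints shown (`http://10.0.2.7:2705/proton/`, `auth_url = http://127.0.0.1:35357`) with TLS. The recommended invocation `source openrc <project_name> <user_name> <user_password>` places the password on the command line, where it lands in shell history and process listings; suggest documenting an interactive prompt or a protected file that exports OS_PASSWORD instead, and replacing the literal `# export OS_PASSWORD="ubuntu"` example with a placeholder.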
@ -1,3 +1,24 @@
|
||||||
|
..
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
License for the specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
|
||||||
|
Convention for heading levels in Gluon devref:
|
||||||
|
======= Heading 0 (reserved for the title in a document)
|
||||||
|
------- Heading 1
|
||||||
|
~~~~~~~ Heading 2
|
||||||
|
+++++++ Heading 3
|
||||||
|
''''''' Heading 4
|
||||||
|
(Avoid deeper levels because they do not render well.)
|
||||||
|
|
||||||
=======================
|
=======================
|
||||||
Gluon API Specification
|
Gluon API Specification
|
||||||
=======================
|
=======================
|
||||||
|
@ -23,20 +44,20 @@ endpoints created will support the basic CRUD operations on the object. Each
|
||||||
API object will have a corresponding database table. Each API object is
|
API object will have a corresponding database table. Each API object is
|
||||||
required to have a primary key field. The primary key field is used as the
|
required to have a primary key field. The primary key field is used as the
|
||||||
identifier in the generated API endpoints. For example, if we define an API
|
identifier in the generated API endpoints. For example, if we define an API
|
||||||
object for a Port with a path name of *ports* the following API URL endpoints
|
object for a Port with a path name of ``ports``, the following API URL endpoints
|
||||||
will be generated where <port_id> is the primary key.
|
will be generated where <port_id> is the primary key.
|
||||||
|
|
||||||
.. csv-table::
|
.. csv-table::
|
||||||
:header: "Operation", "URL", "Description"
|
:header: "Operation", "URL", "Description"
|
||||||
:widths: 5, 15, 15
|
:widths: 5, 15, 15
|
||||||
|
|
||||||
POST, /proton/<api_name>/ports, Create Port object
|
POST, /proton/<api_name>/<version>/ports, Create Port object
|
||||||
PUT, /proton/<api_name>/ports/<port_id>, Modify Port object
|
PUT, /proton/<api_name>/<version>/ports/<port_id>, Modify Port object
|
||||||
GET, /proton/<api_name>/ports, Get all Port objects
|
GET, /proton/<api_name>/<version>/ports, Get all Port objects
|
||||||
GET, /proton/<api_name>/ports/<port_id>, Get one Port object
|
GET, /proton/<api_name>/<version>/ports/<port_id>, Get one Port object
|
||||||
DELETE, /proton/<api_name>/ports/<port_id>, Delete a Port object
|
DELETE, /proton/<api_name>/<version>/ports/<port_id>, Delete a Port object
|
||||||
|
|
||||||
The content type for all of the operations is *application/json*.
|
The content type for all of the operations is ``application/json``.
|
||||||
|
|
||||||
The API objects can have pointer relationships and parent/child relationships
|
The API objects can have pointer relationships and parent/child relationships
|
||||||
to other API objects. A pointer relationship can be created by defining a
|
to other API objects. A pointer relationship can be created by defining a
|
||||||
|
@ -51,7 +72,7 @@ is automatically created using the primary key of the parent.
|
||||||
In addition, different API endpoints are generated to manipulate the child
|
In addition, different API endpoints are generated to manipulate the child
|
||||||
object. For example, assume we define an API object for Port and another API
|
object. For example, assume we define an API object for Port and another API
|
||||||
object for Interface where the Interface is a child of the Port. If the path
|
object for Interface where the Interface is a child of the Port. If the path
|
||||||
names are *ports* and *interfaces*, the following API URL endpoints for the
|
names are ``ports`` and ``interfaces``, the following API URL endpoints for the
|
||||||
Interface object would be generated.
|
Interface object would be generated.
|
||||||
|
|
||||||
.. list-table::
|
.. list-table::
|
||||||
|
@ -62,24 +83,24 @@ Interface object would be generated.
|
||||||
- URL
|
- URL
|
||||||
- Description
|
- Description
|
||||||
* - POST
|
* - POST
|
||||||
- /proton/<api_name>/ports/<port_id>/interfaces
|
- /proton/<api_name>/<version>/ports/<port_id>/interfaces
|
||||||
- Create Interface object
|
- Create Interface object
|
||||||
* - PUT
|
* - PUT
|
||||||
- /proton/<api_name>/ports/<port_id>/interfaces/<interface_id>
|
- /proton/<api_name>/<version>/ports/<port_id>/interfaces/<interface_id>
|
||||||
- Modify Interface object
|
- Modify Interface object
|
||||||
* - GET
|
* - GET
|
||||||
- /proton/<api_name>/ports/<port_id>/interfaces
|
- /proton/<api_name>/<version>/ports/<port_id>/interfaces
|
||||||
- Get all Interface objects for Port
|
- Get all Interface objects for Port
|
||||||
* - GET
|
* - GET
|
||||||
- /proton/<api_name>/ports/<port_id>/interfaces/<interface_id>
|
- /proton/<api_name>/<version>/ports/<port_id>/interfaces/<interface_id>
|
||||||
- Get one Interface object
|
- Get one Interface object
|
||||||
* - DELETE
|
* - DELETE
|
||||||
- /proton/<api_name>/ports/<port_id>/interfaces/<interface_id>
|
- /proton/<api_name>/<version>/ports/<port_id>/interfaces/<interface_id>
|
||||||
- Delete an Interface object
|
- Delete an Interface object
|
||||||
|
|
||||||
This document describes the specification for defining an API. Further
|
This document describes the specification for defining an API. Further
|
||||||
guidance on how to design an API using the Service Binding Model can be found
|
guidance on how to design an API can be found in the
|
||||||
`here <https://github.com/openstack/gluon/blob/master/doc/source/devref/service_binding_model.rst>`_.
|
"Port and Service Binding Model" [3]_.
|
||||||
|
|
||||||
Schema Definition
|
Schema Definition
|
||||||
-----------------
|
-----------------
|
||||||
|
@ -92,8 +113,8 @@ an JSON object. The JSON objects are very similar to the Schema Object found
|
||||||
in Swagger. However, some extensions are added and only a small subset of the
|
in Swagger. However, some extensions are added and only a small subset of the
|
||||||
properties are supported.
|
properties are supported.
|
||||||
|
|
||||||
Primitive Data Types
|
Primitive Data Types
|
||||||
---------------------
|
--------------------
|
||||||
|
|
||||||
.. list-table::
|
.. list-table::
|
||||||
:widths: 15 20 30
|
:widths: 15 20 30
|
||||||
|
@ -105,14 +126,14 @@ Primitive Data Types
|
||||||
* - integer
|
* - integer
|
||||||
- Integer number
|
- Integer number
|
||||||
- - format: int32, int64 (default: int32)
|
- - format: int32, int64 (default: int32)
|
||||||
- min: *integer*
|
- min: <integer>
|
||||||
- max: *integer*
|
- max: <integer>
|
||||||
* - number
|
* - number
|
||||||
- Floating point number
|
- Floating point number
|
||||||
- n/a
|
- n/a
|
||||||
* - string
|
* - string
|
||||||
- Text String
|
- Text String
|
||||||
- - length: *integer* (default: 255)
|
- - length: <integer> (default: 255)
|
||||||
- format: date-time, json, ipv4, ipv6, mac, url, email
|
- format: date-time, json, ipv4, ipv6, mac, url, email
|
||||||
* - boolean
|
* - boolean
|
||||||
- Boolean value (true/false)
|
- Boolean value (true/false)
|
||||||
|
@ -122,7 +143,7 @@ Primitive Data Types
|
||||||
- n/a
|
- n/a
|
||||||
* - enum
|
* - enum
|
||||||
- Text string from a list of values
|
- Text string from a list of values
|
||||||
- - values: [*string*]
|
- - values: [<string>]
|
||||||
|
|
||||||
File Structure
|
File Structure
|
||||||
--------------
|
--------------
|
||||||
|
@ -170,9 +191,9 @@ ProtonDef
|
||||||
description: "Alarm summary for port"
|
description: "Alarm summary for port"
|
||||||
...
|
...
|
||||||
|
|
||||||
The ProtonDef is the root object for the API specification. The *file_version*
|
The ProtonDef is the root object for the API specification. The ``file_version``
|
||||||
is used to identify the format used to create this file. The *info* field
|
is used to identify the format used to create this file. The ``info`` field
|
||||||
contains the metadata about the API. The *objects* field contains the base
|
contains the metadata about the API. The ``objects`` field contains the base
|
||||||
and API object definitions for the API.
|
and API object definitions for the API.
|
||||||
|
|
||||||
InfoDef
|
InfoDef
|
||||||
|
@ -188,7 +209,7 @@ InfoDef
|
||||||
author, AuthorDef_, false, Information about API authorship
|
author, AuthorDef_, false, Information about API authorship
|
||||||
|
|
||||||
The InfoDef is where metadata about the API can be specified. At a minimum the
|
The InfoDef is where metadata about the API can be specified. At a minimum the
|
||||||
*name* and *version* of the API must be specified.
|
``name`` and ``version`` of the API must be specified.
|
||||||
|
|
||||||
**Example**
|
**Example**
|
||||||
|
|
||||||
|
@ -272,12 +293,19 @@ ObjectDef
|
||||||
attributes, AttributesDef_, true, Attribute definitions of object
|
attributes, AttributesDef_, true, Attribute definitions of object
|
||||||
policies, PolicyDef_, false, Access rules for this API object
|
policies, PolicyDef_, false, Access rules for this API object
|
||||||
|
|
||||||
The ObjectDef defines either a base object or an API object. If the *api*
|
The ObjectDef defines either a base object or an API object. If the ``api``
|
||||||
field is present, it is an API object. If the *api* field is omitted, it is a
|
field is present, it is an API object. If the ``api`` field is omitted, it is a
|
||||||
base object. The *extends* field (if present) must specify the ObjectDef name
|
base object. The ``extends`` field (if present) must specify the ObjectDef name
|
||||||
of another base object. The *policies* field is only allowed for an API
|
of another base object. The ``policies`` field is only allowed for an API
|
||||||
object. If the *policies* field is omitted, no access control is applied to
|
object except that default policies are defined in ``BaseObject`` and
|
||||||
the object.
|
``BaseServiceBinding`` base objects in ``gluon/models/base/base.yaml`` file
|
||||||
|
at system level. This is because both ``BaseObject`` and ``BaseServiceBinding``
|
||||||
|
base objects are expected to be extended by other user-defined API objects.
|
||||||
|
If the ``policies`` field is omitted in those API objects, default policies
|
||||||
|
that are inherited from super class will apply. Or in rare cases, if a user-defined
|
||||||
|
API object does not extend ``BaseObject`` or ``BaseServiceBinding`` base object,
|
||||||
|
and no ``policies`` field is defined in the API object either,
|
||||||
|
no access control is applied to the API object.
|
||||||
|
|
||||||
**Example**
|
**Example**
|
||||||
|
|
||||||
|
@ -293,11 +321,11 @@ the object.
|
||||||
length: 255
|
length: 255
|
||||||
description: "Alarm summary for port"
|
description: "Alarm summary for port"
|
||||||
policies:
|
policies:
|
||||||
create: "rule:admin_or_network_owner"
|
create: "rule:admin_or_owner"
|
||||||
delete: "rule:admin_or_network_owner"
|
delete: "rule:admin_or_owner"
|
||||||
|
list: "rule:admin"
|
||||||
get: "rule:admin_or_owner"
|
get: "rule:admin_or_owner"
|
||||||
get_one: "rule:admin_or_owner"
|
update: "rule:admin_or_owner"
|
||||||
update: "rule:admin_or_network_owner"
|
|
||||||
|
|
||||||
|
|
||||||
ApiDef
|
ApiDef
|
||||||
|
@ -312,11 +340,11 @@ ApiDef
|
||||||
parent, string, false, Name of an ObjectDef specification
|
parent, string, false, Name of an ObjectDef specification
|
||||||
|
|
||||||
The ApiDef defines the API path and optionally a parent/child relationship for
|
The ApiDef defines the API path and optionally a parent/child relationship for
|
||||||
the object. The *parent* field (if present) must specify the ObjectDef name
|
the object. The ``parent`` field (if present) must specify the ObjectDef name
|
||||||
of another API object. The *name* field is used by the generated CLI code to
|
of another API object. The ``name`` field is used by the generated CLI code to
|
||||||
identify the object to be manipulated. The *plural_name* field is used by the
|
identify the object to be manipulated. The ``plural_name`` field is used by the
|
||||||
generated API code as part of the path to identify the object to be manipulated.
|
generated API code as part of the path to identify the object to be manipulated.
|
||||||
If the *plural_name* field is omitted, an 's' character is added to the name
|
If the ``plural_name`` field is omitted, an 's' character is added to the name
|
||||||
for the API path during code generation.
|
for the API path during code generation.
|
||||||
|
|
||||||
**Example**
|
**Example**
|
||||||
|
@ -336,14 +364,15 @@ PolicyDef
|
||||||
|
|
||||||
create, string, false, Rule specifier string
|
create, string, false, Rule specifier string
|
||||||
delete, string, false, Rule specifier string
|
delete, string, false, Rule specifier string
|
||||||
|
list, string, false, Rule specifier string
|
||||||
get, string, false, Rule specifier string
|
get, string, false, Rule specifier string
|
||||||
get_one, string, false, Rule specifier string
|
|
||||||
update, string, false, Rule specifier string
|
update, string, false, Rule specifier string
|
||||||
|
|
||||||
The PolicyDef defines the Role-Based Access Control (RBAC) for the object. The
|
The PolicyDef defines the Role-Based Access Control (RBAC) for the object. The
|
||||||
access to the object can be controlled for each generated action. The syntax
|
access to the object can be controlled for each generated action. Please refer to
|
||||||
of the rule specifier string is defined in the Openstack Policy
|
"Gluon Authentication and Authorization" [6]_ for more details of how
|
||||||
`document <https://docs.openstack.org/newton/config-reference/policy-json-file.html>`_.
|
RBAC is applied in Gluon. Please refer to "OpenStack Security Guide - Policies" [4]_
|
||||||
|
for more details of OpenStack policy directive.
|
||||||
|
|
||||||
**Example**
|
**Example**
|
||||||
|
|
||||||
|
@ -351,8 +380,8 @@ of the rule specifier string is defined in the Openstack Policy
|
||||||
|
|
||||||
create: "rule:admin_or_network_owner"
|
create: "rule:admin_or_network_owner"
|
||||||
delete: "rule:admin_or_network_owner"
|
delete: "rule:admin_or_network_owner"
|
||||||
|
list: "rule:admin"
|
||||||
get: "rule:admin_or_owner"
|
get: "rule:admin_or_owner"
|
||||||
get_one: "rule:admin_or_owner"
|
|
||||||
update: "rule:admin_or_network_owner"
|
update: "rule:admin_or_network_owner"
|
||||||
|
|
||||||
AttributesDef
|
AttributesDef
|
||||||
|
@ -396,23 +425,24 @@ AttributeSchemaDef
|
||||||
min, integer, false, Min value if type is integer
|
min, integer, false, Min value if type is integer
|
||||||
max, integer, false, Max value if type is integer
|
max, integer, false, Max value if type is integer
|
||||||
|
|
||||||
Each attribute is defined by an AttributeSchemaDef. The *type* field is
|
Each attribute is defined by an AttributeSchemaDef. The ``type`` field is
|
||||||
mandatory and can specify a primitive data type or it can be the name of an
|
mandatory and can specify a primitive data type or it can be the name of an
|
||||||
ObjectDef. The ObjectDef name must be for an API object. One attribute for
|
ObjectDef. The ObjectDef name must be for an API object. One attribute for
|
||||||
an object must have the *primary* field specified. The *required* field is
|
an object must have the ``primary`` field specified. The ``required`` field is
|
||||||
used to specify if the attribute must be present when creating an object. If
|
used to specify if the attribute must be present when creating an object. If
|
||||||
the *type* is enum, the *values* field must be present and define an array of
|
the ``type`` is enum, the ``values`` field must be present and define an array of
|
||||||
valid strings for the enumeration.
|
valid strings for the enumeration.
|
||||||
|
|
||||||
If the *type* is integer:
|
If the ``type`` is integer:
|
||||||
|
|
||||||
* The *format* field can specify if the integer is 32 or 64 bit. Default is int32
|
* The ``format`` field can specify if the integer is 32 or 64 bit. Default is int32
|
||||||
* The *min* field can specify the valid minimum value
|
* The ``min`` field can specify the valid minimum value
|
||||||
* The *max* field can specify the valid maximum value
|
* The ``max`` field can specify the valid maximum value
|
||||||
|
|
||||||
If the *type* is string:
|
If the ``type`` is string:
|
||||||
|
|
||||||
* The *format* field can specify the formatting that will be validated for the string. The string formatting validations supported are:
|
* The ``format`` field can specify the formatting that will be validated for the string.
|
||||||
|
The string formatting validations supported are:
|
||||||
|
|
||||||
* date-time - Validated according to Date_Time_
|
* date-time - Validated according to Date_Time_
|
||||||
* json - Valid JSON string
|
* json - Valid JSON string
|
||||||
|
@ -421,7 +451,7 @@ If the *type* is string:
|
||||||
* mac - Valid MAC address according to IEEE 802
|
* mac - Valid MAC address according to IEEE 802
|
||||||
* uri - Validated according to URI_
|
* uri - Validated according to URI_
|
||||||
* email - Validated according to EMAIL_
|
* email - Validated according to EMAIL_
|
||||||
* The *length* field can specify the size of the string. Default is 255
|
* The ``length`` field can specify the size of the string. Default is 255
|
||||||
|
|
||||||
**Example**
|
**Example**
|
||||||
|
|
||||||
|
@ -477,236 +507,321 @@ Base Objects
|
||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
file_version: 1.0
|
file_version: "1.0"
|
||||||
objects:
|
objects:
|
||||||
BasePort:
|
BaseObject:
|
||||||
attributes:
|
attributes:
|
||||||
id:
|
id:
|
||||||
type: uuid
|
type: uuid
|
||||||
primary: true:
|
primary: true
|
||||||
description: "UUID of Port instance"
|
description: "UUID of Object"
|
||||||
name:
|
tenant_id:
|
||||||
type: string
|
type: uuid
|
||||||
length: 64
|
required: true
|
||||||
description: "Descriptive name for Port"
|
description: "UUID of Tenant"
|
||||||
tenant_id:
|
name:
|
||||||
type: uuid
|
type: string
|
||||||
required: true
|
length: 64
|
||||||
description: "UUID of Tenant owning this Port"
|
description: "Descriptive name of Object"
|
||||||
mac_address:
|
policies:
|
||||||
type: string
|
create:
|
||||||
length: 17
|
role: "rule:admin_or_owner"
|
||||||
required: true
|
delete:
|
||||||
description: "MAC address for Port"
|
role: "rule:admin_or_owner"
|
||||||
validate: mac_address
|
list:
|
||||||
admin_state_up:
|
role: "rule:admin"
|
||||||
type: boolean
|
get:
|
||||||
required: true
|
role: "rule:admin_or_owner"
|
||||||
description: "Admin state of Port"
|
update:
|
||||||
status:
|
role: "rule:admin_or_owner"
|
||||||
type: enum
|
BasePort:
|
||||||
required: true
|
extends: BaseObject
|
||||||
description: "Operational status of Port"
|
attributes:
|
||||||
values:
|
mac_address:
|
||||||
- 'ACTIVE'
|
type: string
|
||||||
- 'DOWN'
|
length: 18
|
||||||
vnic_type:
|
required: true
|
||||||
type: enum
|
format: mac
|
||||||
required: true
|
description: "MAC address for Port"
|
||||||
description: "Port should be attache to this VNIC type"
|
admin_state_up:
|
||||||
values:
|
type: boolean
|
||||||
- 'normal'
|
required: true
|
||||||
- 'virtual'
|
description: "Admin state of Port"
|
||||||
- 'direct'
|
status:
|
||||||
- 'macvtap'
|
type: enum
|
||||||
- 'sriov'
|
required: true
|
||||||
- 'whole-dev'
|
description: "Operational status of Port"
|
||||||
mtu:
|
values:
|
||||||
type: integer
|
- 'ACTIVE'
|
||||||
description: "MTU"
|
- 'DOWN'
|
||||||
required: true
|
vnic_type:
|
||||||
vlan_transparency:
|
type: enum
|
||||||
type: boolean
|
required: true
|
||||||
description: "Allow VLAN tagged traffic on Port"
|
description: "Port should be attached to this VNIC type"
|
||||||
required: true
|
values:
|
||||||
profile:
|
- 'normal'
|
||||||
type: string # JSON Format
|
- 'virtual'
|
||||||
length: 128
|
- 'direct'
|
||||||
description: "JSON string for binding profile dictionary"
|
- 'macvtap'
|
||||||
format: json
|
- 'sriov'
|
||||||
device_id:
|
- 'whole-dev'
|
||||||
type: uuid
|
mtu:
|
||||||
description: "UUID of bound VM"
|
type: integer
|
||||||
device_owner:
|
description: "MTU"
|
||||||
type: string
|
required: true
|
||||||
length: 128
|
vlan_transparency:
|
||||||
description: "Name of compute or network service (if bound)"
|
type: boolean
|
||||||
host_id:
|
description: "Allow VLAN tagged traffic on Port"
|
||||||
type: string
|
required: true
|
||||||
length: 32
|
profile:
|
||||||
description: "binding:host_id: Name of bound host"
|
type: string # JSON Format
|
||||||
vif_details:
|
length: 128
|
||||||
type: string # JSON Format
|
description: "JSON string for binding profile dictionary"
|
||||||
length: 128
|
format: json
|
||||||
description: "binding:vif_details: JSON string for VIF details"
|
device_id:
|
||||||
format: json
|
type: uuid
|
||||||
vif_type:
|
description: "UUID of bound VM"
|
||||||
type: string
|
device_owner:
|
||||||
length: 32
|
type: string
|
||||||
description: "binding:vif_type: binding type for VIF"
|
length: 128
|
||||||
BaseInterface:
|
description: "Name of compute or network service (if bound)"
|
||||||
attributes:
|
host_id:
|
||||||
id:
|
type: string
|
||||||
type: uuid
|
length: 64
|
||||||
required: true
|
description: "binding:host_id: Name of bound host"
|
||||||
primary: true
|
vif_details:
|
||||||
description: "UUID of Interface instance"
|
type: string # JSON Format
|
||||||
port_id:
|
length: 128
|
||||||
type: uuid
|
description: "binding:vif_details: JSON string for VIF details"
|
||||||
required: true
|
format: json
|
||||||
description: "Pointer to Port instance"
|
vif_type:
|
||||||
segmentation_type:
|
type: string
|
||||||
type: enum
|
length: 32
|
||||||
required: true
|
description: "binding:vif_type: binding type for VIF"
|
||||||
description: "Type of segmentation for this interface"
|
BaseInterface:
|
||||||
values:
|
extends: BaseObject
|
||||||
- 'none'
|
attributes:
|
||||||
- 'vlan'
|
port_id:
|
||||||
- 'tunnel_vxlan'
|
type: uuid
|
||||||
- 'tunnel_gre'
|
required: true
|
||||||
- 'mpls'
|
description: "Pointer to Port instance"
|
||||||
segmentation_id:
|
segmentation_type:
|
||||||
type: integer
|
type: enum
|
||||||
required: true
|
required: true
|
||||||
description: "Segmentation identifier"
|
description: "Type of segmentation for this interface"
|
||||||
BaseService:
|
values:
|
||||||
attributes:
|
- 'none'
|
||||||
id:
|
- 'vlan'
|
||||||
type: uuid
|
- 'tunnel_vxlan'
|
||||||
required: true
|
- 'tunnel_gre'
|
||||||
primary: true
|
- 'mpls'
|
||||||
description: "UUID of Service instance"
|
segmentation_id:
|
||||||
name:
|
type: integer
|
||||||
type: string
|
required: true
|
||||||
length: 64
|
description: "Segmentation identifier"
|
||||||
description: "Descriptive name of Service"
|
BaseService:
|
||||||
description:
|
extends: BaseObject
|
||||||
type: string
|
attributes:
|
||||||
length: 256
|
description:
|
||||||
description: "Description of Service"
|
type: string
|
||||||
BaseServiceBinding:
|
length: 256
|
||||||
attributes:
|
description: "Description of Service"
|
||||||
interface_id:
|
BaseServiceBinding:
|
||||||
type: uuid
|
attributes:
|
||||||
required: true
|
tenant_id:
|
||||||
primary: true
|
type: uuid
|
||||||
description: "Pointer to Interface instance"
|
required: true
|
||||||
service_id:
|
description: "UUID of Tenant"
|
||||||
type: uuid
|
interface_id:
|
||||||
required: true
|
type: uuid
|
||||||
description: "Pointer to Service instance"
|
required: true
|
||||||
|
primary: true
|
||||||
|
description: "Pointer to Interface instance"
|
||||||
|
service_id:
|
||||||
|
type: uuid
|
||||||
|
required: true
|
||||||
|
description: "Pointer to Service instance"
|
||||||
|
policies:
|
||||||
|
create:
|
||||||
|
role: "rule:admin_or_owner"
|
||||||
|
delete:
|
||||||
|
role: "rule:admin_or_owner"
|
||||||
|
list:
|
||||||
|
role: "rule:admin"
|
||||||
|
get:
|
||||||
|
role: "rule:admin_or_owner"
|
||||||
|
update:
|
||||||
|
role: "rule:admin_or_owner"
|
||||||
|
|
||||||
API Specification
|
API Specification
|
||||||
*****************
|
*****************
|
||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
file_version: 1.0
|
file_version: "1.0"
|
||||||
imports: base/base.yaml
|
imports: base/base.yaml
|
||||||
info:
|
info:
|
||||||
name: net-l3vpn
|
name: net-l3vpn
|
||||||
version: 1.0
|
version: 1.0
|
||||||
description "L3VPN API Specification"
|
description: "L3VPN API Specification"
|
||||||
author:
|
author:
|
||||||
name: "Gluon Team"
|
name: "Gluon Team"
|
||||||
url: https://wiki.openstack.org/wiki/Gluon
|
url: https://wiki.openstack.org/wiki/Gluon
|
||||||
email: bh526r@att.com
|
email: bh526r@att.com
|
||||||
objects:
|
objects:
|
||||||
Port:
|
Port:
|
||||||
api:
|
api:
|
||||||
name: port
|
name: port
|
||||||
plural_name: ports
|
plural_name: ports
|
||||||
extends: BasePort
|
extends: BasePort
|
||||||
attributes:
|
Interface:
|
||||||
alarms:
|
api:
|
||||||
type: string
|
name: interface
|
||||||
length: 255
|
plural_name: interfaces
|
||||||
description: "Alarm summary for port"
|
parent: Port
|
||||||
Interface:
|
parent_key: port_id
|
||||||
api:
|
extends: BaseInterface
|
||||||
name: interface
|
attributes:
|
||||||
plural_name: interfaces
|
port_id:
|
||||||
parent: Port
|
type: Port # Override from base object for specific Service type
|
||||||
extends: BaseInterface
|
VpnService:
|
||||||
VpnService:
|
api:
|
||||||
api:
|
name: vpn
|
||||||
name: vpn
|
plural_name: vpns
|
||||||
plural_name: vpns
|
extends: BaseService
|
||||||
extends: BaseService
|
attributes:
|
||||||
attributes:
|
ipv4_family:
|
||||||
ipv4_family:
|
type: string
|
||||||
type: string
|
length: 255
|
||||||
length: 255
|
description: "Comma separated list of route target strings"
|
||||||
description: "Comma separated list of route target strings"
|
ipv6_family:
|
||||||
ipv6_family:
|
type: string
|
||||||
type: string
|
length: 255
|
||||||
length: 255
|
description: "Comma separated list of route target strings"
|
||||||
description: "Comma separated list of route target strings"
|
route_distinguishers:
|
||||||
route_distinguishers:
|
type: string
|
||||||
type: string
|
length: 32
|
||||||
length: 32
|
description: "Route distinguisher for this VPN"
|
||||||
description: "Route distinguisher for this VPN"
|
VpnBinding:
|
||||||
VpnBinding:
|
extends: BaseServiceBinding
|
||||||
extends: BaseServiceBinding
|
api:
|
||||||
api:
|
name: vpnbinding
|
||||||
name: vpnbinding
|
plural_name: vpnbindings
|
||||||
plural_name: vpnbindings
|
attributes:
|
||||||
attributes:
|
service_id: # Override from base object for specific Service type
|
||||||
service_id: # Override from base object for specific Service type
|
type: VpnService
|
||||||
type: VpnService
|
interface_id: # Override from base object for specific Interface type
|
||||||
required: true
|
type: Interface
|
||||||
primary: true
|
ipaddress:
|
||||||
description: "Pointer to VpnService instance"
|
type: string
|
||||||
ipaddress:
|
length: 16
|
||||||
type: string
|
description: "IP Address of port"
|
||||||
length: 23
|
format: ipv4
|
||||||
description: "IP Address of port"
|
subnet_prefix:
|
||||||
format: ipv4
|
type: integer
|
||||||
subnet_prefix:
|
description: "Subnet mask"
|
||||||
type: integer
|
format: int32
|
||||||
description: "Subnet mask"
|
min: 1
|
||||||
format: int32
|
max: 31
|
||||||
min: 1
|
gateway:
|
||||||
max: 31
|
type: string
|
||||||
gateway:
|
length: 16
|
||||||
type: string
|
description: "Default gateway"
|
||||||
length: 32
|
format: ipv4
|
||||||
description: "Default gateway"
|
VpnAfConfig:
|
||||||
format: ipv4
|
api:
|
||||||
VpnAfConfig:
|
name: vpnafconfig
|
||||||
api:
|
plural_name: vpnafconfigs
|
||||||
name: vpnafconfig
|
attributes:
|
||||||
plural_name: vpnafconfigs
|
tenant_id:
|
||||||
attributes:
|
type: uuid
|
||||||
vrf_rt_value:
|
required: true
|
||||||
required: True
|
description: "UUID of Tenant"
|
||||||
type: string
|
vrf_rt_value:
|
||||||
length: 32
|
required: true
|
||||||
primary: 'True'
|
type: string
|
||||||
description: "Route target string"
|
length: 32
|
||||||
vrf_rt_type:
|
primary: true
|
||||||
type: enum
|
description: "Route target string"
|
||||||
required: True
|
vrf_rt_type:
|
||||||
description: "Route target type"
|
type: enum
|
||||||
values:
|
required: true
|
||||||
- export_extcommunity
|
description: "Route target type"
|
||||||
- import_extcommunity
|
values:
|
||||||
- both
|
- export_extcommunity
|
||||||
import_route_policy:
|
- import_extcommunity
|
||||||
type: string
|
- both
|
||||||
length: 32
|
import_route_policy:
|
||||||
description: "Route target import policy"
|
type: string
|
||||||
export_route_policy:
|
length: 32
|
||||||
type: string
|
description: "Route target import policy"
|
||||||
length: 32
|
export_route_policy:
|
||||||
description: "Route target export policy"
|
type: string
|
||||||
|
length: 32
|
||||||
|
description: "Route target export policy"
|
||||||
|
policies:
|
||||||
|
create:
|
||||||
|
role: "rule:admin_or_owner"
|
||||||
|
delete:
|
||||||
|
role: "rule:admin_or_owner"
|
||||||
|
get:
|
||||||
|
role: "rule:admin_or_owner"
|
||||||
|
list:
|
||||||
|
role: "rule:admin"
|
||||||
|
update:
|
||||||
|
role: "rule:admin_or_owner"
|
||||||
|
BGPPeering:
|
||||||
|
api:
|
||||||
|
name: bgppeering
|
||||||
|
plural_name: bgppeerings
|
||||||
|
extends: BaseObject
|
||||||
|
attributes:
|
||||||
|
local_ip_address:
|
||||||
|
required: true
|
||||||
|
type: string
|
||||||
|
format: ipv4
|
||||||
|
length: 16
|
||||||
|
description: "Local IP of the SDN controller which is supposed to
|
||||||
|
create a new BGP peering with a remote SDN controller
|
||||||
|
or data center gateway. This local IP is used as a
|
||||||
|
unique identifier to allow the SDN controllers / shim
|
||||||
|
layers to determine if a new peering which has been
|
||||||
|
pushed to etcd is meant for them."
|
||||||
|
peer_ip_address:
|
||||||
|
required: true
|
||||||
|
type: string
|
||||||
|
format: ipv4
|
||||||
|
length: 16
|
||||||
|
description: "IP of the BGP neighbor to establish a peering with."
|
||||||
|
as_number:
|
||||||
|
required: true
|
||||||
|
type: integer
|
||||||
|
format: int32
|
||||||
|
description: "Autonomous system number used by the local BGP stack."
|
||||||
|
DataplaneTunnel:
|
||||||
|
api:
|
||||||
|
name: dataplanetunnel
|
||||||
|
plural_name: dataplanetunnels
|
||||||
|
extends: BaseObject
|
||||||
|
attributes:
|
||||||
|
local_tunnel_endpoint:
|
||||||
|
required: true
|
||||||
|
type: string
|
||||||
|
format: ipv4
|
||||||
|
length: 16
|
||||||
|
description: "Local tunnel endpoint IP. This IP is used as a unique
|
||||||
|
identifier to allow the SDN controller / shim layer to
|
||||||
|
determine if this dataplane tunnel is supposed to be
|
||||||
|
handled by them."
|
||||||
|
remote_tunnel_endpoint:
|
||||||
|
required: true
|
||||||
|
type: string
|
||||||
|
format: ipv4
|
||||||
|
length: 16
|
||||||
|
description: "Remote tunnel endpoint IP of the virtual switch or data
|
||||||
|
center gateway."
|
||||||
|
|
||||||
|
References
|
||||||
|
|
||||||
|
.. [6] ./gluon-auth
|
||||||
|
|
||||||
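Review bot: The new ObjectDef paragraph ends with "no access control is applied to the API object", documenting a fail-open default without telling API authors how to avoid it; the paragraph should close with an explicit rule, e.g. `Every API object must either extend BaseObject/BaseServiceBinding or declare its own policies; an object that does neither is served with no policy check at all.` The same hunk shows two different shapes for a policy entry: the PolicyDef table and its example use a plain string (`create: "rule:admin_or_owner"`), while the base.yaml and VpnAfConfig listings nest it as `create:` / `role: "rule:admin_or_owner"` — state which form the generator accepts, since a silently ignored `role:` key would leave the object with only the inherited or empty policy. Separately, `list: "rule:admin"` is the only rule name in this hunk that does not follow the `admin_or_*` naming used everywhere else; if `admin` is not a registered rule, oslo.policy evaluates an unresolved `rule:` reference as deny, so either confirm it exists or document it next to `admin_or_owner` and `admin_or_network_owner`. The api_specification.rst section starts before this chunk.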
|
|
|
@ -1,3 +1,24 @@
|
||||||
|
..
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
License for the specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
|
||||||
|
Convention for heading levels in Gluon devref:
|
||||||
|
======= Heading 0 (reserved for the title in a document)
|
||||||
|
------- Heading 1
|
||||||
|
~~~~~~~ Heading 2
|
||||||
|
+++++++ Heading 3
|
||||||
|
''''''' Heading 4
|
||||||
|
(Avoid deeper levels because they do not render well.)
|
||||||
|
|
||||||
=============================
|
=============================
|
||||||
Proton API Version Management
|
Proton API Version Management
|
||||||
=============================
|
=============================
|
||||||
|
@ -22,136 +43,177 @@ When the Proton root URI "/proton/" is accessed it will return a list of Proton
|
||||||
$ curl http://192.168.59.103:2705/proton/
|
$ curl http://192.168.59.103:2705/proton/
|
||||||
{
|
{
|
||||||
"protons":
|
"protons":
|
||||||
|
[
|
||||||
|
{ "status": "CURRENT",
|
||||||
|
"proton_service": "net-l3vpn",
|
||||||
|
"links":
|
||||||
[
|
[
|
||||||
{"id": "net-l3vpn",
|
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn",
|
||||||
"status": "CURRENT",
|
"rel": "self"
|
||||||
"links":
|
}
|
||||||
[
|
|
||||||
{"href": "http://192.168.59.103:2705/proton/net-l3vpn/",
|
|
||||||
"rel": "self"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{"id": "bgp",
|
|
||||||
"status": "CURRENT",
|
|
||||||
"links":
|
|
||||||
[
|
|
||||||
{"href": "http://192.168.59.103:2705/proton/bgp/",
|
|
||||||
"rel": "self"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
...
|
|
||||||
]
|
]
|
||||||
|
},
|
||||||
|
{ "status": "CURRENT",
|
||||||
|
"proton_service": "test",
|
||||||
|
"links":
|
||||||
|
[
|
||||||
|
{ "href": "http://192.168.59.103:2705/proton/test",
|
||||||
|
"rel": "self"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{ "status": "CURRENT",
|
||||||
|
"proton_service": "ietf-sfc",
|
||||||
|
"links":
|
||||||
|
[
|
||||||
|
{ "href": "http://192.168.59.103:2705/proton/ietf-sfc",
|
||||||
|
"rel": "self"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
Proton Version Management
|
Proton Version Management
|
||||||
-------------------------
|
-------------------------
|
||||||
|
|
||||||
|
Proton providers can specify version info in the proton model's YAML file.
|
||||||
|
|
||||||
|
**Example**
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
file_version: 1.0
|
||||||
|
imports: base/base.yaml
|
||||||
|
info:
|
||||||
|
name: net-l3vpn
|
||||||
|
version: 1.0
|
||||||
|
description "L3VPN API Specification"
|
||||||
|
...
|
||||||
|
|
||||||
Version information is appended to the root URL of a particular Proton, e.g. L3VPN.
|
Version information is appended to the root URL of a particular Proton, e.g. L3VPN.
|
||||||
For example, <some URL>/proton/net-l3vpn/v1.
|
For example, http://192.168.59.103:2705/proton/net-l3vpn/v1.0/.
|
||||||
|
|
||||||
When accessing the root URL of a particular Proton without version information, all
|
When accessing the root URL of a particular Proton without version information, all
|
||||||
available versions of this Proton will be returned so that users can choose to use
|
available versions of this Proton will be returned so that users can choose to use
|
||||||
a particular version of this Proton.
|
a particular version of this Proton.
|
||||||
|
|
||||||
When accessing the root URL of a particular Proton with version information, all
|
|
||||||
available resources in this version of Proton will be returned.
|
|
||||||
|
|
||||||
Proton providers can specify version info in the proton model's yaml file.
|
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ curl http://192.168.59.103:2705/proton/net-l3vpn/
|
$ curl http://192.168.59.103:2705/proton/net-l3vpn/
|
||||||
{
|
{
|
||||||
"default_version":
|
"default_version":
|
||||||
{"id": "v1",
|
{ "status": "CURRENT",
|
||||||
"status": "CURRENT",
|
"proton_service": "net-l3vpn",
|
||||||
"links":
|
"links":
|
||||||
[
|
[
|
||||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/",
|
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0",
|
||||||
"rel": "self"
|
"rel": "self"
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"versions":
|
|
||||||
[
|
|
||||||
{"id": "v1",
|
|
||||||
"status": "CURRENT",
|
|
||||||
"links":
|
|
||||||
[
|
|
||||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/",
|
|
||||||
"rel": "self"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"name": "net-l3vpn",
|
"version_id": "v1.0"
|
||||||
"description": "net-l3vpn description..."
|
},
|
||||||
|
"versions":
|
||||||
|
[
|
||||||
|
{ "status": "CURRENT",
|
||||||
|
"proton_service": "net-l3vpn",
|
||||||
|
"links":
|
||||||
|
[
|
||||||
|
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0",
|
||||||
|
"rel": "self"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"version_id": "v1.0"
|
||||||
|
}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
When accessing the root URL of a particular Proton with version information, all
|
||||||
|
available resources in this version of Proton will be returned.
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ curl http://192.168.59.103:2705/proton/net-l3vpn/v1/
|
$ curl http://192.168.59.103:2705/proton/net-l3vpn/v1.0/
|
||||||
{
|
{
|
||||||
"resources":
|
"resources":
|
||||||
[
|
[
|
||||||
{"id": "interface",
|
{ "status": "CURRENT",
|
||||||
"status": "CURRENT",
|
"proton_service": "net-l3vpn",
|
||||||
"links":
|
"resource_name": "dataplanetunnels",
|
||||||
[
|
"links":
|
||||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/interface/",
|
[
|
||||||
"rel": "self"
|
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/dataplanetunnels",
|
||||||
}
|
"rel": "self"
|
||||||
]
|
}
|
||||||
},
|
],
|
||||||
{"id": "port",
|
"version_id": "v1.0"
|
||||||
"status": "CURRENT",
|
},
|
||||||
"links":
|
{ "status": "CURRENT",
|
||||||
[
|
"proton_service": "net-l3vpn",
|
||||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/port/",
|
"resource_name": "bgppeerings",
|
||||||
"rel": "self"
|
"links":
|
||||||
}
|
[
|
||||||
]
|
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/bgppeerings",
|
||||||
},
|
"rel": "self"
|
||||||
{"id": "vpn",
|
}
|
||||||
"status": "CURRENT",
|
],
|
||||||
"links":
|
"version_id": "v1.0"
|
||||||
[
|
},
|
||||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/vpn/",
|
{ "status": "CURRENT",
|
||||||
"rel": "self"
|
"proton_service": "net-l3vpn",
|
||||||
}
|
"resource_name": "vpnafconfigs",
|
||||||
]
|
"links":
|
||||||
},
|
[
|
||||||
{"id": "vpnafconfig",
|
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/vpnafconfigs",
|
||||||
"status": "CURRENT",
|
"rel": "self"
|
||||||
"links":
|
}
|
||||||
[
|
],
|
||||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/vpnafconfig/",
|
"version_id": "v1.0"
|
||||||
"rel": "self"
|
},
|
||||||
}
|
{ "status": "CURRENT",
|
||||||
]
|
"proton_service": "net-l3vpn",
|
||||||
},
|
"resource_name": "vpns",
|
||||||
{"id": "vpnbinding",
|
"links":
|
||||||
"status": "CURRENT",
|
[
|
||||||
"links":
|
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/vpns",
|
||||||
[
|
"rel": "self"
|
||||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/binding/",
|
}
|
||||||
"rel": "self"
|
],
|
||||||
}
|
"version_id": "v1.0"
|
||||||
]
|
},
|
||||||
}
|
{ "status": "CURRENT",
|
||||||
]
|
"proton_service": "net-l3vpn",
|
||||||
|
"resource_name": "interfaces",
|
||||||
|
"links":
|
||||||
|
[
|
||||||
|
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/interfaces",
|
||||||
|
"rel": "self"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"version_id": "v1.0"
|
||||||
|
},
|
||||||
|
{ "status": "CURRENT",
|
||||||
|
"proton_service": "net-l3vpn",
|
||||||
|
"resource_name": "vpnbindings",
|
||||||
|
"links":
|
||||||
|
[
|
||||||
|
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/vpnbindings",
|
||||||
|
"rel": "self"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"version_id": "v1.0"
|
||||||
|
},
|
||||||
|
{ "status": "CURRENT",
|
||||||
|
"proton_service": "net-l3vpn",
|
||||||
|
"resource_name": "ports",
|
||||||
|
"links":
|
||||||
|
[
|
||||||
|
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/ports",
|
||||||
|
"rel": "self"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"version_id": "v1.0"
|
||||||
|
}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
**Example**
|
|
||||||
|
|
||||||
::
|
|
||||||
|
|
||||||
file_version: 1.0
|
|
||||||
imports: base/base.yaml
|
|
||||||
info:
|
|
||||||
name: net-l3vpn
|
|
||||||
version: 1.0
|
|
||||||
description "L3VPN API Specification"
|
|
||||||
...
|
|
||||||
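Review bot: The new YAML example under "Proton Version Management" keeps `file_version: 1.0` and `description "L3VPN API Specification"` (missing colon), the same broken syntax that the api_specification.rst change in this commit corrects to `file_version: "1.0"` and `description: "L3VPN API Specification"`; the example should match so it can be pasted as-is. The block is also tagged `.. code-block:: bash` although its content is YAML, so `.. code-block:: yaml` would render it correctly. The curl examples are bare `http://` requests with no token header; if these discovery endpoints are expected to require a token when authentication is enabled, say so here with a pointer to the authentication document rather than leaving readers to copy the anonymous form into a deployment.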
|
|
|
@ -30,28 +30,32 @@ Current Repository Structure
|
||||||
----------------------------
|
----------------------------
|
||||||
|
|
||||||
- **doc**
|
- **doc**
|
||||||
- samples # Sample policy.json and proton.conf files
|
- doc/samples # Sample policy.json.sample and proton.conf.sample files
|
||||||
- source # All documentation
|
- doc/source # All documentation
|
||||||
- devref # Developer Guides
|
- doc/source/devref # Developer Guides
|
||||||
- testcase # Test Case proposals
|
- doc/source/installation # Installation Guides
|
||||||
|
- doc/source/testcase # Test Case proposals
|
||||||
|
|
||||||
- **etc** # Config options for model handlers and backends
|
- **etc** # Config options for model handlers and backends
|
||||||
- proton # Config options for Protons
|
- etc/proton # Config options for Protons
|
||||||
- shim # Config options for Shims
|
- etc/shim # Config options for Shims
|
||||||
|
|
||||||
- **gluon** # Gluon code base
|
- **gluon** # Gluon code base
|
||||||
- api # Proton API model and control
|
- gluon/api # Proton API model and control
|
||||||
- backends # Proton backend handlers, including ``net_l3vpn`` model handler
|
- gluon/api/hooks # Policy enforcement is included here
|
||||||
- cmd # CLI API generator and other tools
|
- gluon/backends # Proton backend handlers, including ``net_l3vpn`` model handler
|
||||||
- common # Common libraries
|
- gluon/cmd # CLI API generator and other tools
|
||||||
- db # Database handler
|
- gluon/conf # Handling configuration options in /etc/proton/proton.conf
|
||||||
- managers # API manager, including ``net_l3vpn`` API manager
|
- gluon/common # Common libraries
|
||||||
- models # Proton data model, including base model and ``net_l3vpn`` model
|
- gluon/db # Database handler, e.g. managing database /opt/proton/gluon.sqlite
|
||||||
- particleGenerator # Particle Generator to generate APIs from YAML
|
- gluon/managers # API and model manager, including ``net_l3vpn`` API manager
|
||||||
- plugin # Extended ML2 Plugin for Gluon, a.k.a. Gluon Wrapper Plugin
|
- gluon/models # Proton data model, including base model ``net_l3vpn`` model, and ``ietf-sfc`` model
|
||||||
- shim # Shim Layer, including ``net-l3vpn`` model, sample backend and ODL backend
|
- gluon/particleGenerator # Particle Generator to generate APIs from YAML
|
||||||
- sync_etcd # Make hosts of ``etcd`` configurable
|
- gluon/plugin # Extended ML2 Plugin for Gluon, a.k.a. Gluon Wrapper Plugin
|
||||||
- tests # Unit tests
|
- gluon/policies # Default rules definition at system level
|
||||||
|
- gluon/shim # Shim Layer, including ``net-l3vpn`` model, sample backend and ODL backend
|
||||||
|
- gluon/sync_etcd # Make hosts of ``etcd`` configurable
|
||||||
|
- gluon/tests # Unit tests
|
||||||
|
|
||||||
- **releasenotes** # Enable release notes translation. Initiated by cookiecutter when repo was created
|
- **releasenotes** # Enable release notes translation. Initiated by cookiecutter when repo was created
|
||||||
|
|
||||||
|
|
|
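Review bot: The new entry `- gluon/policies # Default rules definition at system level` leaves unclear how it relates to the policy defaults that the installation guide in this same change locates in `gluon/models/base/base.yaml` (RBAC-8), so a reader looking for where a given rule lives cannot tell from this list which directory to open. Suggest `- gluon/policies # System-level rule definitions (admin/owner context rules); per-resource default rules live in gluon/models/base/base.yaml`, and the mirrored wording on the `gluon/models` line. The `gluon/api/hooks # Policy enforcement is included here` line could likewise name the hook responsible so the two entries read as one mechanism.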
@ -21,6 +21,42 @@
|
||||||
''''''' Heading 4
|
''''''' Heading 4
|
||||||
(Avoid deeper levels because they do not render well.)
|
(Avoid deeper levels because they do not render well.)
|
||||||
|
|
||||||
|
=================
|
||||||
|
Install OpenStack
|
||||||
|
=================
|
||||||
|
|
||||||
|
Before you start installing ``etcd``, please make sure that you have installed
|
||||||
|
OpenStack Pike Release. For example, to install ``devstack`` Pike release:
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
$ git clone https://github.com/openstack-dev/devstack -b stable/pike
|
||||||
|
|
||||||
|
# Then generate local.conf in devstack directory, then run
|
||||||
|
$ ./stack.sh
|
||||||
|
|
||||||
|
=======================================
|
||||||
|
Stop ``etcd3`` in Devstack Pike Release
|
||||||
|
=======================================
|
||||||
|
|
||||||
|
OpenStack Pike Release starts ``etcd3`` by default when user starts stack,
|
||||||
|
while Gluon is based on ``etcd-v2.3.6``. This will cause issue for Gluon.
|
||||||
|
Thus you need to stop ``etcd3`` that is started by OpenStack Pike.
|
||||||
|
|
||||||
|
For Devstack Pike Release:
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
$ sudo systemctl stop devstack@etcd.service
|
||||||
|
|
||||||
|
You may double check to make sure there is no etcd3 running:
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
$ ps -aef | grep etcd
|
||||||
|
|
||||||
|
You should not see any etcd process running.
|
||||||
|
|
||||||
==========================
|
==========================
|
||||||
Install ``etcd`` for Gluon
|
Install ``etcd`` for Gluon
|
||||||
==========================
|
==========================
|
||||||
|
@ -37,22 +73,23 @@ On Each Node
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
curl -L https://github.com/coreos/etcd/releases/download/v2.3.6/etcd-v2.3.6-linux-amd64.tar.gz -o etcd-v2.3.6-linux-amd64.tar.gz
|
$ curl -L https://github.com/coreos/etcd/releases/download/v2.3.6/etcd-v2.3.6-linux-amd64.tar.gz -o etcd-v2.3.6-linux-amd64.tar.gz
|
||||||
Unzip/Untar the downloaded file
|
|
||||||
|
# Then Unzip/Untar the downloaded file
|
||||||
|
|
||||||
**STEP-2**: Copy executables to ``/usr/local/bin``
|
**STEP-2**: Copy executables to ``/usr/local/bin``
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
cd etcd-v2.3.6-linux-amd64
|
$ cd etcd-v2.3.6-linux-amd64
|
||||||
sudo cp etcd /usr/local/bin
|
$ sudo cp etcd /usr/local/bin
|
||||||
sudo cp etcdctl /usr/local/bin
|
$ sudo cp etcdctl /usr/local/bin
|
||||||
|
|
||||||
**STEP-3**: Create a directory for ``etcd`` data
|
**STEP-3**: Create a directory for ``etcd`` data
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
sudo mkdir /var/etcd
|
$ sudo mkdir /var/etcd
|
||||||
|
|
||||||
**STEP-4**: Create upstart ``init`` file:
|
**STEP-4**: Create upstart ``init`` file:
|
||||||
|
|
||||||
|
@ -135,8 +172,12 @@ For instance, the files on the other two nodes would look like:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
sudo iptables -A INPUT -p tcp -m multiport --ports 2380,2379 -m comment --comment "etcd" -j ACCEPT
|
$ sudo iptables -A INPUT -p tcp -m multiport --ports 2380,2379 -m comment --comment "etcd" -j ACCEPT
|
||||||
sudo invoke-rc.d iptables-persistent save
|
$ sudo invoke-rc.d iptables-persistent save
|
||||||
|
|
||||||
|
# Note: for Ubuntu 16.04, you may have to use netfilter-persistent as follows:
|
||||||
|
# sudo apt-get install netfilter-persistent
|
||||||
|
# sudo invoke-rc.d netfilter-persistent save
|
||||||
|
|
||||||
**STEP-7**: Start the ``etcd`` server:
|
**STEP-7**: Start the ``etcd`` server:
|
||||||
|
|
||||||
|
@ -144,15 +185,15 @@ As root:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
initctl start etcd
|
$ initctl start etcd
|
||||||
|
|
||||||
Or on ``ubuntu 14.04``, run:
|
Or on ``ubuntu 14.04``, run:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
sudo start etcd
|
$ sudo start etcd
|
||||||
|
|
||||||
**STEP-8**: Verify the cluster is healty:
|
**STEP-8**: Verify the cluster is healthy:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
|
|
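Review bot: The firewall rule in the hunk at `@ -135,8 +172,12 @@` accepts TCP 2379/2380 from any source (`-A INPUT -p tcp -m multiport --ports 2380,2379 -m comment --comment "etcd" -j ACCEPT`), and nothing in this guide enables etcd authentication or TLS, so the whole key space is reachable by any host that can route to the node. Restricting the rule to the cluster members, e.g. `$ sudo iptables -A INPUT -p tcp -s <PEER_CIDR> -m multiport --ports 2380,2379 -m comment --comment "etcd" -j ACCEPT`, and stating that assumption in the text would be the minimum. The download step in `@ -37,22 +73,23 @@` fetches the tarball with `curl -L ... -o` and never checks it; a sentence telling the reader to compare the archive's SHA256 with the value published on the release page before copying `etcd`/`etcdctl` into /usr/local/bin belongs there, as does a note that v2.3.6 is a pinned, end-of-life release that should not be exposed beyond the cluster.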
@ -33,12 +33,12 @@ On Controller
|
||||||
|
|
||||||
Assume the user logged in with sudo privileges. On an Ubuntu system:
|
Assume the user logged in with sudo privileges. On an Ubuntu system:
|
||||||
|
|
||||||
**STEP-1**: Clone Gluon Repository ``stable/ocata`` branch:
|
**STEP-1**: Clone Gluon Repository ``stable/pike`` branch:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ cd ~
|
$ cd ~
|
||||||
$ git clone https://github.com/openstack/gluon.git -b stable/ocata
|
$ git clone https://github.com/openstack/gluon.git -b stable/pike
|
||||||
|
|
||||||
**STEP-2**: Create user and group for gluon and proton users
|
**STEP-2**: Create user and group for gluon and proton users
|
||||||
|
|
||||||
|
@ -50,9 +50,9 @@ Assume the user logged in with sudo privileges. On an Ubuntu system:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ sudo mkdir /opt/proton
|
$ sudo mkdir /opt/proton # Proton working directory, for such as gluon.sqlite
|
||||||
$ sudo mkdir /etc/proton
|
$ sudo mkdir /etc/proton # Proton configuration directory, for such as proton.conf
|
||||||
$ sudo mkdir /var/log/proton
|
$ sudo mkdir /var/log/proton # Proton logs
|
||||||
|
|
||||||
**STEP-4**: Setup ``iptables``
|
**STEP-4**: Setup ``iptables``
|
||||||
|
|
||||||
|
@ -69,16 +69,27 @@ Assume the user logged in with sudo privileges. On an Ubuntu system:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ sudo cat > /etc/proton/proton.conf <<EOF
|
#
|
||||||
[DEFAULT]
|
# Copy ~/gluon/etc/proton/proton.conf to /etc/proton/proton.conf
|
||||||
state_path = /opt/proton
|
# Copy ~/gluon/etc/proton/policy.json to /etc/proton/policy.json
|
||||||
EOF
|
#
|
||||||
|
|
||||||
|
$ sudo cp ~/gluon/etc/proton/proton.conf /etc/proton/
|
||||||
|
$ sudo cp ~/gluon/etc/proton/policy.json /etc/proton/
|
||||||
|
|
||||||
|
# After copying proton.conf, if you do not plan to use RBAC (Role-based Access Control) in Gluon,
|
||||||
|
# please modify proton.conf by changing "auth_strategy" to "noauth" in [api] section. i.e:
|
||||||
|
#
|
||||||
|
# [api]
|
||||||
|
# auth_strategy = noauth
|
||||||
|
#
|
||||||
|
|
||||||
$ sudo chown -R proton:proton /opt/proton
|
$ sudo chown -R proton:proton /opt/proton
|
||||||
$ sudo chown -R proton:proton /etc/proton
|
$ sudo chown -R proton:proton /etc/proton
|
||||||
$ sudo chown -R proton:proton /var/log/proton
|
$ sudo chown -R proton:proton /var/log/proton
|
||||||
$ sudo chmod 750 /etc/proton
|
$ sudo chmod 750 /etc/proton
|
||||||
$ sudo chmod 644 /etc/proton/proton.conf
|
$ sudo chmod 644 /etc/proton/proton.conf
|
||||||
|
$ sudo chmod 644 /etc/proton/policy.json
|
||||||
$ sudo chmod 750 /var/log/proton
|
$ sudo chmod 750 /var/log/proton
|
||||||
|
|
||||||
**STEP-6**: Install Gluon package
|
**STEP-6**: Install Gluon package
|
||||||
|
@ -86,7 +97,7 @@ Assume the user logged in with sudo privileges. On an Ubuntu system:
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ cd ~/gluon
|
$ cd ~/gluon
|
||||||
$ pip install -r requirements.txt
|
$ sudo pip install -r requirements.txt
|
||||||
$ python setup.py build
|
$ python setup.py build
|
||||||
$ sudo python setup.py develop
|
$ sudo python setup.py develop
|
||||||
$ sudo python setup.py install
|
$ sudo python setup.py install
|
||||||
|
@ -123,7 +134,7 @@ following command:
|
||||||
"ports": []
|
"ports": []
|
||||||
}
|
}
|
||||||
|
|
||||||
**STEP-9**: Modify ``neutron.conf`` to point to the ``gluon plugin``
|
**STEP-9**: Modify ``neutron.conf`` to point ``core_plugin`` to the ``gluon.plugin.core.GluonPlugin``
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
@ -140,6 +151,9 @@ Or in a devstack environment, do the following:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
$ service devstack@q-svc restart
|
||||||
|
|
||||||
|
# Alternatively, you can do:
|
||||||
# do "screen -x"
|
# do "screen -x"
|
||||||
# goto the screen for q-svc
|
# goto the screen for q-svc
|
||||||
# do "Ctrl C" to kill the service
|
# do "Ctrl C" to kill the service
|
||||||
|
@ -151,10 +165,16 @@ Or in a devstack environment, do the following:
|
||||||
|
|
||||||
# Source the openrc file for the admin user (depends on your system)
|
# Source the openrc file for the admin user (depends on your system)
|
||||||
# Create the dummy Gluon Network:
|
# Create the dummy Gluon Network:
|
||||||
$ neutron net-create --shared --provider:network_type local GluonNetwork
|
$ openstack network create --share --provider-network-type local GluonNetwork
|
||||||
|
|
||||||
|
# Or legacy way:
|
||||||
|
# neutron net-create --shared --provider:network_type local GluonNetwork
|
||||||
|
|
||||||
# Create the dummy GluonSubnet:
|
# Create the dummy GluonSubnet:
|
||||||
$ neutron subnet-create --name GluonSubnet --no-gateway --disable-dhcp GluonNetwork 0.0.0.0/1
|
$ openstack subnet create --network GluonNetwork --no-dhcp --gateway none --subnet-range 0.0.0.0/1 GluonSubnet
|
||||||
|
|
||||||
|
# Or legacy way:
|
||||||
|
# neutron subnet-create --name GluonSubnet --no-gateway --disable-dhcp GluonNetwork 0.0.0.0/1
|
||||||
|
|
||||||
**STEP-12**: Restart ``neutron-server``
|
**STEP-12**: Restart ``neutron-server``
|
||||||
|
|
||||||
|
@ -162,6 +182,9 @@ Or in a devstack environment, do the following:
|
||||||
|
|
||||||
service neutron-server restart
|
service neutron-server restart
|
||||||
|
|
||||||
|
# Or in Devstack:
|
||||||
|
$ service devstack@q-svc restart
|
||||||
|
|
||||||
** The controller should be setup now**
|
** The controller should be setup now**
|
||||||
|
|
||||||
**STEP-13**: Running the Sample Shim Layer Server
|
**STEP-13**: Running the Sample Shim Layer Server
|
||||||
|
@ -176,7 +199,134 @@ A test shim server is included in the gluon package. You need to:
|
||||||
# Modify host list for shim server
|
# Modify host list for shim server
|
||||||
# Create br-gluon bridge
|
# Create br-gluon bridge
|
||||||
|
|
||||||
|
Role-based Access Control of Gluon
|
||||||
|
----------------------------------
|
||||||
|
|
||||||
|
After we complete the basic setups as instructed above,
|
||||||
|
Advanced users may also want to enable RBAC feature in Gluon.
|
||||||
|
Please refer to [2]_ for the basic concept, and how to configure
|
||||||
|
and enable RBAC in Gluon. Here is the summary of steps:
|
||||||
|
|
||||||
|
* RBAC-1: Create a new "NFV Networking" **service** named ``gluon``
|
||||||
|
with service type ``nfvnet``
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
$ openstack service create --name gluon --description "NFV Network Service" nfvnet
|
||||||
|
|
||||||
|
* RBAC-2: Create a new **endpoint** under the **service** ``gluon``
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# Note: you need to change the IP address 10.0.2.7 to match your environment
|
||||||
|
|
||||||
|
$ openstack endpoint create --region RegionOne gluon public http://10.0.2.7:2705/proton/
|
||||||
|
$ openstack endpoint create --region RegionOne gluon admin http://10.0.2.7:2705/proton/
|
||||||
|
$ openstack endpoint create --region RegionOne gluon internal http://10.0.2.7:2705/proton/
|
||||||
|
|
||||||
|
* RBAC-3: We reuse an existing **project** named ``service``
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you want to create a new project:
|
||||||
|
# $ openstack project create --description <description of your new project> <new-project-name> --domain default
|
||||||
|
#
|
||||||
|
|
||||||
|
* RBAC-4: Create a new **user** named ``gluon`` and password ``gluon``
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
$ openstack user create --password gluon gluon
|
||||||
|
|
||||||
|
* RBAC-5: Assign ``admin`` **role** to { ``service``, ``gluon`` } pair
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
$ openstack role add --project service --user gluon admin
|
||||||
|
|
||||||
|
* RBAC-6: Set environment variables
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# Modify the ``openrc`` file in Gluon home directory (or in``devstack`` home directory)
|
||||||
|
# with the appropriate value for you Keystone endpoint, your project name/tenant name,
|
||||||
|
# your user name and password. Then run the following command to set these variables.
|
||||||
|
#
|
||||||
|
# $ source openrc <project_name> <user_name> <user_password>
|
||||||
|
|
||||||
|
$ source openrc service gluon gluon
|
||||||
|
|
||||||
|
* RBAC-7: Add the following configuration in ``/etc/proton/proton.conf``. Note that the
|
||||||
|
``project_name``, ``username`` and ``password`` must match what you have created/used
|
||||||
|
in prior steps.
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
[api]
|
||||||
|
auth_strategy = keystone
|
||||||
|
|
||||||
|
[keystone_authtoken]
|
||||||
|
auth_uri = http://10.0.2.7:5000
|
||||||
|
project_domain_name = Default
|
||||||
|
project_name = service
|
||||||
|
user_domain_name = Default
|
||||||
|
password = gluon
|
||||||
|
username = gluon
|
||||||
|
auth_url = http://10.0.2.7:35357
|
||||||
|
auth_type = password
|
||||||
|
|
||||||
|
* RBAC-8: If policies are defined in YAML, those policies will be applied.
|
||||||
|
Otherwise, default policies defined in ``gluon/models/base/base.yaml`` will be used.
|
||||||
|
|
||||||
|
* RBAC-9: Restart ``proton-server``
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
$ sudo /usr/local/bin/proton-server --config-file /etc/proton/proton.conf --logfile /var/log/proton/api.log
|
||||||
|
|
||||||
|
* RBAC-10: Get token using curl or OpenStack CLI:
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# Use curl
|
||||||
|
#
|
||||||
|
$ curl -s -X POST http://192.0.2.4:5000/v2.0/tokens \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
-d '{"auth": {"tenantName": "'"$OS_TENANT_NAME"'", \
|
||||||
|
"passwordCredentials": {"username": "'"$OS_USERNAME"'", \
|
||||||
|
"password": "'"$OS_PASSWORD"'"}}}' \
|
||||||
|
| python -m json.tool
|
||||||
|
|
||||||
|
#
|
||||||
|
# Or use OpenStack CLI
|
||||||
|
#
|
||||||
|
|
||||||
|
$ openstack token issue
|
||||||
|
|
||||||
|
* RBAC-10: Now you can access Proton server with token
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# Note: you need to replace the exemplary token value with your own token value
|
||||||
|
# and replace the Proton server URL with your own URL
|
||||||
|
#
|
||||||
|
|
||||||
|
$ curl -s -H "X-Auth-Token: 1678f8ef3a97497b842f0f7088b0b090" http://192.0.2.4:2705 | python -m json.tool
|
||||||
|
|
||||||
|
#
|
||||||
|
# Get a specific port information
|
||||||
|
# Note you also need to replace the exemplary port-id with your own port-id
|
||||||
|
#
|
||||||
|
|
||||||
|
$ curl -s -H "X-Auth-Token: 1678f8ef3a97497b842f0f7088b0b090" http://192.0.2.4:2705/proton/net-l3vpn/v1.0/ports/30f12741-ffe8-4c85-819b-04a496251f00
|
||||||
|
|
||||||
|
* RBAC-11: At this moment, RBAC should work fine now. You need to make sure that
|
||||||
|
"X-Auth-Token: <auth-token>" header is always added in your RESTful http request.
|
||||||
|
|
||||||
References
|
References
|
||||||
|
|
||||||
.. [1] install_etcd
|
.. [1] install_etcd
|
||||||
|
.. [2] ../devref/gluon-auth.inc
|
||||||
|
|
|
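Review bot: RBAC-4 and RBAC-7 in the hunk at `@ -176,7 +199,134 @@` create the `gluon` service user with the literal password `gluon` and then store that same secret in plaintext in `/etc/proton/proton.conf`, which the hunk at `@ -69,16 +69,27 @@` sets to `chmod 644`; the text should tell the reader to choose their own value (a placeholder such as `--password <GLUON_SERVICE_PASSWORD>`, repeated in the `[keystone_authtoken]` block) and tighten the file to `$ sudo chmod 640 /etc/proton/proton.conf` once it carries a credential. The `auth_strategy = noauth` instruction added in that same earlier hunk deserves a one-line caveat that with noauth the Proton API on port 2705 accepts requests from anyone who can reach it, so it is only appropriate on a host not exposed beyond the lab. The curl example under RBAC-10 uses the Identity `v2.0/tokens` endpoint, which is deprecated in Pike, while the rest of the guide uses the v3-capable `openstack` CLI; leading with `openstack token issue` (already shown) or the v3 `auth/tokens` call would keep the guide consistent. Two steps are numbered RBAC-10 (token retrieval and the first authenticated request); the second should be RBAC-11 and the current RBAC-11 becomes RBAC-12.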
@ -30,6 +30,16 @@ and then use ``nova boot`` to bind the port to a VM. It is assumed that you
|
||||||
have already installed ``etcd`` and **Gluon Plugin**, and started
|
have already installed ``etcd`` and **Gluon Plugin**, and started
|
||||||
**Proton Server**. If not, please refer to [1]_.
|
**Proton Server**. If not, please refer to [1]_.
|
||||||
|
|
||||||
|
Advanced users may also want to enable RBAC feature in Gluon. Please refer to
|
||||||
|
"Gluon Authentication and Authorization" [2]_ for the basic concept,
|
||||||
|
and how to configure and enable RBAC in Gluon. The setup steps are also described
|
||||||
|
in [1]_.
|
||||||
|
|
||||||
|
This User Guide provides CLI examples. The RESTful API is specified in
|
||||||
|
"Gluon API Specification" [3]_. If RBAC is enabled, you need to make sure
|
||||||
|
that "X-Auth-Token: <auth-token>" header is always added in your
|
||||||
|
RESTful HTTP request.
|
||||||
|
|
||||||
Getting Help
|
Getting Help
|
||||||
------------
|
------------
|
||||||
|
|
||||||
|
@ -38,12 +48,16 @@ information:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# GET /proton HTTP/1.1
|
||||||
|
|
||||||
$ protonclient --help
|
$ protonclient --help
|
||||||
|
--api is not specified!
|
||||||
|
|
||||||
Usage: protonclient --api <api_name> [OPTIONS] COMMAND[ARGS]...
|
Usage: protonclient --api <api_name> [OPTIONS] COMMAND[ARGS]...
|
||||||
|
|
||||||
Options:
|
Options:
|
||||||
--api TEXT Name of API, one of ['net-l3vpn', 'test']
|
--api TEXT Name of API, one of ['ietf-sfc', 'net-l3vpn', 'test']
|
||||||
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
||||||
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
||||||
--help Show this message and exit.
|
--help Show this message and exit.
|
||||||
|
@ -58,13 +72,16 @@ parameters are required, and gives you general help information too:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# GET /proton HTTP/1.1
|
||||||
|
|
||||||
$ protonclient
|
$ protonclient
|
||||||
--api is not specified!
|
--api is not specified!
|
||||||
|
|
||||||
Usage: protonclient --api <api_name> [OPTIONS] COMMAND[ARGS]...
|
Usage: protonclient --api <api_name> [OPTIONS] COMMAND[ARGS]...
|
||||||
|
|
||||||
Options:
|
Options:
|
||||||
--api TEXT Name of API, one of ['net-l3vpn', 'test']
|
--api TEXT Name of API, one of ['ietf-sfc', 'net-l3vpn', 'test']
|
||||||
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
||||||
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
||||||
--help Show this message and exit.
|
--help Show this message and exit.
|
||||||
|
@ -78,6 +95,9 @@ correct command line usage.
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# GET /proton/net-l3vpn/v1.0 HTTP/1.1
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn
|
$ protonclient --api net-l3vpn
|
||||||
Usage: protonclient [OPTIONS] COMMAND [ARGS]...
|
Usage: protonclient [OPTIONS] COMMAND [ARGS]...
|
||||||
|
|
||||||
|
@ -85,6 +105,16 @@ correct command line usage.
|
||||||
--help Show this message and exit.
|
--help Show this message and exit.
|
||||||
|
|
||||||
Commands:
|
Commands:
|
||||||
|
bgppeering-create
|
||||||
|
bgppeering-delete
|
||||||
|
bgppeering-list
|
||||||
|
bgppeering-show
|
||||||
|
bgppeering-update
|
||||||
|
dataplanetunnel-create
|
||||||
|
dataplanetunnel-delete
|
||||||
|
dataplanetunnel-list
|
||||||
|
dataplanetunnel-show
|
||||||
|
dataplanetunnel-update
|
||||||
interface-create
|
interface-create
|
||||||
interface-delete
|
interface-delete
|
||||||
interface-list
|
interface-list
|
||||||
|
@ -116,6 +146,9 @@ Create ``Interface`` Object
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# POST /proton/net-l3vpn/v1.0/interfaces HTTP/1.1
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn interface-create --help
|
$ protonclient --api net-l3vpn interface-create --help
|
||||||
Usage: protonclient interface-create [OPTIONS]
|
Usage: protonclient interface-create [OPTIONS]
|
||||||
|
|
||||||
|
@ -126,6 +159,7 @@ Create ``Interface`` Object
|
||||||
--segmentation_type [none|vlan|tunnel_vxlan|tunnel_gre|mpls]
|
--segmentation_type [none|vlan|tunnel_vxlan|tunnel_gre|mpls]
|
||||||
Type of segmentation for this interface
|
Type of segmentation for this interface
|
||||||
[required]
|
[required]
|
||||||
|
--tenant_id TEXT UUID of Tenant [required]
|
||||||
--port_id TEXT Pointer to Port instance [required]
|
--port_id TEXT Pointer to Port instance [required]
|
||||||
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
||||||
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
||||||
|
@ -139,6 +173,9 @@ UUID of the parent ``Port``.
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# GET /proton/net-l3vpn/v1.0/interfaces HTTP/1.1
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn interface-list
|
$ protonclient --api net-l3vpn interface-list
|
||||||
{
|
{
|
||||||
"interfaces": [
|
"interfaces": [
|
||||||
|
@ -147,6 +184,7 @@ UUID of the parent ``Port``.
|
||||||
"segmentation_id": 0,
|
"segmentation_id": 0,
|
||||||
"created_at": "2017-02-14T20:35:47.760126",
|
"created_at": "2017-02-14T20:35:47.760126",
|
||||||
"updated_at": "2017-02-14T20:35:47.760126",
|
"updated_at": "2017-02-14T20:35:47.760126",
|
||||||
|
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||||
"port_id": "fe338d4c-2aef-4487-aa25-cb753bf02518",
|
"port_id": "fe338d4c-2aef-4487-aa25-cb753bf02518",
|
||||||
"segmentation_type": "none",
|
"segmentation_type": "none",
|
||||||
"id": "fe338d4c-2aef-4487-aa25-cb753bf02518"
|
"id": "fe338d4c-2aef-4487-aa25-cb753bf02518"
|
||||||
|
@ -159,6 +197,9 @@ Create ``VPNAFConfig`` Object
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# POST /proton/net-l3vpn/v1.0/vpnafconfigs HTTP/1.1
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn vpnafconfig-create --help
|
$ protonclient --api net-l3vpn vpnafconfig-create --help
|
||||||
Usage: protonclient vpnafconfig-create [OPTIONS]
|
Usage: protonclient vpnafconfig-create [OPTIONS]
|
||||||
|
|
||||||
|
@ -168,6 +209,7 @@ Create ``VPNAFConfig`` Object
|
||||||
--import_route_policy TEXT Route target import policy
|
--import_route_policy TEXT Route target import policy
|
||||||
--vrf_rt_type [export_extcommunity|import_extcommunity|both]
|
--vrf_rt_type [export_extcommunity|import_extcommunity|both]
|
||||||
Route target type [required]
|
Route target type [required]
|
||||||
|
--tenant_id TEXT UUID of Tenant [required]
|
||||||
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
||||||
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
||||||
--help Show this message and exit.
|
--help Show this message and exit.
|
||||||
|
@ -176,7 +218,10 @@ Create ``VPNAFConfig`` Object
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn vpnafconfig-create --vrf_rt_type both --vrf_rt_value 1000:1000
|
# The equivalent RESTful API is
|
||||||
|
# POST /proton/net-l3vpn/v1.0/vpnafconfigs HTTP/1.1
|
||||||
|
|
||||||
|
$ protonclient --api net-l3vpn vpnafconfig-create --vrf_rt_type both --vrf_rt_value 1000:1000 --tenant_id a868a466bca84df18404a77db0ecac72
|
||||||
{
|
{
|
||||||
"vrf_rt_type": "both",
|
"vrf_rt_type": "both",
|
||||||
"vrf_rt_value": "1000:1000"
|
"vrf_rt_value": "1000:1000"
|
||||||
|
@ -187,18 +232,22 @@ Create ``VPN`` Object
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# POST /proton/net-l3vpn/v1.0/vpns HTTP/1.1
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn vpn-create --help
|
$ protonclient --api net-l3vpn vpn-create --help
|
||||||
Usage: protonclient vpn-create [OPTIONS]
|
Usage: protonclient vpn-create [OPTIONS]
|
||||||
|
|
||||||
Options:
|
Options:
|
||||||
--id TEXT UUID of VPN instance
|
--id TEXT UUID of Object
|
||||||
--name TEXT Name of VPN [required]
|
--name TEXT Descriptive name of Object
|
||||||
|
--tenant_id TEXT UUID of Tenant [required]
|
||||||
--ipv4_family TEXT Comma separated list of route target strings
|
--ipv4_family TEXT Comma separated list of route target strings
|
||||||
(VpnAfConfig)
|
(VpnAfConfig)
|
||||||
--ipv6_family TEXT Comma separated list of route target strings
|
--ipv6_family TEXT Comma separated list of route target strings
|
||||||
(VpnAfConfig)
|
(VpnAfConfig)
|
||||||
--route_distinguishers TEXT Route distinguisher for this VPN
|
--route_distinguishers TEXT Route distinguisher for this VPN
|
||||||
--description TEXT About the VPN
|
--description TEXT Description of Service
|
||||||
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
||||||
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
||||||
--help Show this message and exit.
|
--help Show this message and exit.
|
||||||
|
@ -209,10 +258,14 @@ The UUID of VPN instance ``id`` is generated by Proton and returned.
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn vpn-create --name "TestVPN" --ipv4_family 1000:1000 --ipv6_family 1000:1000 --route_distinguishers 1000:1000 --description "My Test VPN"
|
# The equivalent RESTful API is
|
||||||
|
# POST /proton/net-l3vpn/v1.0/vpns HTTP/1.1
|
||||||
|
|
||||||
|
$ protonclient --api net-l3vpn vpn-create --name "TestVPN" --ipv4_family 1000:1000 --ipv6_family 1000:1000 --route_distinguishers 1000:1000 --tenant_id a868a466bca84df18404a77db0ecac72 --description "My Test VPN"
|
||||||
{
|
{
|
||||||
"description": "My Test VPN",
|
"description": "My Test VPN",
|
||||||
"route_distinguishers": "1000:1000",
|
"route_distinguishers": "1000:1000",
|
||||||
|
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||||
"created_at": "2017-02-14T20:37:58.592999",
|
"created_at": "2017-02-14T20:37:58.592999",
|
||||||
"updated_at": "2017-02-14T20:37:58.592999",
|
"updated_at": "2017-02-14T20:37:58.592999",
|
||||||
"ipv6_family": "1000:1000",
|
"ipv6_family": "1000:1000",
|
||||||
|
@ -226,6 +279,9 @@ Create ``Port`` Object
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# POST /proton/net-l3vpn/v1.0/ports HTTP/1.1
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn port-create --help
|
$ protonclient --api net-l3vpn port-create --help
|
||||||
Usage: protonclient port-create [OPTIONS]
|
Usage: protonclient port-create [OPTIONS]
|
||||||
|
|
||||||
|
@ -244,7 +300,7 @@ Create ``Port`` Object
|
||||||
[required]
|
[required]
|
||||||
--vif_details TEXT binding:vif_details: JSON string for VIF
|
--vif_details TEXT binding:vif_details: JSON string for VIF
|
||||||
details
|
details
|
||||||
--tenant_id TEXT UUID of Tenant owning this Port [required]
|
--tenant_id TEXT UUID of Tenant [required]
|
||||||
--admin_state_up BOOLEAN Admin state of Port [required]
|
--admin_state_up BOOLEAN Admin state of Port [required]
|
||||||
--name TEXT Descriptive name of Object
|
--name TEXT Descriptive name of Object
|
||||||
--vif_type TEXT binding:vif_type: binding type for VIF
|
--vif_type TEXT binding:vif_type: binding type for VIF
|
||||||
|
@ -256,7 +312,7 @@ Create ``Port`` Object
|
||||||
|
|
||||||
These values should be specified.
|
These values should be specified.
|
||||||
|
|
||||||
The ``tenant_id`` should be obtained from OpenStack.
|
The ``tenant_id`` should be a ``project-id`` obtained from OpenStack.
|
||||||
|
|
||||||
The UUID of the object ``id`` is generated by the Proton and returned.
|
The UUID of the object ``id`` is generated by the Proton and returned.
|
||||||
|
|
||||||
|
@ -264,6 +320,9 @@ The UUID of the object ``id`` is generated by the Proton and returned.
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# POST /proton/net-l3vpn/v1.0/ports HTTP/1.1
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn port-create --mac_address c8:2a:14:04:43:80 --mtu 1500 --admin_state_up True --name "TestVPNPort" --vlan_transparency True --vnic_type normal --vif_type ovs --status ACTIVE --tenant_id 5205b400fa6c4a888a0b229200562229
|
$ protonclient --api net-l3vpn port-create --mac_address c8:2a:14:04:43:80 --mtu 1500 --admin_state_up True --name "TestVPNPort" --vlan_transparency True --vnic_type normal --vif_type ovs --status ACTIVE --tenant_id 5205b400fa6c4a888a0b229200562229
|
||||||
{
|
{
|
||||||
"profile": null,
|
"profile": null,
|
||||||
|
@ -272,7 +331,7 @@ The UUID of the object ``id`` is generated by the Proton and returned.
|
||||||
"name": "TestVPNPort",
|
"name": "TestVPNPort",
|
||||||
"device_owner": null,
|
"device_owner": null,
|
||||||
"admin_state_up": true,
|
"admin_state_up": true,
|
||||||
"tenant_id": "5205b400fa6c4a888a0b229200562229",
|
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||||
"created_at": "2017-02-14T20:35:47.749427",
|
"created_at": "2017-02-14T20:35:47.749427",
|
||||||
"vif_details": null,
|
"vif_details": null,
|
||||||
"updated_at": "2017-02-14T20:35:47.749427",
|
"updated_at": "2017-02-14T20:35:47.749427",
|
||||||
|
@ -298,12 +357,16 @@ You can view the values with the following commands:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# GET /proton/net-l3vpn/v1.0/vpns HTTP/1.1
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn vpn-list
|
$ protonclient --api net-l3vpn vpn-list
|
||||||
{
|
{
|
||||||
"vpns": [
|
"vpns": [
|
||||||
{
|
{
|
||||||
"description": "My Test VPN",
|
"description": "My Test VPN",
|
||||||
"route_distinguishers": "1000:1000",
|
"route_distinguishers": "1000:1000",
|
||||||
|
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||||
"created_at": "2017-02-14T20:37:58.592999",
|
"created_at": "2017-02-14T20:37:58.592999",
|
||||||
"updated_at": "2017-02-14T20:37:58.592999",
|
"updated_at": "2017-02-14T20:37:58.592999",
|
||||||
"ipv6_family": "1000:1000",
|
"ipv6_family": "1000:1000",
|
||||||
|
@ -313,7 +376,11 @@ You can view the values with the following commands:
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
$
|
$
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# GET /proton/net-l3vpn/v1.0/ports HTTP/1.1
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn port-list
|
$ protonclient --api net-l3vpn port-list
|
||||||
{
|
{
|
||||||
"ports": [
|
"ports": [
|
||||||
|
@ -324,7 +391,7 @@ You can view the values with the following commands:
|
||||||
"name": "TestVPNPort",
|
"name": "TestVPNPort",
|
||||||
"device_owner": null,
|
"device_owner": null,
|
||||||
"admin_state_up": true,
|
"admin_state_up": true,
|
||||||
"tenant_id": "5205b400fa6c4a888a0b229200562229",
|
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||||
"created_at": "2017-02-14T20:35:47.749427",
|
"created_at": "2017-02-14T20:35:47.749427",
|
||||||
"vif_details": null,
|
"vif_details": null,
|
||||||
"updated_at": "2017-02-14T20:35:47.749427",
|
"updated_at": "2017-02-14T20:35:47.749427",
|
||||||
|
@ -347,6 +414,9 @@ You need to create a ``vpnbinding`` object to tie the ``Interface`` and the
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# POST /proton/net-l3vpn/v1.0/vpnbindings HTTP/1.1
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn vpnbinding-create --help
|
$ protonclient --api net-l3vpn vpnbinding-create --help
|
||||||
Usage: protonclient vpnbinding-create [OPTIONS]
|
Usage: protonclient vpnbinding-create [OPTIONS]
|
||||||
|
|
||||||
|
@ -356,6 +426,7 @@ You need to create a ``vpnbinding`` object to tie the ``Interface`` and the
|
||||||
--ipaddress TEXT IP Address of port
|
--ipaddress TEXT IP Address of port
|
||||||
--subnet_prefix INTEGER Subnet mask
|
--subnet_prefix INTEGER Subnet mask
|
||||||
--service_id TEXT Pointer to Service instance [required]
|
--service_id TEXT Pointer to Service instance [required]
|
||||||
|
--tenant_id TEXT UUID of Tenant [required]
|
||||||
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
||||||
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
||||||
--help Show this message and exit.
|
--help Show this message and exit.
|
||||||
|
@ -370,8 +441,12 @@ default ``interface`` object, and the ``id`` of the ``vpn`` object.
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn vpnbinding-create --interface_id fe338d4c-2aef-4487-aa25-cb753bf02518 --service_id b70b4bbd-aa40-48d7-aa4b-57cc2fd34010 --ipaddress 10.10.0.2 --subnet_prefix 24 --gateway 10.10.0.1
|
# The equivalent RESTful API is
|
||||||
|
# POST /proton/net-l3vpn/v1.0/vpnbindings HTTP/1.1
|
||||||
|
|
||||||
|
$ protonclient --api net-l3vpn vpnbinding-create --interface_id fe338d4c-2aef-4487-aa25-cb753bf02518 --service_id b70b4bbd-aa40-48d7-aa4b-57cc2fd34010 --ipaddress 10.10.0.2 --subnet_prefix 24 --gateway 10.10.0.1 --tenant_id a868a466bca84df18404a77db0ecac72
|
||||||
{
|
{
|
||||||
|
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||||
"created_at": "2017-02-14T20:39:52.382433",
|
"created_at": "2017-02-14T20:39:52.382433",
|
||||||
"subnet_prefix": 24,
|
"subnet_prefix": 24,
|
||||||
"updated_at": "2017-02-14T20:39:52.382433",
|
"updated_at": "2017-02-14T20:39:52.382433",
|
||||||
|
@ -386,10 +461,14 @@ View ``VPNBinding`` Objects
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
# The equivalent RESTful API is
|
||||||
|
# GET /proton/net-l3vpn/v1.0/vpnbindings HTTP/1.1
|
||||||
|
|
||||||
$ protonclient --api net-l3vpn vpnbinding-list
|
$ protonclient --api net-l3vpn vpnbinding-list
|
||||||
{
|
{
|
||||||
"vpnbindings": [
|
"vpnbindings": [
|
||||||
{
|
{
|
||||||
|
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||||
"created_at": "2017-02-14T20:39:52.382433",
|
"created_at": "2017-02-14T20:39:52.382433",
|
||||||
"subnet_prefix": 24,
|
"subnet_prefix": 24,
|
||||||
"updated_at": "2017-02-14T20:39:52.382433",
|
"updated_at": "2017-02-14T20:39:52.382433",
|
||||||
|
@ -409,7 +488,9 @@ Create VM and Bind our L3VPN Port
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ nova --debug boot --flavor 1 --image cirros --nic port-id=fe338d4c-2aef-4487-aa25-cb753bf02518 TestGluon
|
# Refer to Nova documentation for RESTful APIs
|
||||||
|
|
||||||
|
$ nova --debug boot --flavor m1.tiny --image cirros --nic port-id=fe338d4c-2aef-4487-aa25-cb753bf02518 TestGluon
|
||||||
|
|
||||||
When bound, the ``etcd`` data will look like:
|
When bound, the ``etcd`` data will look like:
|
||||||
|
|
||||||
|
@ -446,5 +527,6 @@ To Use Gluon in a Project
|
||||||
|
|
||||||
References
|
References
|
||||||
|
|
||||||
.. [1] installation
|
.. [1] installation.rst
|
||||||
|
.. [2] devref/gluon-auth.inc
|
||||||
|
.. [3] devref/gluon_api_spec.inc
|
||||||
|
|
|
@ -1,42 +1,2 @@
|
||||||
{
|
{
|
||||||
"COMMENT": "This file is no longer needed, but for historical record !!!",
|
|
||||||
"COMMENT": "The policy.json file in /etc/proton directory should contain",
|
|
||||||
"COMMENT": "empty json object: {}",
|
|
||||||
|
|
||||||
"COMMENT": "This first part is moved to code in policies/base.py",
|
|
||||||
"context_is_admin": "role:admin",
|
|
||||||
"owner": "tenant_id:%(tenant_id)s",
|
|
||||||
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
|
||||||
"context_is_advsvc": "role:advsvc",
|
|
||||||
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
|
||||||
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
|
||||||
"admin_only": "rule:context_is_admin",
|
|
||||||
"regular_user": "",
|
|
||||||
"default": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"COMMENT": "The rest of policies are defined in YAML",
|
|
||||||
"create_ports": "rule:admin_or_network_owner",
|
|
||||||
"get_ports": "rule:admin_or_owner",
|
|
||||||
"update_ports": "rule:admin_or_network_owner",
|
|
||||||
"delete_ports": "rule:admin_or_network_owner",
|
|
||||||
|
|
||||||
"create_interfaces": "rule:admin_or_network_owner",
|
|
||||||
"get_interfaces": "rule:admin_or_owner",
|
|
||||||
"update_interfaces": "rule:admin_or_network_owner",
|
|
||||||
"delete_interfaces": "rule:admin_or_network_owner",
|
|
||||||
|
|
||||||
"create_vpns": "rule:admin_or_network_owner",
|
|
||||||
"get_vpns": "rule:admin_or_owner",
|
|
||||||
"update_vpns": "rule:admin_or_network_owner",
|
|
||||||
"delete_vpns": "rule:admin_or_network_owner",
|
|
||||||
|
|
||||||
"create_vpnbindings": "rule:admin_or_network_owner",
|
|
||||||
"get_vpnbindings": "rule:admin_or_owner",
|
|
||||||
"update_vpnbindings": "rule:admin_or_network_owner",
|
|
||||||
"delete_vpnbindings": "rule:admin_or_network_owner",
|
|
||||||
|
|
||||||
"create_vpnafconfigs": "rule:admin_or_network_owner",
|
|
||||||
"get_vpnafconfigs": "rule:admin_or_owner",
|
|
||||||
"update_vpnafconfigs": "rule:admin_or_network_owner",
|
|
||||||
"delete_vpnafconfigs": "rule:admin_or_network_owner",
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,15 +14,24 @@ auth_strategy = keystone
|
||||||
auth_uri = http://127.0.0.1/5000
|
auth_uri = http://127.0.0.1/5000
|
||||||
|
|
||||||
project_domain_name = Default
|
project_domain_name = Default
|
||||||
|
|
||||||
|
# OpenStack project name. Please make sure that the *project_name* used here
|
||||||
|
# is consistent with the *project* name used/created at step RBAC-3 in
|
||||||
|
# "Install Gluon Plugin and Proton Server" (doc/source/installation/install_gluon.rst)
|
||||||
project_name = service
|
project_name = service
|
||||||
|
|
||||||
user_domain_name = Default
|
user_domain_name = Default
|
||||||
password = welcome
|
|
||||||
|
# keystone login username and password.
|
||||||
|
# Please make sure that the *username* and *password* used here are consistent with
|
||||||
|
# the *user* name and *password* created/used at step RBAC-4 in
|
||||||
|
# "Install Gluon Plugin and Proton Server" (doc/source/installation/install_gluon.rst)
|
||||||
|
password = gluon
|
||||||
username = gluon
|
username = gluon
|
||||||
|
|
||||||
# keystone identity_admin, change 127.0.0.1 to keystone endpoint
|
# keystone identity_admin, change 127.0.0.1 to keystone endpoint
|
||||||
auth_url = http://127.0.0.1/35357
|
auth_url = http://127.0.0.1/35357
|
||||||
|
|
||||||
|
|
||||||
auth_type = password
|
auth_type = password
|
||||||
|
|
||||||
[oslo_policy]
|
[oslo_policy]
|
||||||
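Review bot: The added `password = gluon` ships a literal, guessable credential in the sample configuration, and the comment block above it already instructs the operator to reuse the password chosen at step RBAC-4, so a real-looking value only invites copying the file unchanged; I'd make it an obvious placeholder on the lines `# Keystone password of the proton user created at step RBAC-4; replace before use` and `password = <PROTON_SERVICE_PASSWORD>` so a pasted config fails authentication loudly instead of working with a documented default. The new comment could also state that this file holds a service credential and should be readable only by the account running proton-server. Separately, the unchanged `auth_uri = http://127.0.0.1/5000` and `auth_url = http://127.0.0.1/35357` lines appear to use a path separator where a port separator (`:5000`, `:35357`) would be expected for Keystone endpoints; worth confirming, since the added comments steer operators to these settings. The section header these keys belong to is above the hunk.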
|
|
|
@ -1,9 +1,10 @@
|
||||||
============================================
|
===================
|
||||||
gluon Release Notes
|
Gluon Release Notes
|
||||||
============================================
|
===================
|
||||||
|
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
unreleased
|
unreleased
|
||||||
ocata
|
ocata
|
||||||
|
pike
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
=========================
|
||||||
|
Pike Series Release Notes
|
||||||
|
=========================
|
||||||
|
|
||||||
|
.. release-notes::
|
||||||
|
:branch: origin/stable/pike
|