Updated Gluon Documentation for Pike Release
Updated documentation includes:

- doc/source/devref
  * Update on Gluon Authentication and Authorization
  * Version Management in Gluon API Specification and updated examples
  * Updated examples for Proton Version Management
  * Updated repo structure
- doc/source/installation
  * Updated installation guide for etcd and gluon
- doc/source/usage.rst
  * Updated user guide
- releasenotes/source
  * Updated release notes

Change-Id: I836690ccb5c538031e624f5f547b5f2c594ca4ad
Signed-off-by: Bin Hu <bh526r@att.com>
parent
ee99e05e3c
commit
0e99426b9e
@ -0,0 +1,47 @@
|
|||
{
|
||||
"COMMENT": "This file is no longer needed, but for historical record !!!",
|
||||
"COMMENT": "The policy.json file in /etc/proton directory should contain",
|
||||
"COMMENT": "empty json object: {}",
|
||||
|
||||
"COMMENT": "This first part is moved to code in gluon/policies/base.py",
|
||||
"context_is_admin": "role:admin",
|
||||
"owner": "tenant_id:%(tenant_id)s",
|
||||
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
||||
"context_is_advsvc": "role:advsvc",
|
||||
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
||||
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
||||
"admin_only": "rule:context_is_admin",
|
||||
"regular_user": "",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"COMMENT": "The rest of policies are defined in gluon/models/base/base.yaml file",
|
||||
"create_port": "rule:admin_or_network_owner",
|
||||
"list_ports": "rule:admin",
|
||||
"get_port": "rule:admin_or_owner",
|
||||
"update_port": "rule:admin_or_network_owner",
|
||||
"delete_port": "rule:admin_or_network_owner",
|
||||
|
||||
"create_interface": "rule:admin_or_network_owner",
|
||||
"list_interfaces": "rule:admin",
|
||||
"get_interface": "rule:admin_or_owner",
|
||||
"update_interface": "rule:admin_or_network_owner",
|
||||
"delete_interface": "rule:admin_or_network_owner",
|
||||
|
||||
"create_vpn": "rule:admin_or_network_owner",
|
||||
"list_vpns": "rule:admin",
|
||||
"get_vpns": "rule:admin_or_owner",
|
||||
"update_vpn": "rule:admin_or_network_owner",
|
||||
"delete_vpn": "rule:admin_or_network_owner",
|
||||
|
||||
"create_vpnbinding": "rule:admin_or_network_owner",
|
||||
"list_vpnbindings": "rule:admin",
|
||||
"get_vpnbinding": "rule:admin_or_owner",
|
||||
"update_vpnbinding": "rule:admin_or_network_owner",
|
||||
"delete_vpnbinding": "rule:admin_or_network_owner",
|
||||
|
||||
"create_vpnafconfig": "rule:admin_or_network_owner",
|
||||
"list_vpnafconfigs": "rule:admin",
|
||||
"get_vpnafconfig": "rule:admin_or_owner",
|
||||
"update_vpnafconfig": "rule:admin_or_network_owner",
|
||||
"delete_vpnafconfig": "rule:admin_or_network_owner",
|
||||
}
|
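Review bot: The `list_*` entries, e.g. `"list_ports": "rule:admin"`, reference a rule named `admin` that this file never defines; the rules it does define for that purpose are `context_is_admin` and `admin_only`. In oslo.policy a `rule:` reference to an undefined rule evaluates to false, so as written the five `list_*` actions would be denied for every caller, admins included, unless `admin` is defined somewhere not shown. Even as a historical sample this will be copied, so it should read `"list_ports": "rule:admin_only"` (and likewise for `list_interfaces`, `list_vpns`, `list_vpnbindings` and `list_vpnafconfigs`); `"get_vpns"` also breaks the singular naming used by every other `get_*` key. The same `rule:admin` appears in the devref YAML example (`list: "rule:admin"`) and in the api_specification ObjectDef example, so all three should change together.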
|
@ -1,20 +1,44 @@
|
|||
====================================
|
||||
Gluon Authentication & Authorization
|
||||
====================================
|
||||
..
|
||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
not use this file except in compliance with the License. You may obtain
|
||||
a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
License for the specific language governing permissions and limitations
|
||||
under the License.
|
||||
|
||||
Convention for heading levels in Gluon devref:
|
||||
======= Heading 0 (reserved for the title in a document)
|
||||
------- Heading 1
|
||||
~~~~~~~ Heading 2
|
||||
+++++++ Heading 3
|
||||
''''''' Heading 4
|
||||
(Avoid deeper levels because they do not render well.)
|
||||
|
||||
======================================
|
||||
Gluon Authentication and Authorization
|
||||
======================================
|
||||
|
||||
Summary
|
||||
-------
|
||||
|
||||
This document explains the integration of Gluon with OpenStack identity service
|
||||
or Keystone. When Keystone is enabled, users that submit requests to Gluon
|
||||
This document explains the integration of Gluon with OpenStack Identity service
|
||||
or Keystone. When Keystone is enabled, users that submit requests to Gluon NFV
|
||||
networking service will have to provide an authentication token in X-Auth-Token
|
||||
request header. The token is obtained by making a call to the Keystone authentication
|
||||
request header. The token is obtained via making a call to the Keystone authentication
|
||||
service by passing in username and password.
|
||||
|
||||
Assumptions
|
||||
-----------
|
||||
|
||||
The document uses the proposed "port and service binding model"[1] to determine the
|
||||
This document conforms to Identity concepts, and the mechanism of managing services,
|
||||
projects, users, and roles described in "OpenStack Keystone Administrator Guide" [2]_.
|
||||
|
||||
The document uses the proposed "Port and Service Binding Model" [3]_ to determine the
|
||||
policy actions (see section on Authorization).
|
||||
|
||||
Authentication
|
||||
|
@ -28,167 +52,175 @@ If the token is valid, Keystone will retrieve additional information from token
|
|||
such as user name, user id, project name, project id etc and send this information
|
||||
to the OpenStack service. Otherwise, the request will be rejected.
|
||||
|
||||
Setting up
|
||||
Setting Up
|
||||
~~~~~~~~~~
|
||||
|
||||
Once Keystone is installed and running, services have to be configured to work with it.
|
||||
This involves setting up projects, roles, users, and services. By default, OpenStack
|
||||
already has several projects, roles and users created.
|
||||
This involves setting up services, projects, and users, and assigning roles to
|
||||
{ project, user } pair. After OpenStack is installed, when Identity (Keystone) is bootstrapped,
|
||||
several services, projects, roles and users will be created by default.
|
||||
|
||||
Following is the normal process to add a service to Keystone.
|
||||
Following is the normal process to add a service, and assign roles to
|
||||
{ project, user } pairs in Keystone.
|
||||
|
||||
- Create a project
|
||||
- Create a user for the service and add the user to the project
|
||||
- Create an admin role and assign to the user
|
||||
- Create service
|
||||
- Create endpoint
|
||||
- Create a **service**
|
||||
- Create **endpoint** of that **service**
|
||||
- Create a **project**
|
||||
- Create a **user** that is expected to use the **service** under the **project**
|
||||
- Assign an ``admin`` **role** to the { **project**, **user** } pair
|
||||
|
||||
For Gluon, we will add these objects.
|
||||
For bootstrapping Gluon with Identity service, we will follow the procedure of:
|
||||
|
||||
- Create a new user called "gluon"
|
||||
- Add "gluon" user to "service" project
|
||||
- Add "service" role to "gluon" user in the "service" project
|
||||
- Create a new service called "gluon"
|
||||
- Create a new endpoint under the service "gluon"
|
||||
* Step 1: Create a new "NFV Networking" **service** named ``gluon`` (or any name) with service type ``nfvnet``
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ openstack service create --name gluon --description "NFV Network Service" nfvnet
|
||||
|
||||
* Step 2: Create a new **endpoint** under the **service** ``gluon``
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
# Note: you need to change the IP address 10.0.2.7 to match your environment
|
||||
|
||||
$ openstack endpoint create --region RegionOne gluon public http://10.0.2.7:2705/proton/
|
||||
$ openstack endpoint create --region RegionOne gluon admin http://10.0.2.7:2705/proton/
|
||||
$ openstack endpoint create --region RegionOne gluon internal http://10.0.2.7:2705/proton/
|
||||
|
||||
* Step 3: Either reuse an existing **project** (e.g. a default project named ``service``) or create a new **project**
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
#
|
||||
# We reuse "service" project here.
|
||||
# If you want to create a new project:
|
||||
# $ openstack project create --description <description of your new project> <new-project-name> --domain default
|
||||
#
|
||||
|
||||
* Step 4: Create a new **user** named ``gluon`` (or any name)
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ openstack user create --password <password> gluon
|
||||
|
||||
* Step 5: Assign ``admin`` **role** to { ``service``, ``gluon`` } pair
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ openstack role add --project service --user gluon admin
|
||||
|
||||
Authorization
|
||||
-------------
|
||||
|
||||
Each OpenSack service has its own role-based access policies to allow/disallow access to
|
||||
specific actions. The policy.json is used to define the access control, which contains
|
||||
each policy defined in the format "<action> : <rule>".
|
||||
specific actions. The access control policy is defined in the format of ``<action> : <rule>``.
|
||||
|
||||
The <action> represents an API call like "create network" whereas <rule> determines
|
||||
under which circumstances API call is permitted. As an example, consider following rule
|
||||
The <action> represents an API call like "create a user" whereas <rule> determines
|
||||
under which circumstances this API call is permitted. For example, consider following policy:
|
||||
|
||||
``"identity:create_user" : "role:admin"``
|
||||
.. code-block:: bash
|
||||
|
||||
This rule allows admin role to create a new user in the identity service.
|
||||
"identity:create_user" : "role:admin"
|
||||
|
||||
This policy allows ``admin`` **role** to create a new user in the Identity service.
|
||||
|
||||
Authorization Scope
|
||||
~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
It will be possible to specify authorization at object level. In the future, we may allow
|
||||
setting access control at the attribute level.
|
||||
Currently, Gluon supports the policy-based authorization at object level. In the future,
|
||||
we may consider to support this role-based access control (RBAC) at the attribute level.
|
||||
|
||||
Defining authorization rules
|
||||
Defining Authorization Rules
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The YAML model definitions will be enhanced to support authorization rules. We will add a new
|
||||
section for policies.
|
||||
In OpenStack, typically a ``policy.json`` file is used to store those RBAC policies,
|
||||
for example, in ``/etc/nova/policy.json``. Because the APIs of those services (e.g.
|
||||
``nova`` / ``compute``) are fixed, this policy.json mechanism provides flexibility
|
||||
for defining policies for those services.
|
||||
|
||||
The "rules" will be defined at the system level and model authors can use the rules while
|
||||
defining the actions.
|
||||
On the other hand, Gluon provides a model-driven approach to generate
|
||||
NFV Networking Service APIs (including objects, database schema, and
|
||||
RESTful API endpoints) from a YAML file which models the Networking Service.
|
||||
Thus it is natural to define the RBAC policies of a new service with its own YAML
|
||||
model definitions in the same YAML file. Thus a new section for RBAC policies
|
||||
is defined in the YAML of service model.
|
||||
|
||||
Following will be the default rules:
|
||||
A set of default <rules> is defined at the system level (i.e. in ``gluon/policies/base.py``).
|
||||
Model authors can then use those rules to define the actions, and thus the policies in YAML.
|
||||
The default <rules> are defined in ``gluon/policies/base.py``:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
"context_is_admin": "role:admin",
|
||||
"owner": "tenant_id:%(tenant_id)s",
|
||||
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
||||
"context_is_advsvc": "role:advsvc",
|
||||
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
||||
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
||||
"admin_only": "rule:context_is_admin",
|
||||
"regular_user": "",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
The actions are defined within the "policies" section as shown below.
|
||||
The default policies are defined at the system level too (i.e. within the ``policies`` section
|
||||
in ``BaseObject`` definition and ``BaseServiceBinding`` definition in
|
||||
``gluon/models/base/base.yaml`` file). Model authors can define own policies for those
|
||||
service objects in its own service YAML, or reuse the default policies if there is no policy
|
||||
definition in service objects. The default policies defined in ``gluon/models/base/base.yaml``
|
||||
are as follows:
|
||||
|
||||
.. code-block:: yaml
|
||||
.. code-block:: bash
|
||||
|
||||
ProtonBasePort:
|
||||
...
|
||||
existing model definition
|
||||
...
|
||||
BasePort:
|
||||
...
|
||||
existing model definition
|
||||
...
|
||||
policies:
|
||||
create:
|
||||
role: "rule:admin_or_owner"
|
||||
delete:
|
||||
role: "rule:admin_or_owner"
|
||||
list:
|
||||
role: "rule:admin"
|
||||
get:
|
||||
role: "rule:admin_or_owner"
|
||||
update:
|
||||
role: "rule:admin_or_owner"
|
||||
|
||||
This policy defines ``create``, ``delete``, ``get``, ``get_one`` and ``update`` actions on
|
||||
the ``BasePort`` object. The rules section can embed any OpenStack policy directive
|
||||
that is supported.
|
||||
|
||||
policies:
|
||||
Summary of Gluon Authorization Rules
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
actions:
|
||||
create:
|
||||
role: "rule:admin_or_network_owner"
|
||||
delete:
|
||||
role: "rule:admin_or_network_owner"
|
||||
get:
|
||||
role: "rule:admin_or_owner"
|
||||
get_one:
|
||||
role: "rule:admin_or_owner"
|
||||
update:
|
||||
role: "rule:admin_or_network_owner"
|
||||
Please refer to ``doc/samples/policy.json`` for a summary of default <rules> and default policies
|
||||
used in Gluon. Note that this policy.json is a historical record for informational purpose.
|
||||
The mechanism of how to define those default <rules> and default policies is at system level
|
||||
as described above.
|
||||
|
||||
More Details of OpenStack Policies
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
This policy defines create, delete, get, get_one and update actions on the ProtonBasePort object.
|
||||
The rules section can embed any openstack policy directive that is supported. Please see
|
||||
https://docs.openstack.org/kilo/config-reference/content/policy-json-file.html for complete details
|
||||
of the policy.json file
|
||||
|
||||
Converting to policy.json file
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
During the installation of Gluon, the embedded policies in the YAML model file will be converted
|
||||
to /etc/gluon/policy.json file. This file will have the following format.
|
||||
|
||||
.. code-block:: json
|
||||
|
||||
{
|
||||
"context_is_admin": "role:admin or user_name:gluon",
|
||||
"owner": "tenant_id:%(tenant_id)s",
|
||||
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
||||
"context_is_advsvc": "role:advsvc",
|
||||
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
||||
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
||||
"admin_only": "rule:context_is_admin",
|
||||
"regular_user": "",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"create_ports": "rule:admin_or_network_owner",
|
||||
"get_ports": "rule:admin_or_owner",
|
||||
"update_ports": "rule:admin_or_network_owner",
|
||||
"delete_ports": "rule:admin_or_network_owner",
|
||||
|
||||
"create_interfaces": "rule:admin_or_network_owner",
|
||||
"get_interfaces": "rule:admin_or_owner",
|
||||
"update_interfaces": "rule:admin_or_network_owner",
|
||||
"delete_interfaces": "rule:admin_or_network_owner",
|
||||
|
||||
"create_vpns": "rule:admin_or_network_owner",
|
||||
"get_vpns": "rule:admin_or_owner",
|
||||
"update_vpns": "rule:admin_or_network_owner",
|
||||
"delete_vpns": "rule:admin_or_network_owner",
|
||||
|
||||
"create_vpnbindings": "rule:admin_or_network_owner",
|
||||
"get_vpnbindings": "rule:admin_or_owner",
|
||||
"update_vpnbindings": "rule:admin_or_network_owner",
|
||||
"delete_vpnbindings": "rule:admin_or_network_owner",
|
||||
|
||||
"create_vpnafconfigs": "rule:admin_or_network_owner",
|
||||
"get_vpnafconfigs": "rule:admin_or_owner",
|
||||
"update_vpnafconfigs": "rule:admin_or_network_owner",
|
||||
"delete_vpnafconfigs": "rule:admin_or_network_owner",
|
||||
}
|
||||
|
||||
|
||||
Bootstrapping policy.json
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
In the Devstack environment, the gluon software is installed using "python setup.py install"
|
||||
command from the gluon directory. The setup script will be enhanced to support creating
|
||||
/etc/gluon/policy.json file from the YAML model file. Users will be able to edit the generated
|
||||
policy.json file to add their own local rules even though it is not a recommended approach.
|
||||
|
||||
For a production OpenStack environment, the above steps need to be done from the package
|
||||
installation scripts that are supported by tools such as rpm or dpkg.
|
||||
Please refer to "OpenStack Security Guide - Policies" [4]_ for more details of
|
||||
OpenStack policy directive.
|
||||
|
||||
Action to API Mapping
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Gluon service has to map actions to respective API calls. The OpenStack keystonemiddleware
|
||||
and oslo.policy(https://docs.openstack.org/oslo.policy/latest/) modules will be integrated
|
||||
with Gluon to add keystone authentication and enforce RBAC policies defined in the JSON.policy file.
|
||||
Gluon service has to map actions to respective API calls. The OpenStack ``keystonemiddleware``
|
||||
and ``oslo.policy`` [5]_ modules is integrated with Gluon to add keystone authentication
|
||||
and enforce RBAC policies defined in the YAMl files.
|
||||
|
||||
The pecan-wsgi service in the Neutron will be used as a reference code for Gluon implementation
|
||||
The pecan-wsgi service in the Neutron is used as a reference code for above implementation in Gluon.
|
||||
|
||||
Current implementation in Gluon is at ``gluon/api/hooks/policy_enforcement.py``.
|
||||
|
||||
Configuration
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
The /etc/proton/proton.conf file can be used to configure the authentication details. A sample
|
||||
configuration is shown below. Change 127.0.0.1 to your keystone endpoint.
|
||||
The /etc/proton/proton.conf file is used to configure the authentication details. A sample
|
||||
configuration is shown below. Note that you need to change IP address ``127.0.0.1``
|
||||
to your keystone endpoint.
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
|
@ -205,49 +237,56 @@ configuration is shown below. Change 127.0.0.1 to your keystone endpoint.
|
|||
auth_url = http://127.0.0.1:35357
|
||||
auth_type = password
|
||||
|
||||
[oslo_policy]
|
||||
policy_file = /etc/proton/policy.json
|
||||
The default ``auth_strategy`` is ``noauth`` in Gluon.
|
||||
|
||||
Please note that:
|
||||
|
||||
* ``auth_uri`` is the **external** or **public** URL that ends up in the
|
||||
``WWW-Authenticate: keystone-uri=<auth_uri>`` header. It is the unversioned public endpoint,
|
||||
which tells someone where they need to go to authenticate.
|
||||
* ``auth_url`` is the **internal** URL that the **auth plugin** is using. It is
|
||||
where the process will authenticate to before it authenticates tokens.
|
||||
|
||||
Set Environment Variables
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If Keystone is enabled for authentication, some environment variables will need
|
||||
to be set up in order for protonclient commands to work properly. Modify the openrc
|
||||
file in gluon home directory with the appropriate value for you Keystone endpoint.
|
||||
A sample is shown below.
|
||||
Then run ``source openrc <project_name> <user_name> <user_password>`` to set these variables.
|
||||
to be set up in order for ``protonclient`` commands to work properly.
|
||||
|
||||
Modify the ``openrc`` file in Gluon home directory (or in ``devstack`` home directory)
|
||||
with the appropriate value for you Keystone endpoint, your project name/tenant name,
|
||||
your user name and password.
|
||||
|
||||
A sample is shown as follows:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
#
|
||||
# set Keystone endpoint
|
||||
# Configure a set of credentials for $PROJECT/$USERNAME:
|
||||
# set OS_AUTH_URL to Keystone end point
|
||||
# set OS_PROJECT_NAME to openstack project name
|
||||
# set OS_USERNAME to openstack user name
|
||||
# set ADMIN_PASSWORD to openstack password
|
||||
#
|
||||
# If using devstack:
|
||||
# set both OS_USERNAME and OS_TENANT_NAME to "admin" or "demo"
|
||||
#
|
||||
# Example config for devstack:
|
||||
# export OS_AUTH_URL="http://192.168.56.101:5000"
|
||||
# export OS_TENANT_NAME="admin"
|
||||
# export OS_USERNAME="admin"
|
||||
# export OS_PASSWORD="ubuntu"
|
||||
#
|
||||
export OS_AUTH_URL="http://192.168.56.101:5000"
|
||||
|
||||
Appendix
|
||||
--------
|
||||
Then run the following command to set these variables.
|
||||
|
||||
Configuring identity details for Keystone, change 10.0.2.15 to your gluon endpoint:
|
||||
.. code-block:: bash
|
||||
|
||||
1. Create gluon user:
|
||||
$ source openrc <project_name> <user_name> <user_password>
|
||||
|
||||
> openstack user create --password <password> gluon
|
||||
References
|
||||
|
||||
2. Add the admin role to the gluon user:
|
||||
|
||||
> openstack role add --project service --user gluon admin
|
||||
|
||||
3. Create the gluon service
|
||||
|
||||
> openstack service create --name gluon --description "Gluon" network
|
||||
|
||||
4. Create Gluon API endpoints
|
||||
|
||||
> openstack endpoint create --publicurl http://10.0.2.15:2705 \
|
||||
--adminurl http://10.0.2.15:2705 --internalurl http://10.0.2.15:2705 \
|
||||
--region regionOne gluon
|
||||
|
||||
Reference
|
||||
---------
|
||||
|
||||
1) Port and service binding model - https://review.openstack.org/#/c/392250
|
||||
.. [2] https://docs.openstack.org/keystone/latest/admin/index.html
|
||||
.. [3] ./service_binding_model
|
||||
.. [4] https://docs.openstack.org/security-guide/identity/policies.html
|
||||
.. [5] https://docs.openstack.org/oslo.policy/latest/
|
||||
|
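Review bot: The sentence `The default ``auth_strategy`` is ``noauth`` in Gluon.` is dropped in after the sample configuration without saying what it implies or how to change it; with that default the Keystone settings documented above are not applied and requests are not authenticated against Keystone at all. The hunk should state which `auth_strategy` value turns Keystone enforcement on and that the token-validation settings only take effect then, e.g. `Note that Keystone is not enforced until ``auth_strategy`` is changed from its default ``noauth``; see the sample ``proton.conf`` for the value to use. ``noauth`` is intended for development environments only.` The sample also points `auth_url` at port 35357, the legacy admin port; for a Pike-era Identity v3 deployment the unversioned endpoint on port 5000 is the usual value, so the note on `auth_url` could say so.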
|
|
@ -1,3 +1,24 @@
|
|||
..
|
||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
not use this file except in compliance with the License. You may obtain
|
||||
a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
License for the specific language governing permissions and limitations
|
||||
under the License.
|
||||
|
||||
Convention for heading levels in Gluon devref:
|
||||
======= Heading 0 (reserved for the title in a document)
|
||||
------- Heading 1
|
||||
~~~~~~~ Heading 2
|
||||
+++++++ Heading 3
|
||||
''''''' Heading 4
|
||||
(Avoid deeper levels because they do not render well.)
|
||||
|
||||
=======================
|
||||
Gluon API Specification
|
||||
=======================
|
||||
|
@ -23,20 +44,20 @@ endpoints created will support the basic CRUD operations on the object. Each
|
|||
API object will have a corresponding database table. Each API object is
|
||||
required to have a primary key field. The primary key field is used as the
|
||||
identifier in the generated API endpoints. For example, if we define an API
|
||||
object for a Port with a path name of *ports* the following API URL endpoints
|
||||
object for a Port with a path name of ``ports``, the following API URL endpoints
|
||||
will be generated where <port_id> is the primary key.
|
||||
|
||||
.. csv-table::
|
||||
:header: "Operation", "URL", "Description"
|
||||
:widths: 5, 15, 15
|
||||
|
||||
POST, /proton/<api_name>/ports, Create Port object
|
||||
PUT, /proton/<api_name>/ports/<port_id>, Modify Port object
|
||||
GET, /proton/<api_name>/ports, Get all Port objects
|
||||
GET, /proton/<api_name>/ports/<port_id>, Get one Port object
|
||||
DELETE, /proton/<api_name>/ports/<port_id>, Delete a Port object
|
||||
POST, /proton/<api_name>/<version>/ports, Create Port object
|
||||
PUT, /proton/<api_name>/<version>/ports/<port_id>, Modify Port object
|
||||
GET, /proton/<api_name>/<version>/ports, Get all Port objects
|
||||
GET, /proton/<api_name>/<version>/ports/<port_id>, Get one Port object
|
||||
DELETE, /proton/<api_name>/<version>/ports/<port_id>, Delete a Port object
|
||||
|
||||
The content type for all of the operations is *application/json*.
|
||||
The content type for all of the operations is ``application/json``.
|
||||
|
||||
The API objects can have pointer relationships and parent/child relationships
|
||||
to other API objects. A pointer relationship can be created by defining a
|
||||
|
@ -51,7 +72,7 @@ is automatically created using the primary key of the parent.
|
|||
In addition, different API endpoints are generated to manipulate the child
|
||||
object. For example, assume we define an API object for Port and another API
|
||||
object for Interface where the Interface is a child of the Port. If the path
|
||||
names are *ports* and *interfaces*, the following API URL endpoints for the
|
||||
names are ``ports`` and ``interfaces``, the following API URL endpoints for the
|
||||
Interface object would be generated.
|
||||
|
||||
.. list-table::
|
||||
|
@ -62,24 +83,24 @@ Interface object would be generated.
|
|||
- URL
|
||||
- Description
|
||||
* - POST
|
||||
- /proton/<api_name>/ports/<port_id>/interfaces
|
||||
- /proton/<api_name>/<version>/ports/<port_id>/interfaces
|
||||
- Create Interface object
|
||||
* - PUT
|
||||
- /proton/<api_name>/ports/<port_id>/interfaces/<interface_id>
|
||||
- /proton/<api_name>/<version>/ports/<port_id>/interfaces/<interface_id>
|
||||
- Modify Interface object
|
||||
* - GET
|
||||
- /proton/<api_name>/ports/<port_id>/interfaces
|
||||
- /proton/<api_name>/<version>/ports/<port_id>/interfaces
|
||||
- Get all Interface objects for Port
|
||||
* - GET
|
||||
- /proton/<api_name>/ports/<port_id>/interfaces/<interface_id>
|
||||
- /proton/<api_name>/<version>/ports/<port_id>/interfaces/<interface_id>
|
||||
- Get one Interface object
|
||||
* - DELETE
|
||||
- /proton/<api_name>/ports/<port_id>/interfaces/<interface_id>
|
||||
- /proton/<api_name>/<version>/ports/<port_id>/interfaces/<interface_id>
|
||||
- Delete an Interface object
|
||||
|
||||
This document describes the specification for defining an API. Further
|
||||
guidance on how to design an API using the Service Binding Model can be found
|
||||
`here <https://github.com/openstack/gluon/blob/master/doc/source/devref/service_binding_model.rst>`_.
|
||||
guidance on how to design an API can be found in the
|
||||
"Port and Service Binding Model" [3]_.
|
||||
|
||||
Schema Definition
|
||||
-----------------
|
||||
|
@ -92,8 +113,8 @@ an JSON object. The JSON objects are very similar to the Schema Object found
|
|||
in Swagger. However, some extensions are added and only a small subset of the
|
||||
properties are supported.
|
||||
|
||||
Primitive Data Types
|
||||
---------------------
|
||||
Primitive Data Types
|
||||
--------------------
|
||||
|
||||
.. list-table::
|
||||
:widths: 15 20 30
|
||||
|
@ -105,14 +126,14 @@ Primitive Data Types
|
|||
* - integer
|
||||
- Integer number
|
||||
- - format: int32, int64 (default: int32)
|
||||
- min: *integer*
|
||||
- max: *integer*
|
||||
- min: <integer>
|
||||
- max: <integer>
|
||||
* - number
|
||||
- Floating point number
|
||||
- n/a
|
||||
* - string
|
||||
- Text String
|
||||
- - length: *integer* (default: 255)
|
||||
- - length: <integer> (default: 255)
|
||||
- format: date-time, json, ipv4, ipv6, mac, url, email
|
||||
* - boolean
|
||||
- Boolean value (true/false)
|
||||
|
@ -122,7 +143,7 @@ Primitive Data Types
|
|||
- n/a
|
||||
* - enum
|
||||
- Text string from a list of values
|
||||
- - values: [*string*]
|
||||
- - values: [<string>]
|
||||
|
||||
File Structure
|
||||
--------------
|
||||
|
@ -170,9 +191,9 @@ ProtonDef
|
|||
description: "Alarm summary for port"
|
||||
...
|
||||
|
||||
The ProtonDef is the root object for the API specification. The *file_version*
|
||||
is used to identify the format used to create this file. The *info* field
|
||||
contains the metadata about the API. The *objects* field contains the base
|
||||
The ProtonDef is the root object for the API specification. The ``file_version``
|
||||
is used to identify the format used to create this file. The ``info`` field
|
||||
contains the metadata about the API. The ``objects`` field contains the base
|
||||
and API object definitions for the API.
|
||||
|
||||
InfoDef
|
||||
|
@ -188,7 +209,7 @@ InfoDef
|
|||
author, AuthorDef_, false, Information about API authorship
|
||||
|
||||
The InfoDef is where metadata about the API can be specified. At a minimum the
|
||||
*name* and *version* of the API must be specified.
|
||||
``name`` and ``version`` of the API must be specified.
|
||||
|
||||
**Example**
|
||||
|
||||
|
@ -272,12 +293,19 @@ ObjectDef
|
|||
attributes, AttributesDef_, true, Attribute definitions of object
|
||||
policies, PolicyDef_, false, Access rules for this API object
|
||||
|
||||
The ObjectDef defines either a base object or an API object. If the *api*
|
||||
field is present, it is an API object. If the *api* field is omitted, it is a
|
||||
base object. The *extends* field (if present) must specify the ObjectDef name
|
||||
of another base object. The *policies* field is only allowed for an API
|
||||
object. If the *policies* field is omitted, no access control is applied to
|
||||
the object.
|
||||
The ObjectDef defines either a base object or an API object. If the ``api``
|
||||
field is present, it is an API object. If the ``api`` field is omitted, it is a
|
||||
base object. The ``extends`` field (if present) must specify the ObjectDef name
|
||||
of another base object. The ``policies`` field is only allowed for an API
|
||||
object except that default policies are defined in ``BaseObject`` and
|
||||
``BaseServiceBinding`` base objects in ``gluon/models/base/base.yaml`` file
|
||||
at system level. This is because both ``BaseObject`` and ``BaseServiceBinding``
|
||||
base objects are expected to be extended by other user-defined API objects.
|
||||
If the ``policies`` field is omitted in those API objects, default policies
|
||||
that are inherited from super class will apply. Or in rare cases, if a user-defined
|
||||
API object does not extend ``BaseObject`` or ``BaseServiceBinding`` base object,
|
||||
and no ``policies`` field is defined in the API object either,
|
||||
no access control is applied to the API object.
|
||||
|
||||
**Example**
|
||||
|
||||
|
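Review bot: The new ObjectDef paragraph ends by stating that an API object which neither extends ``BaseObject``/``BaseServiceBinding`` nor defines ``policies`` gets no access control at all, but presents this as a rare corner case rather than a risk; a model author who reads only this paragraph can publish an endpoint that any caller may create, update and delete on without noticing. The paragraph should say plainly that this is a fail-open default and recommend always extending one of the base objects or defining ``policies`` explicitly, e.g. `Because such an object is then accessible to every caller (or to anyone at all when ``auth_strategy`` is ``noauth``), model authors should always either extend one of the base objects or define an explicit ``policies`` section.` The inherited-default sentence would also read better as `default policies inherited from the base object apply` rather than "from super class".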
@ -293,11 +321,11 @@ the object.
|
|||
length: 255
|
||||
description: "Alarm summary for port"
|
||||
policies:
|
||||
create: "rule:admin_or_network_owner"
|
||||
delete: "rule:admin_or_network_owner"
|
||||
create: "rule:admin_or_owner"
|
||||
delete: "rule:admin_or_owner"
|
||||
list: "rule:admin"
|
||||
get: "rule:admin_or_owner"
|
||||
get_one: "rule:admin_or_owner"
|
||||
update: "rule:admin_or_network_owner"
|
||||
update: "rule:admin_or_owner"
|
||||
|
||||
|
||||
ApiDef
|
||||
|
@ -312,11 +340,11 @@ ApiDef
|
|||
parent, string, false, Name of an ObjectDef specification
|
||||
|
||||
The ApiDef defines the API path and optionally a parent/child relationship for
|
||||
the object. The *parent* field (if present) must specify the ObjectDef name
|
||||
of another API object. The *name* field is used by the generated CLI code to
|
||||
identify the object to be manipulated. The *plural_name* field is used by the
|
||||
the object. The ``parent`` field (if present) must specify the ObjectDef name
|
||||
of another API object. The ``name`` field is used by the generated CLI code to
|
||||
identify the object to be manipulated. The ``plural_name`` field is used by the
|
||||
generated API code as part of the path to identify the object to be manipulated.
|
||||
If the *plural_name* field is omitted, an 's' character is added to the name
|
||||
If the ``plural_name`` field is omitted, an 's' character is added to the name
|
||||
for the API path during code generation.
|
||||
|
||||
**Example**
|
||||
|
@ -336,14 +364,15 @@ PolicyDef
|
|||
|
||||
create, string, false, Rule specifier string
|
||||
delete, string, false, Rule specifier string
|
||||
list, string, false, Rule specifier string
|
||||
get, string, false, Rule specifier string
|
||||
get_one, string, false, Rule specifier string
|
||||
update, string, false, Rule specifier string
|
||||
|
||||
The PolicyDef defines the Role-Based Access Control (RBAC) for the object. The
|
||||
access to the object can be controlled for each generated action. The syntax
|
||||
of the rule specifier string is defined in the Openstack Policy
|
||||
`document <https://docs.openstack.org/newton/config-reference/policy-json-file.html>`_.
|
||||
access to the object can be controlled for each generated action. Please refer to
|
||||
"Gluon Authentication and Authorization" [6]_ for more details of how
|
||||
RBAC is applied in Gluon. Please refer to "OpenStack Security Guide - Policies" [4]_
|
||||
for more details of OpenStack policy directive.
|
||||
|
||||
**Example**
|
||||
|
||||
|
@ -351,8 +380,8 @@ of the rule specifier string is defined in the Openstack Policy
|
|||
|
||||
create: "rule:admin_or_network_owner"
|
||||
delete: "rule:admin_or_network_owner"
|
||||
list: "rule:admin"
|
||||
get: "rule:admin_or_owner"
|
||||
get_one: "rule:admin_or_owner"
|
||||
update: "rule:admin_or_network_owner"
|
||||
|
||||
AttributesDef
|
||||
|
@ -396,23 +425,24 @@ AttributeSchemaDef
|
|||
min, integer, false, Min value if type is integer
|
||||
max, integer, false, Max value if type is integer
|
||||
|
||||
Each attribute is defined by an AttributeSchemaDef. The *type* field is
|
||||
Each attribute is defined by an AttributeSchemaDef. The ``type`` field is
|
||||
mandatory and can specify a primitive data type or it can be the name of an
|
||||
ObjectDef. The ObjectDef name must be for an API object. One attribute for
|
||||
an object must have the *primary* field specified. The *required* field is
|
||||
an object must have the ``primary`` field specified. The ``required`` field is
|
||||
used to specify if the attribute must be present when creating an object. If
|
||||
the *type* is enum, the *values* field must be present and define an array of
|
||||
the ``type`` is enum, the ``values`` field must be present and define an array of
|
||||
valid strings for the enumeration.
|
||||
|
||||
If the *type* is integer:
|
||||
If the ``type`` is integer:
|
||||
|
||||
* The *format* field can specify if the integer is 32 or 64 bit. Default is int32
|
||||
* The *min* field can specify the valid minimum value
|
||||
* The *max* field can specify the valid maximum value
|
||||
* The ``format`` field can specify if the integer is 32 or 64 bit. Default is int32
|
||||
* The ``min`` field can specify the valid minimum value
|
||||
* The ``max`` field can specify the valid maximum value
|
||||
|
||||
If the *type* is string:
|
||||
If the ``type`` is string:
|
||||
|
||||
* The *format* field can specify the formatting that will be validated for the string. The string formatting validations supported are:
|
||||
* The ``format`` field can specify the formatting that will be validated for the string.
|
||||
The string formatting validations supported are:
|
||||
|
||||
* date-time - Validated according to Date_Time_
|
||||
* json - Valid JSON string
|
||||
|
@ -421,7 +451,7 @@ If the *type* is string:
|
|||
* mac - Valid MAC address according to IEEE 802
|
||||
* uri - Validated according to URI_
|
||||
* email - Validated according to EMAIL_
|
||||
* The *length* field can specify the size of the string. Default is 255
|
||||
* The ``length`` field can specify the size of the string. Default is 255
|
||||
|
||||
**Example**
|
||||
|
||||
|
@ -477,236 +507,321 @@ Base Objects
|
|||
|
||||
::
|
||||
|
||||
file_version: 1.0
|
||||
objects:
|
||||
BasePort:
|
||||
attributes:
|
||||
id:
|
||||
type: uuid
|
||||
primary: true:
|
||||
description: "UUID of Port instance"
|
||||
name:
|
||||
type: string
|
||||
length: 64
|
||||
description: "Descriptive name for Port"
|
||||
tenant_id:
|
||||
type: uuid
|
||||
required: true
|
||||
description: "UUID of Tenant owning this Port"
|
||||
mac_address:
|
||||
type: string
|
||||
length: 17
|
||||
required: true
|
||||
description: "MAC address for Port"
|
||||
validate: mac_address
|
||||
admin_state_up:
|
||||
type: boolean
|
||||
required: true
|
||||
description: "Admin state of Port"
|
||||
status:
|
||||
type: enum
|
||||
required: true
|
||||
description: "Operational status of Port"
|
||||
values:
|
||||
- 'ACTIVE'
|
||||
- 'DOWN'
|
||||
vnic_type:
|
||||
type: enum
|
||||
required: true
|
||||
description: "Port should be attache to this VNIC type"
|
||||
values:
|
||||
- 'normal'
|
||||
- 'virtual'
|
||||
- 'direct'
|
||||
- 'macvtap'
|
||||
- 'sriov'
|
||||
- 'whole-dev'
|
||||
mtu:
|
||||
type: integer
|
||||
description: "MTU"
|
||||
required: true
|
||||
vlan_transparency:
|
||||
type: boolean
|
||||
description: "Allow VLAN tagged traffic on Port"
|
||||
required: true
|
||||
profile:
|
||||
type: string # JSON Format
|
||||
length: 128
|
||||
description: "JSON string for binding profile dictionary"
|
||||
format: json
|
||||
device_id:
|
||||
type: uuid
|
||||
description: "UUID of bound VM"
|
||||
device_owner:
|
||||
type: string
|
||||
length: 128
|
||||
description: "Name of compute or network service (if bound)"
|
||||
host_id:
|
||||
type: string
|
||||
length: 32
|
||||
description: "binding:host_id: Name of bound host"
|
||||
vif_details:
|
||||
type: string # JSON Format
|
||||
length: 128
|
||||
description: "binding:vif_details: JSON string for VIF details"
|
||||
format: json
|
||||
vif_type:
|
||||
type: string
|
||||
length: 32
|
||||
description: "binding:vif_type: binding type for VIF"
|
||||
BaseInterface:
|
||||
attributes:
|
||||
id:
|
||||
type: uuid
|
||||
required: true
|
||||
primary: true
|
||||
description: "UUID of Interface instance"
|
||||
port_id:
|
||||
type: uuid
|
||||
required: true
|
||||
description: "Pointer to Port instance"
|
||||
segmentation_type:
|
||||
type: enum
|
||||
required: true
|
||||
description: "Type of segmentation for this interface"
|
||||
values:
|
||||
- 'none'
|
||||
- 'vlan'
|
||||
- 'tunnel_vxlan'
|
||||
- 'tunnel_gre'
|
||||
- 'mpls'
|
||||
segmentation_id:
|
||||
type: integer
|
||||
required: true
|
||||
description: "Segmentation identifier"
|
||||
BaseService:
|
||||
attributes:
|
||||
id:
|
||||
type: uuid
|
||||
required: true
|
||||
primary: true
|
||||
description: "UUID of Service instance"
|
||||
name:
|
||||
type: string
|
||||
length: 64
|
||||
description: "Descriptive name of Service"
|
||||
description:
|
||||
type: string
|
||||
length: 256
|
||||
description: "Description of Service"
|
||||
BaseServiceBinding:
|
||||
attributes:
|
||||
interface_id:
|
||||
type: uuid
|
||||
required: true
|
||||
primary: true
|
||||
description: "Pointer to Interface instance"
|
||||
service_id:
|
||||
type: uuid
|
||||
required: true
|
||||
description: "Pointer to Service instance"
|
||||
file_version: "1.0"
|
||||
objects:
|
||||
BaseObject:
|
||||
attributes:
|
||||
id:
|
||||
type: uuid
|
||||
primary: true
|
||||
description: "UUID of Object"
|
||||
tenant_id:
|
||||
type: uuid
|
||||
required: true
|
||||
description: "UUID of Tenant"
|
||||
name:
|
||||
type: string
|
||||
length: 64
|
||||
description: "Descriptive name of Object"
|
||||
policies:
|
||||
create:
|
||||
role: "rule:admin_or_owner"
|
||||
delete:
|
||||
role: "rule:admin_or_owner"
|
||||
list:
|
||||
role: "rule:admin"
|
||||
get:
|
||||
role: "rule:admin_or_owner"
|
||||
update:
|
||||
role: "rule:admin_or_owner"
|
||||
BasePort:
|
||||
extends: BaseObject
|
||||
attributes:
|
||||
mac_address:
|
||||
type: string
|
||||
length: 18
|
||||
required: true
|
||||
format: mac
|
||||
description: "MAC address for Port"
|
||||
admin_state_up:
|
||||
type: boolean
|
||||
required: true
|
||||
description: "Admin state of Port"
|
||||
status:
|
||||
type: enum
|
||||
required: true
|
||||
description: "Operational status of Port"
|
||||
values:
|
||||
- 'ACTIVE'
|
||||
- 'DOWN'
|
||||
vnic_type:
|
||||
type: enum
|
||||
required: true
|
||||
description: "Port should be attached to this VNIC type"
|
||||
values:
|
||||
- 'normal'
|
||||
- 'virtual'
|
||||
- 'direct'
|
||||
- 'macvtap'
|
||||
- 'sriov'
|
||||
- 'whole-dev'
|
||||
mtu:
|
||||
type: integer
|
||||
description: "MTU"
|
||||
required: true
|
||||
vlan_transparency:
|
||||
type: boolean
|
||||
description: "Allow VLAN tagged traffic on Port"
|
||||
required: true
|
||||
profile:
|
||||
type: string # JSON Format
|
||||
length: 128
|
||||
description: "JSON string for binding profile dictionary"
|
||||
format: json
|
||||
device_id:
|
||||
type: uuid
|
||||
description: "UUID of bound VM"
|
||||
device_owner:
|
||||
type: string
|
||||
length: 128
|
||||
description: "Name of compute or network service (if bound)"
|
||||
host_id:
|
||||
type: string
|
||||
length: 64
|
||||
description: "binding:host_id: Name of bound host"
|
||||
vif_details:
|
||||
type: string # JSON Format
|
||||
length: 128
|
||||
description: "binding:vif_details: JSON string for VIF details"
|
||||
format: json
|
||||
vif_type:
|
||||
type: string
|
||||
length: 32
|
||||
description: "binding:vif_type: binding type for VIF"
|
||||
BaseInterface:
|
||||
extends: BaseObject
|
||||
attributes:
|
||||
port_id:
|
||||
type: uuid
|
||||
required: true
|
||||
description: "Pointer to Port instance"
|
||||
segmentation_type:
|
||||
type: enum
|
||||
required: true
|
||||
description: "Type of segmentation for this interface"
|
||||
values:
|
||||
- 'none'
|
||||
- 'vlan'
|
||||
- 'tunnel_vxlan'
|
||||
- 'tunnel_gre'
|
||||
- 'mpls'
|
||||
segmentation_id:
|
||||
type: integer
|
||||
required: true
|
||||
description: "Segmentation identifier"
|
||||
BaseService:
|
||||
extends: BaseObject
|
||||
attributes:
|
||||
description:
|
||||
type: string
|
||||
length: 256
|
||||
description: "Description of Service"
|
||||
BaseServiceBinding:
|
||||
attributes:
|
||||
tenant_id:
|
||||
type: uuid
|
||||
required: true
|
||||
description: "UUID of Tenant"
|
||||
interface_id:
|
||||
type: uuid
|
||||
required: true
|
||||
primary: true
|
||||
description: "Pointer to Interface instance"
|
||||
service_id:
|
||||
type: uuid
|
||||
required: true
|
||||
description: "Pointer to Service instance"
|
||||
policies:
|
||||
create:
|
||||
role: "rule:admin_or_owner"
|
||||
delete:
|
||||
role: "rule:admin_or_owner"
|
||||
list:
|
||||
role: "rule:admin"
|
||||
get:
|
||||
role: "rule:admin_or_owner"
|
||||
update:
|
||||
role: "rule:admin_or_owner"
|
||||
|
||||
API Specification
|
||||
*****************
|
||||
|
||||
::
|
||||
|
||||
file_version: 1.0
|
||||
imports: base/base.yaml
|
||||
info:
|
||||
name: net-l3vpn
|
||||
version: 1.0
|
||||
description "L3VPN API Specification"
|
||||
author:
|
||||
name: "Gluon Team"
|
||||
url: https://wiki.openstack.org/wiki/Gluon
|
||||
email: bh526r@att.com
|
||||
objects:
|
||||
Port:
|
||||
api:
|
||||
name: port
|
||||
plural_name: ports
|
||||
extends: BasePort
|
||||
attributes:
|
||||
alarms:
|
||||
type: string
|
||||
length: 255
|
||||
description: "Alarm summary for port"
|
||||
Interface:
|
||||
api:
|
||||
name: interface
|
||||
plural_name: interfaces
|
||||
parent: Port
|
||||
extends: BaseInterface
|
||||
VpnService:
|
||||
api:
|
||||
name: vpn
|
||||
plural_name: vpns
|
||||
extends: BaseService
|
||||
attributes:
|
||||
ipv4_family:
|
||||
type: string
|
||||
length: 255
|
||||
description: "Comma separated list of route target strings"
|
||||
ipv6_family:
|
||||
type: string
|
||||
length: 255
|
||||
description: "Comma separated list of route target strings"
|
||||
route_distinguishers:
|
||||
type: string
|
||||
length: 32
|
||||
description: "Route distinguisher for this VPN"
|
||||
VpnBinding:
|
||||
extends: BaseServiceBinding
|
||||
api:
|
||||
name: vpnbinding
|
||||
plural_name: vpnbindings
|
||||
attributes:
|
||||
service_id: # Override from base object for specific Service type
|
||||
type: VpnService
|
||||
required: true
|
||||
primary: true
|
||||
description: "Pointer to VpnService instance"
|
||||
ipaddress:
|
||||
type: string
|
||||
length: 23
|
||||
description: "IP Address of port"
|
||||
format: ipv4
|
||||
subnet_prefix:
|
||||
type: integer
|
||||
description: "Subnet mask"
|
||||
format: int32
|
||||
min: 1
|
||||
max: 31
|
||||
gateway:
|
||||
type: string
|
||||
length: 32
|
||||
description: "Default gateway"
|
||||
format: ipv4
|
||||
VpnAfConfig:
|
||||
api:
|
||||
name: vpnafconfig
|
||||
plural_name: vpnafconfigs
|
||||
attributes:
|
||||
vrf_rt_value:
|
||||
required: True
|
||||
type: string
|
||||
length: 32
|
||||
primary: 'True'
|
||||
description: "Route target string"
|
||||
vrf_rt_type:
|
||||
type: enum
|
||||
required: True
|
||||
description: "Route target type"
|
||||
values:
|
||||
- export_extcommunity
|
||||
- import_extcommunity
|
||||
- both
|
||||
import_route_policy:
|
||||
type: string
|
||||
length: 32
|
||||
description: "Route target import policy"
|
||||
export_route_policy:
|
||||
type: string
|
||||
length: 32
|
||||
description: "Route target export policy"
|
||||
file_version: "1.0"
|
||||
imports: base/base.yaml
|
||||
info:
|
||||
name: net-l3vpn
|
||||
version: 1.0
|
||||
description: "L3VPN API Specification"
|
||||
author:
|
||||
name: "Gluon Team"
|
||||
url: https://wiki.openstack.org/wiki/Gluon
|
||||
email: bh526r@att.com
|
||||
objects:
|
||||
Port:
|
||||
api:
|
||||
name: port
|
||||
plural_name: ports
|
||||
extends: BasePort
|
||||
Interface:
|
||||
api:
|
||||
name: interface
|
||||
plural_name: interfaces
|
||||
parent: Port
|
||||
parent_key: port_id
|
||||
extends: BaseInterface
|
||||
attributes:
|
||||
port_id:
|
||||
type: Port # Override from base object for specific Service type
|
||||
VpnService:
|
||||
api:
|
||||
name: vpn
|
||||
plural_name: vpns
|
||||
extends: BaseService
|
||||
attributes:
|
||||
ipv4_family:
|
||||
type: string
|
||||
length: 255
|
||||
description: "Comma separated list of route target strings"
|
||||
ipv6_family:
|
||||
type: string
|
||||
length: 255
|
||||
description: "Comma separated list of route target strings"
|
||||
route_distinguishers:
|
||||
type: string
|
||||
length: 32
|
||||
description: "Route distinguisher for this VPN"
|
||||
VpnBinding:
|
||||
extends: BaseServiceBinding
|
||||
api:
|
||||
name: vpnbinding
|
||||
plural_name: vpnbindings
|
||||
attributes:
|
||||
service_id: # Override from base object for specific Service type
|
||||
type: VpnService
|
||||
interface_id: # Override from base object for specific Interface type
|
||||
type: Interface
|
||||
ipaddress:
|
||||
type: string
|
||||
length: 16
|
||||
description: "IP Address of port"
|
||||
format: ipv4
|
||||
subnet_prefix:
|
||||
type: integer
|
||||
description: "Subnet mask"
|
||||
format: int32
|
||||
min: 1
|
||||
max: 31
|
||||
gateway:
|
||||
type: string
|
||||
length: 16
|
||||
description: "Default gateway"
|
||||
format: ipv4
|
||||
VpnAfConfig:
|
||||
api:
|
||||
name: vpnafconfig
|
||||
plural_name: vpnafconfigs
|
||||
attributes:
|
||||
tenant_id:
|
||||
type: uuid
|
||||
required: true
|
||||
description: "UUID of Tenant"
|
||||
vrf_rt_value:
|
||||
required: true
|
||||
type: string
|
||||
length: 32
|
||||
primary: true
|
||||
description: "Route target string"
|
||||
vrf_rt_type:
|
||||
type: enum
|
||||
required: true
|
||||
description: "Route target type"
|
||||
values:
|
||||
- export_extcommunity
|
||||
- import_extcommunity
|
||||
- both
|
||||
import_route_policy:
|
||||
type: string
|
||||
length: 32
|
||||
description: "Route target import policy"
|
||||
export_route_policy:
|
||||
type: string
|
||||
length: 32
|
||||
description: "Route target export policy"
|
||||
policies:
|
||||
create:
|
||||
role: "rule:admin_or_owner"
|
||||
delete:
|
||||
role: "rule:admin_or_owner"
|
||||
get:
|
||||
role: "rule:admin_or_owner"
|
||||
list:
|
||||
role: "rule:admin"
|
||||
update:
|
||||
role: "rule:admin_or_owner"
|
||||
BGPPeering:
|
||||
api:
|
||||
name: bgppeering
|
||||
plural_name: bgppeerings
|
||||
extends: BaseObject
|
||||
attributes:
|
||||
local_ip_address:
|
||||
required: true
|
||||
type: string
|
||||
format: ipv4
|
||||
length: 16
|
||||
description: "Local IP of the SDN controller which is supposed to
|
||||
create a new BGP peering with a remote SDN controller
|
||||
or data center gateway. This local IP is used as a
|
||||
unique identifier to allow the SDN controllers / shim
|
||||
layers to determine if a new peering which has been
|
||||
pushed to etcd is meant for them."
|
||||
peer_ip_address:
|
||||
required: true
|
||||
type: string
|
||||
format: ipv4
|
||||
length: 16
|
||||
description: "IP of the BGP neighbor to establish a peering with."
|
||||
as_number:
|
||||
required: true
|
||||
type: integer
|
||||
format: int32
|
||||
description: "Autonomous system number used by the local BGP stack."
|
||||
DataplaneTunnel:
|
||||
api:
|
||||
name: dataplanetunnel
|
||||
plural_name: dataplanetunnels
|
||||
extends: BaseObject
|
||||
attributes:
|
||||
local_tunnel_endpoint:
|
||||
required: true
|
||||
type: string
|
||||
format: ipv4
|
||||
length: 16
|
||||
description: "Local tunnel endpoint IP. This IP is used as a unique
|
||||
identifier to allow the SDN controller / shim layer to
|
||||
determine if this dataplane tunnel is supposed to be
|
||||
handled by them."
|
||||
remote_tunnel_endpoint:
|
||||
required: true
|
||||
type: string
|
||||
format: ipv4
|
||||
length: 16
|
||||
description: "Remote tunnel endpoint IP of the virtual switch or data
|
||||
center gateway."
|
||||
|
||||
References
|
||||
|
||||
.. [6] ./gluon-auth
|
||||
|
||||
|
|
|
@ -1,3 +1,24 @@
|
|||
..
|
||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
not use this file except in compliance with the License. You may obtain
|
||||
a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
License for the specific language governing permissions and limitations
|
||||
under the License.
|
||||
|
||||
Convention for heading levels in Gluon devref:
|
||||
======= Heading 0 (reserved for the title in a document)
|
||||
------- Heading 1
|
||||
~~~~~~~ Heading 2
|
||||
+++++++ Heading 3
|
||||
''''''' Heading 4
|
||||
(Avoid deeper levels because they do not render well.)
|
||||
|
||||
=============================
|
||||
Proton API Version Management
|
||||
=============================
|
||||
|
@ -22,136 +43,177 @@ When the Proton root URI "/proton/" is accessed it will return a list of Proton
|
|||
$ curl http://192.168.59.103:2705/proton/
|
||||
{
|
||||
"protons":
|
||||
[
|
||||
{ "status": "CURRENT",
|
||||
"proton_service": "net-l3vpn",
|
||||
"links":
|
||||
[
|
||||
{"id": "net-l3vpn",
|
||||
"status": "CURRENT",
|
||||
"links":
|
||||
[
|
||||
{"href": "http://192.168.59.103:2705/proton/net-l3vpn/",
|
||||
"rel": "self"
|
||||
}
|
||||
]
|
||||
},
|
||||
{"id": "bgp",
|
||||
"status": "CURRENT",
|
||||
"links":
|
||||
[
|
||||
{"href": "http://192.168.59.103:2705/proton/bgp/",
|
||||
"rel": "self"
|
||||
}
|
||||
]
|
||||
}
|
||||
...
|
||||
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn",
|
||||
"rel": "self"
|
||||
}
|
||||
]
|
||||
},
|
||||
{ "status": "CURRENT",
|
||||
"proton_service": "test",
|
||||
"links":
|
||||
[
|
||||
{ "href": "http://192.168.59.103:2705/proton/test",
|
||||
"rel": "self"
|
||||
}
|
||||
]
|
||||
},
|
||||
{ "status": "CURRENT",
|
||||
"proton_service": "ietf-sfc",
|
||||
"links":
|
||||
[
|
||||
{ "href": "http://192.168.59.103:2705/proton/ietf-sfc",
|
||||
"rel": "self"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
Proton Version Management
|
||||
-------------------------
|
||||
|
||||
Proton providers can specify version info in the proton model's YAML file.
|
||||
|
||||
**Example**
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
file_version: 1.0
|
||||
imports: base/base.yaml
|
||||
info:
|
||||
name: net-l3vpn
|
||||
version: 1.0
|
||||
description "L3VPN API Specification"
|
||||
...
|
||||
|
||||
Version information is appended to the root URL of a particular Proton, e.g. L3VPN.
|
||||
For example, <some URL>/proton/net-l3vpn/v1.
|
||||
For example, http://192.168.59.103:2705/proton/net-l3vpn/v1.0/.
|
||||
|
||||
When accessing the root URL of a particular Proton without version information, all
|
||||
available versions of this Proton will be returned so that users can choose to use
|
||||
a particular version of this Proton.
|
||||
|
||||
When accessing the root URL of a particular Proton with version information, all
|
||||
available resources in this version of Proton will be returned.
|
||||
|
||||
Proton providers can specify version info in the proton model's yaml file.
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ curl http://192.168.59.103:2705/proton/net-l3vpn/
|
||||
{
|
||||
"default_version":
|
||||
{"id": "v1",
|
||||
"status": "CURRENT",
|
||||
"links":
|
||||
[
|
||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/",
|
||||
"rel": "self"
|
||||
}
|
||||
]
|
||||
},
|
||||
"versions":
|
||||
[
|
||||
{"id": "v1",
|
||||
"status": "CURRENT",
|
||||
"links":
|
||||
[
|
||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/",
|
||||
"rel": "self"
|
||||
}
|
||||
]
|
||||
{ "status": "CURRENT",
|
||||
"proton_service": "net-l3vpn",
|
||||
"links":
|
||||
[
|
||||
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0",
|
||||
"rel": "self"
|
||||
}
|
||||
],
|
||||
"name": "net-l3vpn",
|
||||
"description": "net-l3vpn description..."
|
||||
],
|
||||
"version_id": "v1.0"
|
||||
},
|
||||
"versions":
|
||||
[
|
||||
{ "status": "CURRENT",
|
||||
"proton_service": "net-l3vpn",
|
||||
"links":
|
||||
[
|
||||
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0",
|
||||
"rel": "self"
|
||||
}
|
||||
],
|
||||
"version_id": "v1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
When accessing the root URL of a particular Proton with version information, all
|
||||
available resources in this version of Proton will be returned.
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ curl http://192.168.59.103:2705/proton/net-l3vpn/v1/
|
||||
$ curl http://192.168.59.103:2705/proton/net-l3vpn/v1.0/
|
||||
{
|
||||
"resources":
|
||||
[
|
||||
{"id": "interface",
|
||||
"status": "CURRENT",
|
||||
"links":
|
||||
[
|
||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/interface/",
|
||||
"rel": "self"
|
||||
}
|
||||
]
|
||||
},
|
||||
{"id": "port",
|
||||
"status": "CURRENT",
|
||||
"links":
|
||||
[
|
||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/port/",
|
||||
"rel": "self"
|
||||
}
|
||||
]
|
||||
},
|
||||
{"id": "vpn",
|
||||
"status": "CURRENT",
|
||||
"links":
|
||||
[
|
||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/vpn/",
|
||||
"rel": "self"
|
||||
}
|
||||
]
|
||||
},
|
||||
{"id": "vpnafconfig",
|
||||
"status": "CURRENT",
|
||||
"links":
|
||||
[
|
||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/vpnafconfig/",
|
||||
"rel": "self"
|
||||
}
|
||||
]
|
||||
},
|
||||
{"id": "vpnbinding",
|
||||
"status": "CURRENT",
|
||||
"links":
|
||||
[
|
||||
{"href":"http://192.168.59.103:2705/proton/net-l3vpn/v1/binding/",
|
||||
"rel": "self"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
[
|
||||
{ "status": "CURRENT",
|
||||
"proton_service": "net-l3vpn",
|
||||
"resource_name": "dataplanetunnels",
|
||||
"links":
|
||||
[
|
||||
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/dataplanetunnels",
|
||||
"rel": "self"
|
||||
}
|
||||
],
|
||||
"version_id": "v1.0"
|
||||
},
|
||||
{ "status": "CURRENT",
|
||||
"proton_service": "net-l3vpn",
|
||||
"resource_name": "bgppeerings",
|
||||
"links":
|
||||
[
|
||||
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/bgppeerings",
|
||||
"rel": "self"
|
||||
}
|
||||
],
|
||||
"version_id": "v1.0"
|
||||
},
|
||||
{ "status": "CURRENT",
|
||||
"proton_service": "net-l3vpn",
|
||||
"resource_name": "vpnafconfigs",
|
||||
"links":
|
||||
[
|
||||
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/vpnafconfigs",
|
||||
"rel": "self"
|
||||
}
|
||||
],
|
||||
"version_id": "v1.0"
|
||||
},
|
||||
{ "status": "CURRENT",
|
||||
"proton_service": "net-l3vpn",
|
||||
"resource_name": "vpns",
|
||||
"links":
|
||||
[
|
||||
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/vpns",
|
||||
"rel": "self"
|
||||
}
|
||||
],
|
||||
"version_id": "v1.0"
|
||||
},
|
||||
{ "status": "CURRENT",
|
||||
"proton_service": "net-l3vpn",
|
||||
"resource_name": "interfaces",
|
||||
"links":
|
||||
[
|
||||
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/interfaces",
|
||||
"rel": "self"
|
||||
}
|
||||
],
|
||||
"version_id": "v1.0"
|
||||
},
|
||||
{ "status": "CURRENT",
|
||||
"proton_service": "net-l3vpn",
|
||||
"resource_name": "vpnbindings",
|
||||
"links":
|
||||
[
|
||||
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/vpnbindings",
|
||||
"rel": "self"
|
||||
}
|
||||
],
|
||||
"version_id": "v1.0"
|
||||
},
|
||||
{ "status": "CURRENT",
|
||||
"proton_service": "net-l3vpn",
|
||||
"resource_name": "ports",
|
||||
"links":
|
||||
[
|
||||
{ "href": "http://192.168.59.103:2705/proton/net-l3vpn/v1.0/ports",
|
||||
"rel": "self"
|
||||
}
|
||||
],
|
||||
"version_id": "v1.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
**Example**
|
||||
|
||||
::
|
||||
|
||||
file_version: 1.0
|
||||
imports: base/base.yaml
|
||||
info:
|
||||
name: net-l3vpn
|
||||
version: 1.0
|
||||
description "L3VPN API Specification"
|
||||
...
|
||||
|
||||
|
|
|
@ -30,28 +30,32 @@ Current Repository Structure
|
|||
----------------------------
|
||||
|
||||
- **doc**
|
||||
- samples # Sample policy.json and proton.conf files
|
||||
- source # All documentation
|
||||
- devref # Developer Guides
|
||||
- testcase # Test Case proposals
|
||||
- doc/samples # Sample policy.json.sample and proton.conf.sample files
|
||||
- doc/source # All documentation
|
||||
- doc/source/devref # Developer Guides
|
||||
- doc/source/installation # Installation Guides
|
||||
- doc/source/testcase # Test Case proposals
|
||||
|
||||
- **etc** # Config options for model handlers and backends
|
||||
- proton # Config options for Protons
|
||||
- shim # Config options for Shims
|
||||
- **etc** # Config options for model handlers and backends
|
||||
- etc/proton # Config options for Protons
|
||||
- etc/shim # Config options for Shims
|
||||
|
||||
- **gluon** # Gluon code base
|
||||
- api # Proton API model and control
|
||||
- backends # Proton backend handlers, including ``net_l3vpn`` model handler
|
||||
- cmd # CLI API generator and other tools
|
||||
- common # Common libraries
|
||||
- db # Database handler
|
||||
- managers # API manager, including ``net_l3vpn`` API manager
|
||||
- models # Proton data model, including base model and ``net_l3vpn`` model
|
||||
- particleGenerator # Particle Generator to generate APIs from YAML
|
||||
- plugin # Extended ML2 Plugin for Gluon, a.k.a. Gluon Wrapper Plugin
|
||||
- shim # Shim Layer, including ``net-l3vpn`` model, sample backend and ODL backend
|
||||
- sync_etcd # Make hosts of ``etcd`` configurable
|
||||
- tests # Unit tests
|
||||
- **gluon** # Gluon code base
|
||||
- gluon/api # Proton API model and control
|
||||
- gluon/api/hooks # Policy enforcement is included here
|
||||
- gluon/backends # Proton backend handlers, including ``net_l3vpn`` model handler
|
||||
- gluon/cmd # CLI API generator and other tools
|
||||
- gluon/conf # Handling configuration options in /etc/proton/proton.conf
|
||||
- gluon/common # Common libraries
|
||||
- gluon/db # Database handler, e.g. managing database /opt/proton/gluon.sqlite
|
||||
- gluon/managers # API and model manager, including ``net_l3vpn`` API manager
|
||||
- gluon/models # Proton data model, including base model ``net_l3vpn`` model, and ``ietf-sfc`` model
|
||||
- gluon/particleGenerator # Particle Generator to generate APIs from YAML
|
||||
- gluon/plugin # Extended ML2 Plugin for Gluon, a.k.a. Gluon Wrapper Plugin
|
||||
- gluon/policies # Default rules definition at system level
|
||||
- gluon/shim # Shim Layer, including ``net-l3vpn`` model, sample backend and ODL backend
|
||||
- gluon/sync_etcd # Make hosts of ``etcd`` configurable
|
||||
- gluon/tests # Unit tests
|
||||
|
||||
- **releasenotes** # Enable release notes translation. Initiated by cookiecutter when repo was created
|
||||
|
||||
|
|
|
@ -21,6 +21,42 @@
|
|||
''''''' Heading 4
|
||||
(Avoid deeper levels because they do not render well.)
|
||||
|
||||
=================
|
||||
Install OpenStack
|
||||
=================
|
||||
|
||||
Before you start installing ``etcd``, please make sure that you have installed
|
||||
OpenStack Pike Release. For example, to install ``devstack`` Pike release:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ git clone https://github.com/openstack-dev/devstack -b stable/pike
|
||||
|
||||
# Then generate local.conf in devstack directory, then run
|
||||
$ ./stack.sh
|
||||
|
||||
=======================================
|
||||
Stop ``etcd3`` in Devstack Pike Release
|
||||
=======================================
|
||||
|
||||
OpenStack Pike Release starts ``etcd3`` by default when user starts stack,
|
||||
while Gluon is based on ``etcd-v2.3.6``. This will cause issue for Gluon.
|
||||
Thus you need to stop ``etcd3`` that is started by OpenStack Pike.
|
||||
|
||||
For Devstack Pike Release:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ sudo systemctl stop devstack@etcd.service
|
||||
|
||||
You may double check to make sure there is no etcd3 running:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ ps -aef | grep etcd
|
||||
|
||||
You should not see any etcd process running.
|
||||
|
||||
==========================
|
||||
Install ``etcd`` for Gluon
|
||||
==========================
|
||||
|
@ -37,22 +73,23 @@ On Each Node
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
curl -L https://github.com/coreos/etcd/releases/download/v2.3.6/etcd-v2.3.6-linux-amd64.tar.gz -o etcd-v2.3.6-linux-amd64.tar.gz
|
||||
Unzip/Untar the downloaded file
|
||||
$ curl -L https://github.com/coreos/etcd/releases/download/v2.3.6/etcd-v2.3.6-linux-amd64.tar.gz -o etcd-v2.3.6-linux-amd64.tar.gz
|
||||
|
||||
# Then Unzip/Untar the downloaded file
|
||||
|
||||
**STEP-2**: Copy executables to ``/usr/local/bin``
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
cd etcd-v2.3.6-linux-amd64
|
||||
sudo cp etcd /usr/local/bin
|
||||
sudo cp etcdctl /usr/local/bin
|
||||
$ cd etcd-v2.3.6-linux-amd64
|
||||
$ sudo cp etcd /usr/local/bin
|
||||
$ sudo cp etcdctl /usr/local/bin
|
||||
|
||||
**STEP-3**: Create a directory for ``etcd`` data
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sudo mkdir /var/etcd
|
||||
$ sudo mkdir /var/etcd
|
||||
|
||||
**STEP-4**: Create upstart ``init`` file:
|
||||
|
||||
|
@ -135,8 +172,12 @@ For instance, the files on the other two nodes would look like:
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
sudo iptables -A INPUT -p tcp -m multiport --ports 2380,2379 -m comment --comment "etcd" -j ACCEPT
|
||||
sudo invoke-rc.d iptables-persistent save
|
||||
$ sudo iptables -A INPUT -p tcp -m multiport --ports 2380,2379 -m comment --comment "etcd" -j ACCEPT
|
||||
$ sudo invoke-rc.d iptables-persistent save
|
||||
|
||||
# Note: for Ubuntu 16.04, you may have to use netfilter-persistent as follows:
|
||||
# sudo apt-get install netfilter-persistent
|
||||
# sudo invoke-rc.d netfilter-persistent save
|
||||
|
||||
**STEP-7**: Start the ``etcd`` server:
|
||||
|
||||
|
@ -144,15 +185,15 @@ As root:
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
initctl start etcd
|
||||
$ initctl start etcd
|
||||
|
||||
Or on ``ubuntu 14.04``, run:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sudo start etcd
|
||||
$ sudo start etcd
|
||||
|
||||
**STEP-8**: Verify the cluster is healty:
|
||||
**STEP-8**: Verify the cluster is healthy:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
@ -33,12 +33,12 @@ On Controller
|
|||
|
||||
Assume the user logged in with sudo privileges. On an Ubuntu system:
|
||||
|
||||
**STEP-1**: Clone Gluon Repository ``stable/ocata`` branch:
|
||||
**STEP-1**: Clone Gluon Repository ``stable/pike`` branch:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ cd ~
|
||||
$ git clone https://github.com/openstack/gluon.git -b stable/ocata
|
||||
$ git clone https://github.com/openstack/gluon.git -b stable/pike
|
||||
|
||||
**STEP-2**: Create user and group for gluon and proton users
|
||||
|
||||
|
@ -50,9 +50,9 @@ Assume the user logged in with sudo privileges. On an Ubuntu system:
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
$ sudo mkdir /opt/proton
|
||||
$ sudo mkdir /etc/proton
|
||||
$ sudo mkdir /var/log/proton
|
||||
$ sudo mkdir /opt/proton # Proton working directory, for such as gluon.sqlite
|
||||
$ sudo mkdir /etc/proton # Proton configuration directory, for such as proton.conf
|
||||
$ sudo mkdir /var/log/proton # Proton logs
|
||||
|
||||
**STEP-4**: Setup ``iptables``
|
||||
|
||||
|
@ -69,16 +69,27 @@ Assume the user logged in with sudo privileges. On an Ubuntu system:
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
$ sudo cat > /etc/proton/proton.conf <<EOF
|
||||
[DEFAULT]
|
||||
state_path = /opt/proton
|
||||
EOF
|
||||
#
|
||||
# Copy ~/gluon/etc/proton/proton.conf to /etc/proton/proton.conf
|
||||
# Copy ~/gluon/etc/proton/policy.json to /etc/proton/policy.json
|
||||
#
|
||||
|
||||
$ sudo cp ~/gluon/etc/proton/proton.conf /etc/proton/
|
||||
$ sudo cp ~/gluon/etc/proton/policy.json /etc/proton/
|
||||
|
||||
# After copying proton.conf, if you do not plan to use RBAC (Role-based Access Control) in Gluon,
|
||||
# please modify proton.conf by changing "auth_strategy" to "noauth" in [api] section. i.e:
|
||||
#
|
||||
# [api]
|
||||
# auth_strategy = noauth
|
||||
#
|
||||
|
||||
$ sudo chown -R proton:proton /opt/proton
|
||||
$ sudo chown -R proton:proton /etc/proton
|
||||
$ sudo chown -R proton:proton /var/log/proton
|
||||
$ sudo chmod 750 /etc/proton
|
||||
$ sudo chmod 644 /etc/proton/proton.conf
|
||||
$ sudo chmod 644 /etc/proton/policy.json
|
||||
$ sudo chmod 750 /var/log/proton
|
||||
|
||||
**STEP-6**: Install Gluon package
|
||||
|
@ -86,7 +97,7 @@ Assume the user logged in with sudo privileges. On an Ubuntu system:
|
|||
.. code-block:: bash
|
||||
|
||||
$ cd ~/gluon
|
||||
$ pip install -r requirements.txt
|
||||
$ sudo pip install -r requirements.txt
|
||||
$ python setup.py build
|
||||
$ sudo python setup.py develop
|
||||
$ sudo python setup.py install
|
||||
|
@ -123,7 +134,7 @@ following command:
|
|||
"ports": []
|
||||
}
|
||||
|
||||
**STEP-9**: Modify ``neutron.conf`` to point to the ``gluon plugin``
|
||||
**STEP-9**: Modify ``neutron.conf`` to point ``core_plugin`` to the ``gluon.plugin.core.GluonPlugin``
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
|
@ -140,6 +151,9 @@ Or in a devstack environment, do the following:
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
$ service devstack@q-svc restart
|
||||
|
||||
# Alternatively, you can do:
|
||||
# do "screen -x"
|
||||
# goto the screen for q-svc
|
||||
# do "Ctrl C" to kill the service
|
||||
|
@ -151,10 +165,16 @@ Or in a devstack environment, do the following:
|
|||
|
||||
# Source the openrc file for the admin user (depends on your system)
|
||||
# Create the dummy Gluon Network:
|
||||
$ neutron net-create --shared --provider:network_type local GluonNetwork
|
||||
$ openstack network create --share --provider-network-type local GluonNetwork
|
||||
|
||||
# Or legacy way:
|
||||
# neutron net-create --shared --provider:network_type local GluonNetwork
|
||||
|
||||
# Create the dummy GluonSubnet:
|
||||
$ neutron subnet-create --name GluonSubnet --no-gateway --disable-dhcp GluonNetwork 0.0.0.0/1
|
||||
$ openstack subnet create --network GluonNetwork --no-dhcp --gateway none --subnet-range 0.0.0.0/1 GluonSubnet
|
||||
|
||||
# Or legacy way:
|
||||
# neutron subnet-create --name GluonSubnet --no-gateway --disable-dhcp GluonNetwork 0.0.0.0/1
|
||||
|
||||
**STEP-12**: Restart ``neutron-server``
|
||||
|
||||
|
@ -162,6 +182,9 @@ Or in a devstack environment, do the following:
|
|||
|
||||
service neutron-server restart
|
||||
|
||||
# Or in Devstack:
|
||||
$ service devstack@q-svc restart
|
||||
|
||||
** The controller should be setup now**
|
||||
|
||||
**STEP-13**: Running the Sample Shim Layer Server
|
||||
|
@ -176,7 +199,134 @@ A test shim server is included in the gluon package. You need to:
|
|||
# Modify host list for shim server
|
||||
# Create br-gluon bridge
|
||||
|
||||
Role-based Access Control of Gluon
|
||||
----------------------------------
|
||||
|
||||
After we complete the basic setups as instructed above,
|
||||
Advanced users may also want to enable RBAC feature in Gluon.
|
||||
Please refer to [2]_ for the basic concept, and how to configure
|
||||
and enable RBAC in Gluon. Here is the summary of steps:
|
||||
|
||||
* RBAC-1: Create a new "NFV Networking" **service** named ``gluon``
|
||||
with service type ``nfvnet``
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ openstack service create --name gluon --description "NFV Network Service" nfvnet
|
||||
|
||||
* RBAC-2: Create a new **endpoint** under the **service** ``gluon``
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
# Note: you need to change the IP address 10.0.2.7 to match your environment
|
||||
|
||||
$ openstack endpoint create --region RegionOne gluon public http://10.0.2.7:2705/proton/
|
||||
$ openstack endpoint create --region RegionOne gluon admin http://10.0.2.7:2705/proton/
|
||||
$ openstack endpoint create --region RegionOne gluon internal http://10.0.2.7:2705/proton/
|
||||
|
||||
* RBAC-3: We reuse an existing **project** named ``service``
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
#
|
||||
# If you want to create a new project:
|
||||
# $ openstack project create --description <description of your new project> <new-project-name> --domain default
|
||||
#
|
||||
|
||||
* RBAC-4: Create a new **user** named ``gluon`` and password ``gluon``
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ openstack user create --password gluon gluon
|
||||
|
||||
* RBAC-5: Assign ``admin`` **role** to { ``service``, ``gluon`` } pair
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ openstack role add --project service --user gluon admin
|
||||
|
||||
* RBAC-6: Set environment variables
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
# Modify the ``openrc`` file in Gluon home directory (or in``devstack`` home directory)
|
||||
# with the appropriate value for you Keystone endpoint, your project name/tenant name,
|
||||
# your user name and password. Then run the following command to set these variables.
|
||||
#
|
||||
# $ source openrc <project_name> <user_name> <user_password>
|
||||
|
||||
$ source openrc service gluon gluon
|
||||
|
||||
* RBAC-7: Add the following configuration in ``/etc/proton/proton.conf``. Note that the
|
||||
``project_name``, ``username`` and ``password`` must match what you have created/used
|
||||
in prior steps.
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[api]
|
||||
auth_strategy = keystone
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = http://10.0.2.7:5000
|
||||
project_domain_name = Default
|
||||
project_name = service
|
||||
user_domain_name = Default
|
||||
password = gluon
|
||||
username = gluon
|
||||
auth_url = http://10.0.2.7:35357
|
||||
auth_type = password
|
||||
|
||||
* RBAC-8: If policies are defined in YAML, those policies will be applied.
|
||||
Otherwise, default policies defined in ``gluon/models/base/base.yaml`` will be used.
|
||||
|
||||
* RBAC-9: Restart ``proton-server``
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ sudo /usr/local/bin/proton-server --config-file /etc/proton/proton.conf --logfile /var/log/proton/api.log
|
||||
|
||||
* RBAC-10: Get token using curl or OpenStack CLI:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
#
|
||||
# Use curl
|
||||
#
|
||||
$ curl -s -X POST http://192.0.2.4:5000/v2.0/tokens \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{"auth": {"tenantName": "'"$OS_TENANT_NAME"'", \
|
||||
"passwordCredentials": {"username": "'"$OS_USERNAME"'", \
|
||||
"password": "'"$OS_PASSWORD"'"}}}' \
|
||||
| python -m json.tool
|
||||
|
||||
#
|
||||
# Or use OpenStack CLI
|
||||
#
|
||||
|
||||
$ openstack token issue
|
||||
|
||||
* RBAC-10: Now you can access Proton server with token
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
#
|
||||
# Note: you need to replace the exemplary token value with your own token value
|
||||
# and replace the Proton server URL with your own URL
|
||||
#
|
||||
|
||||
$ curl -s -H "X-Auth-Token: 1678f8ef3a97497b842f0f7088b0b090" http://192.0.2.4:2705 | python -m json.tool
|
||||
|
||||
#
|
||||
# Get a specific port information
|
||||
# Note you also need to replace the exemplary port-id with your own port-id
|
||||
#
|
||||
|
||||
$ curl -s -H "X-Auth-Token: 1678f8ef3a97497b842f0f7088b0b090" http://192.0.2.4:2705/proton/net-l3vpn/v1.0/ports/30f12741-ffe8-4c85-819b-04a496251f00
|
||||
|
||||
* RBAC-11: At this moment, RBAC should work fine now. You need to make sure that
|
||||
"X-Auth-Token: <auth-token>" header is always added in your RESTful http request.
|
||||
|
||||
References
|
||||
|
||||
.. [1] install_etcd
|
||||
|
||||
.. [2] ../devref/gluon-auth.inc
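Review bot: STEP-5 sets ``chmod 644 /etc/proton/proton.conf`` but RBAC-7 later writes the Keystone ``password`` for the ``gluon`` user into that same file, so the guide should tighten it to `$ sudo chmod 640 /etc/proton/proton.conf` (the 750 directory limits exposure today, but the file mode should not depend on that). The ``auth_strategy = noauth`` hint in STEP-5 is presented as a plain configuration choice; add a caveat such as `# noauth disables all authentication and policy checks on the Proton API (port 2705), so use it only in an isolated development environment` since RBAC-2 registers that port as a public endpoint. RBAC-4, RBAC-6 and RBAC-7 hard-code the literal password ``gluon`` and pass it on the command line (``source openrc service gluon gluon``), where it lands in shell history; the doc should tell readers to pick their own secret and keep the three places consistent rather than copy the example value. Minor: two steps are numbered RBAC-10, and the token example switches from 10.0.2.7 to 192.0.2.4 and uses the Keystone v2.0 token API, which in Pike is deprecated in favour of v3 — worth noting which one the reader should expect to work.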
|
||||
@ -30,6 +30,16 @@ and then use ``nova boot`` to bind the port to a VM. It is assumed that you
|
|||
have already installed ``etcd`` and **Gluon Plugin**, and started
|
||||
**Proton Server**. If not, please refer to [1]_.
|
||||
|
||||
Advanced users may also want to enable RBAC feature in Gluon. Please refer to
|
||||
"Gluon Authentication and Authorization" [2]_ for the basic concept,
|
||||
and how to configure and enable RBAC in Gluon. The setup steps are also described
|
||||
in [1]_.
|
||||
|
||||
This User Guide provides CLI examples. The RESTful API is specified in
|
||||
"Gluon API Specification" [3]_. If RBAC is enabled, you need to make sure
|
||||
that "X-Auth-Token: <auth-token>" header is always added in your
|
||||
RESTful HTTP request.
|
||||
|
||||
Getting Help
|
||||
------------
|
||||
|
||||
|
@ -38,12 +48,16 @@ information:
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# GET /proton HTTP/1.1
|
||||
|
||||
$ protonclient --help
|
||||
--api is not specified!
|
||||
|
||||
Usage: protonclient --api <api_name> [OPTIONS] COMMAND[ARGS]...
|
||||
|
||||
Options:
|
||||
--api TEXT Name of API, one of ['net-l3vpn', 'test']
|
||||
--api TEXT Name of API, one of ['ietf-sfc', 'net-l3vpn', 'test']
|
||||
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
||||
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
||||
--help Show this message and exit.
|
||||
|
@ -58,13 +72,16 @@ parameters are required, and gives you general help information too:
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# GET /proton HTTP/1.1
|
||||
|
||||
$ protonclient
|
||||
--api is not specified!
|
||||
|
||||
Usage: protonclient --api <api_name> [OPTIONS] COMMAND[ARGS]...
|
||||
|
||||
Options:
|
||||
--api TEXT Name of API, one of ['net-l3vpn', 'test']
|
||||
--api TEXT Name of API, one of ['ietf-sfc', 'net-l3vpn', 'test']
|
||||
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
||||
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
||||
--help Show this message and exit.
|
||||
|
@ -78,6 +95,9 @@ correct command line usage.
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# GET /proton/net-l3vpn/v1.0 HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn
|
||||
Usage: protonclient [OPTIONS] COMMAND [ARGS]...
|
||||
|
||||
|
@ -85,6 +105,16 @@ correct command line usage.
|
|||
--help Show this message and exit.
|
||||
|
||||
Commands:
|
||||
bgppeering-create
|
||||
bgppeering-delete
|
||||
bgppeering-list
|
||||
bgppeering-show
|
||||
bgppeering-update
|
||||
dataplanetunnel-create
|
||||
dataplanetunnel-delete
|
||||
dataplanetunnel-list
|
||||
dataplanetunnel-show
|
||||
dataplanetunnel-update
|
||||
interface-create
|
||||
interface-delete
|
||||
interface-list
|
||||
|
@ -116,6 +146,9 @@ Create ``Interface`` Object
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# POST /proton/net-l3vpn/v1.0/interfaces HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn interface-create --help
|
||||
Usage: protonclient interface-create [OPTIONS]
|
||||
|
||||
|
@ -126,6 +159,7 @@ Create ``Interface`` Object
|
|||
--segmentation_type [none|vlan|tunnel_vxlan|tunnel_gre|mpls]
|
||||
Type of segmentation for this interface
|
||||
[required]
|
||||
--tenant_id TEXT UUID of Tenant [required]
|
||||
--port_id TEXT Pointer to Port instance [required]
|
||||
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
||||
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
||||
|
@ -139,6 +173,9 @@ UUID of the parent ``Port``.
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# GET /proton/net-l3vpn/v1.0/interfaces HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn interface-list
|
||||
{
|
||||
"interfaces": [
|
||||
|
@ -147,6 +184,7 @@ UUID of the parent ``Port``.
|
|||
"segmentation_id": 0,
|
||||
"created_at": "2017-02-14T20:35:47.760126",
|
||||
"updated_at": "2017-02-14T20:35:47.760126",
|
||||
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||
"port_id": "fe338d4c-2aef-4487-aa25-cb753bf02518",
|
||||
"segmentation_type": "none",
|
||||
"id": "fe338d4c-2aef-4487-aa25-cb753bf02518"
|
||||
|
@ -159,6 +197,9 @@ Create ``VPNAFConfig`` Object
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# POST /proton/net-l3vpn/v1.0/vpnafconfigs HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn vpnafconfig-create --help
|
||||
Usage: protonclient vpnafconfig-create [OPTIONS]
|
||||
|
||||
|
@ -168,6 +209,7 @@ Create ``VPNAFConfig`` Object
|
|||
--import_route_policy TEXT Route target import policy
|
||||
--vrf_rt_type [export_extcommunity|import_extcommunity|both]
|
||||
Route target type [required]
|
||||
--tenant_id TEXT UUID of Tenant [required]
|
||||
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
||||
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
||||
--help Show this message and exit.
|
||||
|
@ -176,7 +218,10 @@ Create ``VPNAFConfig`` Object
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
$ protonclient --api net-l3vpn vpnafconfig-create --vrf_rt_type both --vrf_rt_value 1000:1000
|
||||
# The equivalent RESTful API is
|
||||
# POST /proton/net-l3vpn/v1.0/vpnafconfigs HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn vpnafconfig-create --vrf_rt_type both --vrf_rt_value 1000:1000 --tenant_id a868a466bca84df18404a77db0ecac72
|
||||
{
|
||||
"vrf_rt_type": "both",
|
||||
"vrf_rt_value": "1000:1000"
|
||||
|
@ -187,18 +232,22 @@ Create ``VPN`` Object
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# POST /proton/net-l3vpn/v1.0/vpns HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn vpn-create --help
|
||||
Usage: protonclient vpn-create [OPTIONS]
|
||||
|
||||
Options:
|
||||
--id TEXT UUID of VPN instance
|
||||
--name TEXT Name of VPN [required]
|
||||
--id TEXT UUID of Object
|
||||
--name TEXT Descriptive name of Object
|
||||
--tenant_id TEXT UUID of Tenant [required]
|
||||
--ipv4_family TEXT Comma separated list of route target strings
|
||||
(VpnAfConfig)
|
||||
--ipv6_family TEXT Comma separated list of route target strings
|
||||
(VpnAfConfig)
|
||||
--route_distinguishers TEXT Route distinguisher for this VPN
|
||||
--description TEXT About the VPN
|
||||
--description TEXT Description of Service
|
||||
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
||||
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
||||
--help Show this message and exit.
|
||||
|
@ -209,10 +258,14 @@ The UUID of VPN instance ``id`` is generated by Proton and returned.
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
$ protonclient --api net-l3vpn vpn-create --name "TestVPN" --ipv4_family 1000:1000 --ipv6_family 1000:1000 --route_distinguishers 1000:1000 --description "My Test VPN"
|
||||
# The equivalent RESTful API is
|
||||
# POST /proton/net-l3vpn/v1.0/vpns HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn vpn-create --name "TestVPN" --ipv4_family 1000:1000 --ipv6_family 1000:1000 --route_distinguishers 1000:1000 --tenant_id a868a466bca84df18404a77db0ecac72 --description "My Test VPN"
|
||||
{
|
||||
"description": "My Test VPN",
|
||||
"route_distinguishers": "1000:1000",
|
||||
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||
"created_at": "2017-02-14T20:37:58.592999",
|
||||
"updated_at": "2017-02-14T20:37:58.592999",
|
||||
"ipv6_family": "1000:1000",
|
||||
|
@ -226,6 +279,9 @@ Create ``Port`` Object
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# POST /proton/net-l3vpn/v1.0/ports HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn port-create --help
|
||||
Usage: protonclient port-create [OPTIONS]
|
||||
|
||||
|
@ -244,7 +300,7 @@ Create ``Port`` Object
|
|||
[required]
|
||||
--vif_details TEXT binding:vif_details: JSON string for VIF
|
||||
details
|
||||
--tenant_id TEXT UUID of Tenant owning this Port [required]
|
||||
--tenant_id TEXT UUID of Tenant [required]
|
||||
--admin_state_up BOOLEAN Admin state of Port [required]
|
||||
--name TEXT Descriptive name of Object
|
||||
--vif_type TEXT binding:vif_type: binding type for VIF
|
||||
|
@ -256,7 +312,7 @@ Create ``Port`` Object
|
|||
|
||||
These values should be specified.
|
||||
|
||||
The ``tenant_id`` should be obtained from OpenStack.
|
||||
The ``tenant_id`` should be a ``project-id`` obtained from OpenStack.
|
||||
|
||||
The UUID of the object ``id`` is generated by the Proton and returned.
|
||||
|
||||
|
@ -264,6 +320,9 @@ The UUID of the object ``id`` is generated by the Proton and returned.
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# POST /proton/net-l3vpn/v1.0/ports HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn port-create --mac_address c8:2a:14:04:43:80 --mtu 1500 --admin_state_up True --name "TestVPNPort" --vlan_transparency True --vnic_type normal --vif_type ovs --status ACTIVE --tenant_id 5205b400fa6c4a888a0b229200562229
|
||||
{
|
||||
"profile": null,
|
||||
|
@ -272,7 +331,7 @@ The UUID of the object ``id`` is generated by the Proton and returned.
|
|||
"name": "TestVPNPort",
|
||||
"device_owner": null,
|
||||
"admin_state_up": true,
|
||||
"tenant_id": "5205b400fa6c4a888a0b229200562229",
|
||||
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||
"created_at": "2017-02-14T20:35:47.749427",
|
||||
"vif_details": null,
|
||||
"updated_at": "2017-02-14T20:35:47.749427",
|
||||
|
@ -298,12 +357,16 @@ You can view the values with the following commands:
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# GET /proton/net-l3vpn/v1.0/vpns HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn vpn-list
|
||||
{
|
||||
"vpns": [
|
||||
{
|
||||
"description": "My Test VPN",
|
||||
"route_distinguishers": "1000:1000",
|
||||
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||
"created_at": "2017-02-14T20:37:58.592999",
|
||||
"updated_at": "2017-02-14T20:37:58.592999",
|
||||
"ipv6_family": "1000:1000",
|
||||
|
@ -313,7 +376,11 @@ You can view the values with the following commands:
|
|||
}
|
||||
]
|
||||
}
|
||||
$
|
||||
$
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# GET /proton/net-l3vpn/v1.0/ports HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn port-list
|
||||
{
|
||||
"ports": [
|
||||
|
@ -324,7 +391,7 @@ You can view the values with the following commands:
|
|||
"name": "TestVPNPort",
|
||||
"device_owner": null,
|
||||
"admin_state_up": true,
|
||||
"tenant_id": "5205b400fa6c4a888a0b229200562229",
|
||||
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||
"created_at": "2017-02-14T20:35:47.749427",
|
||||
"vif_details": null,
|
||||
"updated_at": "2017-02-14T20:35:47.749427",
|
||||
|
@ -347,6 +414,9 @@ You need to create a ``vpnbinding`` object to tie the ``Interface`` and the
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# POST /proton/net-l3vpn/v1.0/vpnbindings HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn vpnbinding-create --help
|
||||
Usage: protonclient vpnbinding-create [OPTIONS]
|
||||
|
||||
|
@ -356,6 +426,7 @@ You need to create a ``vpnbinding`` object to tie the ``Interface`` and the
|
|||
--ipaddress TEXT IP Address of port
|
||||
--subnet_prefix INTEGER Subnet mask
|
||||
--service_id TEXT Pointer to Service instance [required]
|
||||
--tenant_id TEXT UUID of Tenant [required]
|
||||
--port INTEGER Port of endpoint (OS_PROTON_PORT)
|
||||
--host TEXT Host of endpoint (OS_PROTON_HOST)
|
||||
--help Show this message and exit.
|
||||
|
@ -370,8 +441,12 @@ default ``interface`` object, and the ``id`` of the ``vpn`` object.
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
$ protonclient --api net-l3vpn vpnbinding-create --interface_id fe338d4c-2aef-4487-aa25-cb753bf02518 --service_id b70b4bbd-aa40-48d7-aa4b-57cc2fd34010 --ipaddress 10.10.0.2 --subnet_prefix 24 --gateway 10.10.0.1
|
||||
# The equivalent RESTful API is
|
||||
# POST /proton/net-l3vpn/v1.0/vpnbindings HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn vpnbinding-create --interface_id fe338d4c-2aef-4487-aa25-cb753bf02518 --service_id b70b4bbd-aa40-48d7-aa4b-57cc2fd34010 --ipaddress 10.10.0.2 --subnet_prefix 24 --gateway 10.10.0.1 --tenant_id a868a466bca84df18404a77db0ecac72
|
||||
{
|
||||
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||
"created_at": "2017-02-14T20:39:52.382433",
|
||||
"subnet_prefix": 24,
|
||||
"updated_at": "2017-02-14T20:39:52.382433",
|
||||
|
@ -386,10 +461,14 @@ View ``VPNBinding`` Objects
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
# The equivalent RESTful API is
|
||||
# GET /proton/net-l3vpn/v1.0/vpnbindings HTTP/1.1
|
||||
|
||||
$ protonclient --api net-l3vpn vpnbinding-list
|
||||
{
|
||||
"vpnbindings": [
|
||||
{
|
||||
"tenant_id": "a868a466bca84df18404a77db0ecac72",
|
||||
"created_at": "2017-02-14T20:39:52.382433",
|
||||
"subnet_prefix": 24,
|
||||
"updated_at": "2017-02-14T20:39:52.382433",
|
||||
|
@ -409,7 +488,9 @@ Create VM and Bind our L3VPN Port
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
$ nova --debug boot --flavor 1 --image cirros --nic port-id=fe338d4c-2aef-4487-aa25-cb753bf02518 TestGluon
|
||||
# Refer to Nova documentation for RESTful APIs
|
||||
|
||||
$ nova --debug boot --flavor m1.tiny --image cirros --nic port-id=fe338d4c-2aef-4487-aa25-cb753bf02518 TestGluon
|
||||
|
||||
When bound, the ``etcd`` data will look like:
|
||||
|
||||
|
@ -446,5 +527,6 @@ To Use Gluon in a Project
|
|||
|
||||
References
|
||||
|
||||
.. [1] installation
|
||||
|
||||
.. [1] installation.rst
|
||||
.. [2] devref/gluon-auth.inc
|
||||
.. [3] devref/gluon_api_spec.inc
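Review bot: The new ``--tenant_id TEXT UUID of Tenant [required]`` option on the create commands makes the owner of every object a caller-supplied value, while the RBAC ``owner`` rule is expressed as ``tenant_id:%(tenant_id)s``; the page does not show whether the Proton server cross-checks that value against the project in the validated token, so the guide should state it (or the server should reject a mismatch), otherwise any authenticated user could create objects "owned" by another project. The user-guide text says the ``X-Auth-Token`` header must always be present when RBAC is enabled, but the ``protonclient`` option lists shown here only have ``--host``/``--port``, so add a sentence saying where the client takes the token from (for example the ``OS_*`` variables set by ``openrc``, or how to pass one obtained from ``openstack token issue``). A short note near "The ``tenant_id`` should be a ``project-id`` obtained from OpenStack" such as `# With auth_strategy = keystone, tenant_id must match the project of the token you authenticate with` would make the expectation explicit.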
|
||||
@ -1,42 +1,2 @@
|
|||
{
|
||||
"COMMENT": "This file is no longer needed, but for historical record !!!",
|
||||
"COMMENT": "The policy.json file in /etc/proton directory should contain",
|
||||
"COMMENT": "empty json object: {}",
|
||||
|
||||
"COMMENT": "This first part is moved to code in policies/base.py",
|
||||
"context_is_admin": "role:admin",
|
||||
"owner": "tenant_id:%(tenant_id)s",
|
||||
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
||||
"context_is_advsvc": "role:advsvc",
|
||||
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
||||
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
||||
"admin_only": "rule:context_is_admin",
|
||||
"regular_user": "",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"COMMENT": "The rest of policies are defined in YAML",
|
||||
"create_ports": "rule:admin_or_network_owner",
|
||||
"get_ports": "rule:admin_or_owner",
|
||||
"update_ports": "rule:admin_or_network_owner",
|
||||
"delete_ports": "rule:admin_or_network_owner",
|
||||
|
||||
"create_interfaces": "rule:admin_or_network_owner",
|
||||
"get_interfaces": "rule:admin_or_owner",
|
||||
"update_interfaces": "rule:admin_or_network_owner",
|
||||
"delete_interfaces": "rule:admin_or_network_owner",
|
||||
|
||||
"create_vpns": "rule:admin_or_network_owner",
|
||||
"get_vpns": "rule:admin_or_owner",
|
||||
"update_vpns": "rule:admin_or_network_owner",
|
||||
"delete_vpns": "rule:admin_or_network_owner",
|
||||
|
||||
"create_vpnbindings": "rule:admin_or_network_owner",
|
||||
"get_vpnbindings": "rule:admin_or_owner",
|
||||
"update_vpnbindings": "rule:admin_or_network_owner",
|
||||
"delete_vpnbindings": "rule:admin_or_network_owner",
|
||||
|
||||
"create_vpnafconfigs": "rule:admin_or_network_owner",
|
||||
"get_vpnafconfigs": "rule:admin_or_owner",
|
||||
"update_vpnafconfigs": "rule:admin_or_network_owner",
|
||||
"delete_vpnafconfigs": "rule:admin_or_network_owner",
|
||||
}
|
||||
@ -14,15 +14,24 @@ auth_strategy = keystone
|
|||
auth_uri = http://127.0.0.1/5000
|
||||
|
||||
project_domain_name = Default
|
||||
|
||||
# OpenStack project name. Please make sure that the *project_name* used here
|
||||
# is consistent with the *project* name used/created at step RBAC-3 in
|
||||
# "Install Gluon Plugin and Proton Server" (doc/source/installation/install_gluon.rst)
|
||||
project_name = service
|
||||
|
||||
user_domain_name = Default
|
||||
password = welcome
|
||||
|
||||
# keystone login username and password.
|
||||
# Please make sure that the *username* and *password* used here are consistent with
|
||||
# the *user* name and *password* created/used at step RBAC-4 in
|
||||
# "Install Gluon Plugin and Proton Server" (doc/source/installation/install_gluon.rst)
|
||||
password = gluon
|
||||
username = gluon
|
||||
|
||||
# keystone identity_admin, change 127.0.0.1 to keystone endpoint
|
||||
auth_url = http://127.0.0.1/35357
|
||||
|
||||
|
||||
auth_type = password
|
||||
|
||||
[oslo_policy]
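Review bot: The sample config now ships a real-looking credential, ``password = gluon``, for a user that the install guide grants the ``admin`` role; readers who copy ``etc/proton/proton.conf`` into ``/etc/proton`` as instructed will run with that value unless they notice the comment. Use an obvious placeholder, `password = CHANGE_ME`, and extend the new comment with `# Never use the example value in a deployment; set a unique secret and keep this file readable by the proton user only`. The ``auth_uri``/``auth_url`` lines appear to be unchanged context, but ``http://127.0.0.1/5000`` and ``http://127.0.0.1/35357`` put the port after a slash, so as written they point at a path on port 80 rather than Keystone; they should read `auth_uri = http://127.0.0.1:5000` and `auth_url = http://127.0.0.1:35357` (and https in anything beyond a lab).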
|
||||
@ -1,9 +1,10 @@
|
|||
============================================
|
||||
gluon Release Notes
|
||||
============================================
|
||||
===================
|
||||
Gluon Release Notes
|
||||
===================
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
unreleased
|
||||
ocata
|
||||
pike
|
||||
@ -0,0 +1,6 @@
|
|||
=========================
|
||||
Pike Series Release Notes
|
||||
=========================
|
||||
|
||||
.. release-notes::
|
||||
:branch: origin/stable/pike
|