6.7 KiB
Introduce globally shared resources
Launchpad blueprint:
https://blueprints.launchpad.net/group-based-policy/+spec/introduce-shared-attribute
Today, it's not possible to create shared GBP resources. This is especially useful in order to avoid duplication of policies among tenants.
This blueprint introduces a "shared" attribute to certain GBP resources.
Problem description
In the context of concerns separation, it's very important that a user (e.g. the admin) shares some of the resources he created in order for different kind of users to be able to consume them.
To achieve this, the API should be able to offer a way to specify whether a resource is shared or not. This behavior doesn't exist in our current Group Based Policy implementation.
Proposed change
This change proposes the introduction of a "shared" attribute for the following GBP resources:
- Policy Rule Sets;
- Policy Target Groups;
- L2 Policies;
- L3 Policies;
- Network Service policies;
- Policy Rules;
- Policy Classifiers.
- Policy Actions.
The behavior will be consistent with Neutron's already existing sharing policy. Which means that a given resource can be either consumable by a single tenant or shared globally. Shared resources will be modifiable only by the owner or the admin when applied. The Policy Target resource has been excluded from the list above since it is intrinsically something that the user creates and consumes for himself.
The sharing constraints are the following:
- A shared resource can only be associated with other shared resources. For example, a shared L2_Policy can only exist on a shared L3_Policy;
- A shared resource can be CRUD based on the rules described by the policy.json file;
- A shared resource can't be reverted to non shared if being used by either shared or other tenants' resources.
- Although the model provides as much flexibility as possible (constrained by the above rules) each driver should limit the sharing capabilities based on their own implementations.
The proposed default policy.json follows:
{
"context_is_admin": "role:admin",
"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"default": "rule:admin_or_owner",
"gbp_shared": "field:policy_target_groups:shared=True",
"create_policy_target_group": "",
"create_policy_target_group:shared": "rule:admin_only",
"get_policy_target_group": "rule:admin_or_owner or rule:gbp_shared",
"update_policy_target_group:shared": "rule:admin_only",
"create_l2_policy": "",
"create_l2_policy:shared": "rule:admin_only",
"get_l2_policy": "rule:admin_or_owner or rule:gbp_shared",
"update_l2_policy:shared": "rule:admin_only",
"create_l3_policy": "",
"create_l3_policy:shared": "rule:admin_only",
"get_l3_policy": "rule:admin_or_owner or rule:gbp_shared",
"update_l3_policy:shared": "rule:admin_only",
"create_policy_classifier": "",
"create_policy_classifier:shared": "rule:admin_only",
"get_policy_classifier": "rule:admin_or_owner or rule:gbp_shared",
"update_policy_classifier:shared": "rule:admin_only",
"create_policy_action": "",
"create_policy_action:shared": "rule:admin_only",
"get_policy_action": "rule:admin_or_owner or rule:gbp_shared",
"update_policy_action:shared": "rule:admin_only",
"create_policy_rule": "",
"create_policy_rule:shared": "rule:admin_only",
"get_policy_rule": "rule:admin_or_owner or rule:gbp_shared",
"update_policy_rule:shared": "rule:admin_only",
"create_policy_rule_set": "",
"create_policy_rule_set:shared": "rule:admin_only",
"get_policy_rule_set": "rule:admin_or_owner or rule:gbp_shared",
"update_policy_rule_set:shared": "rule:admin_only",
"create_network_service_policy": "",
"create_network_service_policy:shared": "rule:admin_only",
"get_network_service_policy": "rule:admin_or_owner or rule:gbp_shared",
"update_network_service_policy:shared": "rule:admin_only"
}Any datapath impact caused by a shared resource has to be defined by the driver itself.
The Neutron mapping driver refactor will include sharing of the following resources:
- L3_Policy: only usable by the same tenant;
- L2_Policy: only usable by the same tenant;
- PTG: usable by any tenant when shared for PT placement;
- Policy Classifiers: usable by any tenant when shared;
- Policy Actions: usable by any tenant when shared;
- Policy Rules: usable by any tenant when shared.
L3 and L2 policies need to be sharable to allow PTG sharing. However, no external tenant could use them because there's no way today in Neutron to share a Router. Security groups are also not sharable in Neutron, therefore PRS is not listed above.
One use case for sharing PTG is when the could admin provides a common management PTG to all the tenants. They could then create multi-homed VMs and use it according to the policies.
Alternatives
At this time there's no alternative proposal.
Data model impact
A "shared" field is added to the resources listed in the "Proposed change" section.
REST API impact
The REST API will show the "shared" attribute for the resource listed in the "Proposed change" section.
Security impact
This blueprint has no security impact.
Notifications impact
This blueprint has no impact on notifications.
Other end user impact
The end user will now be able to see and consume shared resources.
Performance impact
This blueprint does not have significant impact on performance.
Other deployer impact
This blueprint does not have deployment impact
Developer impact
GBP driver's developers should now be aware that some resources could be shared among tenants and therefore should program accordingly.
Implementation
Assignee(s)
- Primary assignee:
-
mmaleckk
- Other contributors:
-
None
Work items
- Add resource attribute to REST API;
- Add model fields to the proper resources;
- Refactor Neutron resource mapping driver to support shared resources.
Dependencies
None
Testing
Unit tests will be added to verify the resource visibility and usability.
Documentation impact
Eventual GBP documentation will need to provide explanations on how the "shared" attribute works and examples on how to use it.
References
None