Hi,

We have compared the API that is in the blue print to the one described in 
Stephen's documents.
The differences we have found follow:

1)      L7PolicyVipAssoc is gone, this means that L7 policy reuse is not 
possible. I have added use cases 42 and 43 to show where such reuse makes sense.

2)      There is a mix between L7 content switching and L7 content 
modification, the API in the blue print only addresses L7 content switching. I 
think that we should separate the APIs from each other. I think that we should 
review/add use cases targeting L7 content modifications to the use cases 
document.

a.      You can see this in L7Policy: APPEND_HEADER, DELETE_HEADER actions

3)      The action to redirect to a URL is missing in Stephen’s document. The 
'redirect' action in Stephen’s document is equivalent to the “pool” action in 
the blue print/code.

4)      All the objects have their parent id as an optional argument 
(L7Rule.l7_policy_id, L7Policy.listener_id), is this a mistake?

5)      There is also the additional behavior based on L3 information (matching 
the client/source IP to a subnet). This is addressed by L7Rule.type with a 
value of 'CLIENT_IP' and L7Rule.compare_type with a value of 'SUBNET'. I think 
that using Layer 3 type information should not be part of L7 content switching, 
as the use cases I am aware of might require more than just selecting a 
different pool (ex: a user with an IP from the internet browsing to an https based 
application might need to be secured using 2K SSL keys, while internal users 
could use weaker keys).

I would like to state that although the WIKI describes the solution from a high 
level it is not totally in sync with the actual code.
The key thing which is missing is that L7 Policies in a specific listener/vip 
are ordered (ordered list) and are processed in order so that the 1st policy 
that has a match will be activated and traversal of the L7 policy list is 
stopped as the processing is final (ex: redirect, pool, reject).
This in effect means that L7 Policies form an ‘or’ condition between them.
L7 Policies have an ordered list of L7 Rules; L7 Rules are processed in this 
order and also form an ‘or’ condition.

Regards,
                -Avishay, Evgeny and Sam



From: Samuel Bercovici [mailto:samu...@radware.com]
Sent: Sunday, April 27, 2014 1:53 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Neutron][LBaaS]SSL and L7 conent switching APIs

Hi,

The work to design the APIs concerning L7 content switching and SSL termination 
started a bit before the Icehouse summit; it involved the ML in a very 
active fashion.
The ML was silent on this because we have completed the discussion and moved to 
implementation.
We got to a very advanced state in completing the code, which got stopped due to 
the discussion about the core model (VIPs, Pools, etc.).
The blue prints, WIKIs and code are public 
(https://blueprints.launchpad.net/neutron/+spec/lbaas-l7-rules and 
https://blueprints.launchpad.net/neutron/+spec/lbaas-ssl-termination ).
Please take the time to review and discuss on ML if something is missing so we 
can talk about this at the summit.

-Sam.

