The normal tenant will see the external network if it is shared, so they are allowed to get floating IPs.
Sent from iPhone

> On 02 Oct 2014, at 20:06, James Denton <[email protected]> wrote:
>
> Hi Danny,
>
> When 'admin' creates a network they are able to specify the following
> attributes:
>
> - provider:network_type (ie. vxlan, gre, vlan, flat, local)
> - provider:segmentation_id (ie. 802.1q tag, gre key, vxlan vni)
> - provider:physical_network (ie. provider label of the physical interface -
> physnet1, ph-eth1, etc)
>
> The following attribute that allows the network to be used as an external
> network of a router:
> - router:external (ie. true/false)
>
> The following attribute that allows the network to be shared amongst tenants:
> - shared (ie. true/false)
>
> A tenant does not have the ability to specify any of those attributes. If
> they try, they will be rejected. Tenants should have no visibility into the
> 'type' of networks they create, and are in fact limited to particular network
> types and IDs that are specified in the plugin configuration file or
> ml2_conf.ini. I believe the configuration options are 'tenant_network_type'
> and 'network_vlan_ranges'. That is why you do not see the provider attributes
> as the tenant, even though they technically exist for ALL networks,
> regardless of who created them.
>
> Admin users are not restricted by the options in the config file, and can
> create a network using any network type or segmentation ID that they choose.
>
> In Horizon, you will likely only see networks owned by the tenant when you go
> to the 'Project' tab. In the 'Admin' tab, you would see all networks.
>
> Hope that helps,
> James
>
> From: Danny Choi (dannchoi) [[email protected]]
> Sent: Thursday, October 02, 2014 8:14 PM
> To: [email protected]
> Cc: bxb-openstack-dev(mailer list)
> Subject: [Openstack] What is the difference between provider network and
> tenant network?
>
> Hi,
>
> I used devstack to deploy Juno OpenStack.
>
> By default, devstack created 2 users: admin (with role “admin”) and demo.
>
> ubuntu@trusty1:~/devstack$ source openrc admin admin
> ubuntu@trusty1:~/devstack$ keystone user-list
> +----------------------------------+---------+---------+------------------+
> | id                               | name    | enabled | email            |
> +----------------------------------+---------+---------+------------------+
> | 3f09f4a2e2e5476681f7726d1bd7a238 | admin   | True    |                  | <<<<<
> | f9b63fc02a2c41c4a99508215d34698e | cinder  | True    |                  |
> | b31235476f904c968a48a6ed13a4423d | demo    | True    | [email protected] | <<<<<
> | 1379192fe5f7427db0b9550f31ae3c8d | glance  | True    |                  |
> | 349ef723ec7e40c6bd4b8d8284696a04 | heat    | True    |                  |
> | db2c4d82c9154d4eb58b3308041e8280 | neutron | True    |                  |
> | 87becace86e2459493a5e692b47374a8 | nova    | True    |                  |
> +----------------------------------+---------+---------+------------------+
> ubuntu@trusty1:~/devstack$ keystone user-role-list --user admin --tenant admin
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> | id                               | name             | user_id                          | tenant_id                        |
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | 3f09f4a2e2e5476681f7726d1bd7a238 | db81f81239f54d5d89293dacc7a284d2 |
> | 2c9362c08a224154bdcaeee35d740ddc | admin            | 3f09f4a2e2e5476681f7726d1bd7a238 | db81f81239f54d5d89293dacc7a284d2 | <<<<<
> | b2419a321cae46ab9d11d2e126502271 | heat_stack_owner | 3f09f4a2e2e5476681f7726d1bd7a238 | db81f81239f54d5d89293dacc7a284d2 |
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> ubuntu@trusty1:~/devstack$ keystone user-role-list --user demo --tenant demo
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> | id                               | name             | user_id                          | tenant_id                        |
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> | 12ff05c09c5d4d1a8cf15d35f84f7a75 | Member           | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
> | 21fcd6d7847f44e6a3b9ad777a27f811 | anotherrole      | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
> | b2419a321cae46ab9d11d2e126502271 | heat_stack_owner | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
> +----------------------------------+------------------+----------------------------------+----------------------------------+
>
> There are 2 networks created, public (tenant = admin) and private (tenant =
> demo).
>
> ubuntu@trusty1:~/devstack$ keystone tenant-list
> +----------------------------------+--------------------+---------+
> | id                               | name               | enabled |
> +----------------------------------+--------------------+---------+
> | db81f81239f54d5d89293dacc7a284d2 | admin              | True    | <<<<<
> | 181003e05ad44b688925372d97b985c0 | demo               | True    | <<<<<
> | f170d762ab2c471d9a9f522116f8a178 | invisible_to_admin | True    |
> | d500c4a4ec3d459abfe665bfb886a881 | service            | True    |
> +----------------------------------+--------------------+---------+
>
> ubuntu@trusty1:~/devstack$ neutron net-list
> +--------------------------------------+---------+----------------------------------------------------+
> | id                                   | name    | subnets                                            |
> +--------------------------------------+---------+----------------------------------------------------+
> | 5e05170c-ae6c-4b60-8f59-8a6988705ff2 | public  | 3eb289a4-9686-4a94-a928-8d5ae23b1dd6 172.24.4.0/24 |
> | b18a4a3f-7167-4c61-87f5-b21f87118160 | private | 3f5b84c5-937e-44ae-b645-64758386a501 10.0.0.0/24   |
> +--------------------------------------+---------+----------------------------------------------------+
> ubuntu@trusty1:~/devstack$ neutron net-show public
> +---------------------------+--------------------------------------+
> | Field                     | Value                                |
> +---------------------------+--------------------------------------+
> | admin_state_up            | True                                 |
> | id                        | 5e05170c-ae6c-4b60-8f59-8a6988705ff2 |
> | name                      | public                               |
> | provider:network_type     | vlan                                 |
> | provider:physical_network | physnet1                             |
> | provider:segmentation_id  | 391                                  |
> | router:external           | True                                 |
> | shared                    | False                                |
> | status                    | ACTIVE                               |
> | subnets                   | 3eb289a4-9686-4a94-a928-8d5ae23b1dd6 |
> | tenant_id                 | db81f81239f54d5d89293dacc7a284d2     | <<<<<
> +---------------------------+--------------------------------------+
> ubuntu@trusty1:~/devstack$ neutron net-show private
> +---------------------------+--------------------------------------+
> | Field                     | Value                                |
> +---------------------------+--------------------------------------+
> | admin_state_up            | True                                 |
> | id                        | b18a4a3f-7167-4c61-87f5-b21f87118160 |
> | name                      | private                              |
> | provider:network_type     | vlan                                 |
> | provider:physical_network | physnet1                             |
> | provider:segmentation_id  | 390                                  |
> | router:external           | False                                |
> | shared                    | False                                |
> | status                    | ACTIVE                               |
> | subnets                   | 3f5b84c5-937e-44ae-b645-64758386a501 |
> | tenant_id                 | 181003e05ad44b688925372d97b985c0     | <<<<<
> +---------------------------+--------------------------------------+
>
> Notice both networks contain the provider info:
> provider:network_type
> provider:physical_network
> provider:segmentation_id
>
> However, if I change the credentials to demo, these provider info disappear.
>
> ubuntu@trusty1:~/devstack$ source openrc demo demo
> ubuntu@trusty1:~/devstack$ neutron net-list
> +--------------------------------------+---------+--------------------------------------------------+
> | id                                   | name    | subnets                                          |
> +--------------------------------------+---------+--------------------------------------------------+
> | 5e05170c-ae6c-4b60-8f59-8a6988705ff2 | public  | 3eb289a4-9686-4a94-a928-8d5ae23b1dd6             |
> | b18a4a3f-7167-4c61-87f5-b21f87118160 | private | 3f5b84c5-937e-44ae-b645-64758386a501 10.0.0.0/24 |
> +--------------------------------------+---------+--------------------------------------------------+
> ubuntu@trusty1:~/devstack$ neutron net-show public
> +-----------------+--------------------------------------+
> | Field           | Value                                |
> +-----------------+--------------------------------------+
> | admin_state_up  | True                                 |
> | id              | 5e05170c-ae6c-4b60-8f59-8a6988705ff2 |
> | name            | public                               |
> | router:external | True                                 |
> | shared          | False                                |
> | status          | ACTIVE                               |
> | subnets         | 3eb289a4-9686-4a94-a928-8d5ae23b1dd6 |
> | tenant_id       | db81f81239f54d5d89293dacc7a284d2     |
> +-----------------+--------------------------------------+
> ubuntu@trusty1:~/devstack$ neutron net-show private
> +-----------------+--------------------------------------+
> | Field           | Value                                |
> +-----------------+--------------------------------------+
> | admin_state_up  | True                                 |
> | id              | b18a4a3f-7167-4c61-87f5-b21f87118160 |
> | name            | private                              |
> | router:external | False                                |
> | shared          | False                                |
> | status          | ACTIVE                               |
> | subnets         | 3f5b84c5-937e-44ae-b645-64758386a501 |
> | tenant_id       | 181003e05ad44b688925372d97b985c0     |
> +-----------------+--------------------------------------+
>
> Why the provider info does not exist?
>
> Also, as user demo, I cannot create a network with the provider info
> specified, which is possible if it is user admin. Why?
>
> ubuntu@trusty1:~/devstack$ source openrc demo demo
> ubuntu@trusty1:~/devstack$ neutron net-create demo_network --provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id 399
> Forbidden (HTTP 403) (Request-ID: req-fd2453a8-f82b-410c-9085-e487a4a29694) <<<<<
> ubuntu@trusty1:~/devstack$ source openrc admin admin
> ubuntu@trusty1:~/devstack$ neutron net-create admin_network --provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id 399
> Created a new network:
> +---------------------------+--------------------------------------+
> | Field                     | Value                                |
> +---------------------------+--------------------------------------+
> | admin_state_up            | True                                 |
> | id                        | df176962-8c61-4621-ac3a-e978a56b1933 |
> | name                      | admin_network                        |
> | provider:network_type     | vlan                                 |
> | provider:physical_network | physnet1                             |
> | provider:segmentation_id  | 399                                  |
> | router:external           | False                                |
> | shared                    | False                                |
> | status                    | ACTIVE                               |
> | subnets                   |                                      |
> | tenant_id                 | db81f81239f54d5d89293dacc7a284d2     |
> +---------------------------+--------------------------------------+
> ubuntu@trusty1:~/devstack$ neutron net-show admin_network
> +---------------------------+--------------------------------------+
> | Field                     | Value                                |
> +---------------------------+--------------------------------------+
> | admin_state_up            | True                                 |
> | id                        | df176962-8c61-4621-ac3a-e978a56b1933 |
> | name                      | admin_network                        |
> | provider:network_type     | vlan                                 |
> | provider:physical_network | physnet1                             |
> | provider:segmentation_id  | 399                                  |
> | router:external           | False                                |
> | shared                    | False                                |
> | status                    | ACTIVE                               |
> | subnets                   |                                      |
> | tenant_id                 | db81f81239f54d5d89293dacc7a284d2     |
> +---------------------------+--------------------------------------+
>
> Is it true that to create a provider network, the user has to have the
> “admin” role?
>
> ###########
> Also, in Horizon dashboard, I logged in as user admin.
>
> From the Projects pulldown, select admin.
> At the left pane, Project->Network->Networks, only the “public” network is
> shown.
> Admin->System->Networks, both “public” and “private” networks are shown.
>
> From the Projects pulldown, select demo.
> At the left pane, Project->Network->Networks, only the “private” network is
> shown.
> Admin->System->Networks, both “public” and “private” networks are shown.
>
> Is this an expected behavior?
>
>
> Thanks,
> Danny
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : [email protected]
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
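
The admin and tenant views compared in the thread, as an added example (not code from the thread or from the Neutron project): a Python check that parses two-column `neutron net-show` tables, reports which attributes are hidden from the tenant, and flags any `provider:*` field a tenant can read. The function names are hypothetical and the sample tables are abridged from the output quoted above.

```python
# Added example. Sample tables abridged from the thread's net-show output
# for the "public" network (admin view first, then the demo tenant's view).
ADMIN_VIEW = """
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| name                      | public                               |
| provider:network_type     | vlan                                 |
| provider:physical_network | physnet1                             |
| provider:segmentation_id  | 391                                  |
| router:external           | True                                 |
| shared                    | False                                |
| tenant_id                 | db81f81239f54d5d89293dacc7a284d2     | <<<<<
+---------------------------+--------------------------------------+
"""
TENANT_VIEW = """
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| name            | public                               |
| router:external | True                                 |
| shared          | False                                |
| tenant_id       | db81f81239f54d5d89293dacc7a284d2     |
+-----------------+--------------------------------------+
"""

def parse_net_show(text):
    """Turn a two-column Field/Value CLI table into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # border rows and blank lines
        # Cut at the last pipe so trailing notes such as "<<<<<" are ignored.
        cells = [c.strip() for c in line[1:line.rfind("|")].split("|", 1)]
        if len(cells) == 2 and cells[0] and cells[0] != "Field":
            fields[cells[0]] = cells[1]
    return fields

def audit_views(admin_text, tenant_text):
    """Compare the admin and tenant views of one network."""
    admin, tenant = parse_net_show(admin_text), parse_net_show(tenant_text)
    return {
        # Attributes the tenant cannot read (expected: the provider:* set).
        "hidden": sorted(set(admin) - set(tenant)),
        # A provider:* field readable by a tenant contradicts the thread.
        "leaked": sorted(k for k in tenant if k.startswith("provider:")),
        # The tenant can see this network as an external network.
        "external_visible": tenant.get("router:external") == "True",
    }
```

Calling `audit_views(ADMIN_VIEW, TENANT_VIEW)` on output captured with both sets of credentials should give an empty `leaked` list.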
