Re: [openstack-dev] Interconnecting projects
I'll defer to Kevin, the spec author, but you should know that the implementation is not merged yet.

----- Original Message -----

Hi Assaf,

Now reading the rbac network specs carefully, I believe it does allow private networks to be shared to other tenants by non-admin users. So the command neutron rbac create net-uuid|net-name --type network --tenant-id tenant-uuid --action access_as_shared - can this be only used by an admin? From the specs, it did not seem so. Also is the action access_as_external available now?

On Tue, Jun 2, 2015 at 9:14 PM, Assaf Muller amul...@redhat.com wrote:

Check out: http://specs.openstack.org/openstack/neutron-specs/specs/liberty/rbac-networks.html

If I understand correctly, what Anik is probably asking for is a way to connect two OpenStack projects together from a network point of view, where a private network in Project1 can be connected to a Router in Project2. AFAIK, I don't think we are planning to expose such a model in RBAC where a tenant (non-admin) has a way to control who can see/connect-to his/her resources. @Anik, please correct me if I am wrong.

Kevin is trying to solve exactly this problem. We're really hoping to land it in time for Liberty.

----- Original Message -----

Hi,

Trying to understand if somebody has come across the following scenario: I have two projects: Project 1 and Project 2. I have a neutron private network in Project 1, and I want to connect that private network to a neutron port in Project 2. This does not seem to be possible without using admin credentials. I am not talking about a shared provider network here. It seems that the problem lies in the fact that there is no data model today that lets one Project have knowledge about any other Project inside the same OpenStack region. Any pointers there will be helpful.
Regards, Anik

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Interconnecting projects
Hi, creating rbac entries by non-admins will be controlled by policy.json. So you can enable it or disable it there.

> Also is the action access_as_external available now?

Not yet. The code is still under review.

On Thu, Jun 25, 2015 at 10:15 AM, Assaf Muller amul...@redhat.com wrote:

I'll defer to Kevin, the spec author, but you should know that the implementation is not merged yet.

----- Original Message -----

Hi Assaf,

Now reading the rbac network specs carefully, I believe it does allow private networks to be shared to other tenants by non-admin users. So the command neutron rbac create net-uuid|net-name --type network --tenant-id tenant-uuid --action access_as_shared - can this be only used by an admin? From the specs, it did not seem so. Also is the action access_as_external available now?

On Tue, Jun 2, 2015 at 9:14 PM, Assaf Muller amul...@redhat.com wrote:

Check out: http://specs.openstack.org/openstack/neutron-specs/specs/liberty/rbac-networks.html

If I understand correctly, what Anik is probably asking for is a way to connect two OpenStack projects together from a network point of view, where a private network in Project1 can be connected to a Router in Project2. AFAIK, I don't think we are planning to expose such a model in RBAC where a tenant (non-admin) has a way to control who can see/connect-to his/her resources. @Anik, please correct me if I am wrong.

Kevin is trying to solve exactly this problem. We're really hoping to land it in time for Liberty.

----- Original Message -----

Hi,

Trying to understand if somebody has come across the following scenario: I have two projects: Project 1 and Project 2. I have a neutron private network in Project 1, and I want to connect that private network to a neutron port in Project 2. This does not seem to be possible without using admin credentials. I am not talking about a shared provider network here.
It seems that the problem lies in the fact that there is no data model today that lets one Project have knowledge about any other Project inside the same OpenStack region. Any pointers there will be helpful.

Regards, Anik
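
An added illustration of the reply above (not code from Neutron or from the spec): a toy in-memory model in which a boolean stands in for the policy.json setting that decides whether non-admins may create rbac entries. The class and function names, the ownership check and the sample project and network ids are assumptions made for this example.

```python
# Toy model of tenant-created RBAC entries; added example, not Neutron code.
from dataclasses import dataclass

class Forbidden(Exception):
    """Policy gate or ownership check rejected the request."""

@dataclass(frozen=True)
class RbacEntry:
    object_id: str      # network UUID (net-uuid in the thread's command)
    object_type: str    # "network" (--type)
    target_tenant: str  # tenant being granted access (--tenant-id)
    action: str         # "access_as_shared" (--action)

class ToyRbac:
    def __init__(self, non_admin_create_allowed):
        # Hypothetical switch standing in for the policy.json setting.
        self.non_admin_create_allowed = non_admin_create_allowed
        self.owner_of = {}    # network id -> owning tenant
        self.entries = set()

    def create_entry(self, caller, is_admin, net_id, target_tenant):
        if not is_admin:
            if not self.non_admin_create_allowed:
                raise Forbidden("policy limits rbac entry creation to admins")
            # Assumption: a non-admin may only share a network it owns.
            if self.owner_of.get(net_id) != caller:
                raise Forbidden("caller does not own this network")
        entry = RbacEntry(net_id, "network", target_tenant, "access_as_shared")
        self.entries.add(entry)
        return entry

    def can_use_network(self, tenant, net_id):
        # Owners always reach their own network; others need a matching entry.
        if self.owner_of.get(net_id) == tenant:
            return True
        wanted = RbacEntry(net_id, "network", tenant, "access_as_shared")
        return wanted in self.entries

def attempt(rbac, caller, net_id, target):
    """Return 'created' or the refusal reason for a non-admin request."""
    try:
        rbac.create_entry(caller, False, net_id, target)
        return "created"
    except Forbidden as exc:
        return str(exc)

def demo():
    # Constructed data: project-1 owns net-1, project-2 wants a port on it.
    results = {}
    for allowed in (False, True):
        rbac = ToyRbac(non_admin_create_allowed=allowed)
        rbac.owner_of["net-1"] = "project-1"
        by_other = attempt(rbac, "project-2", "net-1", "project-2")
        by_owner = attempt(rbac, "project-1", "net-1", "project-2")
        results[allowed] = (by_other, by_owner,
                            rbac.can_use_network("project-2", "net-1"),
                            rbac.can_use_network("project-3", "net-1"))
    return results

if __name__ == "__main__":
    for allowed, outcome in demo().items():
        print(allowed, outcome)
```

With the switch off, both non-admin requests are refused and only an admin can grant project-2 access; with it on, the owner's request succeeds while the request from the tenant that does not own the network is still refused.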
Re: [openstack-dev] Interconnecting projects
Hi Assaf,

Now reading the rbac network specs carefully, I believe it does allow private networks to be shared to other tenants by non-admin users. So the command neutron rbac create net-uuid|net-name --type network --tenant-id tenant-uuid --action access_as_shared - can this be only used by an admin? From the specs, it did not seem so. Also is the action access_as_external available now?

On Tue, Jun 2, 2015 at 9:14 PM, Assaf Muller amul...@redhat.com wrote:

Check out: http://specs.openstack.org/openstack/neutron-specs/specs/liberty/rbac-networks.html

If I understand correctly, what Anik is probably asking for is a way to connect two OpenStack projects together from a network point of view, where a private network in Project1 can be connected to a Router in Project2. AFAIK, I don't think we are planning to expose such a model in RBAC where a tenant (non-admin) has a way to control who can see/connect-to his/her resources. @Anik, please correct me if I am wrong.

Kevin is trying to solve exactly this problem. We're really hoping to land it in time for Liberty.

----- Original Message -----

Hi,

Trying to understand if somebody has come across the following scenario: I have two projects: Project 1 and Project 2. I have a neutron private network in Project 1, and I want to connect that private network to a neutron port in Project 2. This does not seem to be possible without using admin credentials. I am not talking about a shared provider network here. It seems that the problem lies in the fact that there is no data model today that lets one Project have knowledge about any other Project inside the same OpenStack region. Any pointers there will be helpful.
Regards, Anik
[openstack-dev] Interconnecting projects
Hi,

Trying to understand if somebody has come across the following scenario: I have two projects: Project 1 and Project 2. I have a neutron private network in Project 1, and I want to connect that private network to a neutron port in Project 2. This does not seem to be possible without using admin credentials. I am not talking about a shared provider network here. It seems that the problem lies in the fact that there is no data model today that lets one Project have knowledge about any other Project inside the same OpenStack region. Any pointers there will be helpful.

Regards, Anik 201-245-1569
Re: [openstack-dev] Interconnecting projects
Check out: http://specs.openstack.org/openstack/neutron-specs/specs/liberty/rbac-networks.html

Kevin is trying to solve exactly this problem. We're really hoping to land it in time for Liberty.

----- Original Message -----

Hi,

Trying to understand if somebody has come across the following scenario: I have two projects: Project 1 and Project 2. I have a neutron private network in Project 1, and I want to connect that private network to a neutron port in Project 2. This does not seem to be possible without using admin credentials. I am not talking about a shared provider network here. It seems that the problem lies in the fact that there is no data model today that lets one Project have knowledge about any other Project inside the same OpenStack region. Any pointers there will be helpful.

Regards, Anik 201-245-1569
Re: [openstack-dev] Interconnecting projects
On Tue, Jun 2, 2015 at 9:14 PM, Assaf Muller amul...@redhat.com wrote:

Check out: http://specs.openstack.org/openstack/neutron-specs/specs/liberty/rbac-networks.html

If I understand correctly, what Anik is probably asking for is a way to connect two OpenStack projects together from a network point of view, where a private network in Project1 can be connected to a Router in Project2. AFAIK, I don't think we are planning to expose such a model in RBAC where a tenant (non-admin) has a way to control who can see/connect-to his/her resources. @Anik, please correct me if I am wrong.

Kevin is trying to solve exactly this problem. We're really hoping to land it in time for Liberty.

----- Original Message -----

Hi,

Trying to understand if somebody has come across the following scenario: I have two projects: Project 1 and Project 2. I have a neutron private network in Project 1, and I want to connect that private network to a neutron port in Project 2. This does not seem to be possible without using admin credentials. I am not talking about a shared provider network here. It seems that the problem lies in the fact that there is no data model today that lets one Project have knowledge about any other Project inside the same OpenStack region. Any pointers there will be helpful.

Regards, Anik 201-245-1569
Re: [openstack-dev] Interconnecting projects
Great! A correction here: RBAC proposal does address some of the use cases on interconnecting tenants.

Fawad Khaliq

On Tue, Jun 2, 2015 at 9:41 PM, Anik anik...@yahoo.com wrote:

That's exactly what I was asking for. Thanks Fawad.

Regards, Anik 201-245-1569

--
*From:* Fawad Khaliq fa...@plumgrid.com
*To:* OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org
*Cc:* Anik anik...@yahoo.com
*Sent:* Tuesday, June 2, 2015 9:29 AM
*Subject:* Re: [openstack-dev] Interconnecting projects

On Tue, Jun 2, 2015 at 9:14 PM, Assaf Muller amul...@redhat.com wrote:

Check out: http://specs.openstack.org/openstack/neutron-specs/specs/liberty/rbac-networks.html

If I understand correctly, what Anik is probably asking for is a way to connect two OpenStack projects together from a network point of view, where a private network in Project1 can be connected to a Router in Project2. AFAIK, I don't think we are planning to expose such a model in RBAC where a tenant (non-admin) has a way to control who can see/connect-to his/her resources. @Anik, please correct me if I am wrong.

Kevin is trying to solve exactly this problem. We're really hoping to land it in time for Liberty.

----- Original Message -----

Hi,

Trying to understand if somebody has come across the following scenario: I have two projects: Project 1 and Project 2. I have a neutron private network in Project 1, and I want to connect that private network to a neutron port in Project 2. This does not seem to be possible without using admin credentials. I am not talking about a shared provider network here. It seems that the problem lies in the fact that there is no data model today that lets one Project have knowledge about any other Project inside the same OpenStack region. Any pointers there will be helpful.
Regards, Anik 201-245-1569
Re: [openstack-dev] Interconnecting projects
I suspect a BaaS (Bridge-as-a-service) proposal is lurking in this thread. While the idea of yet-another-aas is probably not desirable at this time, it might be worth trying to understand - from an exclusively logical perspective (ie: the API consumer point of view) - what would be the difference between having a single logical network shared across a number of tenants, and a group of distinct networks interconnected by bridge ports.

I've tried in the past to look at unique use cases for a network bridge feature; it might seem important to enforce that all the traffic between two networks goes through a predefined channel where security and traffic shaping policies might be applied. On the other hand, I believe the same result can be achieved - in the logical model - with features such as security groups. This unless the Neutron API consumer explicitly wants to describe a topology where all the traffic is forced to flow through a specific logical appliance, but then we'll descend in the NFV/SFC/etc area.

Another thing to keep in mind is that routers can be used to this aim, but - as Anik correctly noted - this is an admin-only feature at the moment. Allowing router owners to interconnect other tenants' networks, leveraging concepts such as keystone groups, is something that should be a natural evolution of the RBAC work. Still, this will leave us with a L3 interconnection, and not a direct L2 network-network connection.

Salvatore

On 2 June 2015 at 18:58, Fawad Khaliq fa...@plumgrid.com wrote:

Great! A correction here: RBAC proposal does address some of the use cases on interconnecting tenants.

Fawad Khaliq

On Tue, Jun 2, 2015 at 9:41 PM, Anik anik...@yahoo.com wrote:

That's exactly what I was asking for. Thanks Fawad.
Regards, Anik 201-245-1569

--
*From:* Fawad Khaliq fa...@plumgrid.com
*To:* OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org
*Cc:* Anik anik...@yahoo.com
*Sent:* Tuesday, June 2, 2015 9:29 AM
*Subject:* Re: [openstack-dev] Interconnecting projects

On Tue, Jun 2, 2015 at 9:14 PM, Assaf Muller amul...@redhat.com wrote:

Check out: http://specs.openstack.org/openstack/neutron-specs/specs/liberty/rbac-networks.html

If I understand correctly, what Anik is probably asking for is a way to connect two OpenStack projects together from a network point of view, where a private network in Project1 can be connected to a Router in Project2. AFAIK, I don't think we are planning to expose such a model in RBAC where a tenant (non-admin) has a way to control who can see/connect-to his/her resources. @Anik, please correct me if I am wrong.

Kevin is trying to solve exactly this problem. We're really hoping to land it in time for Liberty.

----- Original Message -----

Hi,

Trying to understand if somebody has come across the following scenario: I have two projects: Project 1 and Project 2. I have a neutron private network in Project 1, and I want to connect that private network to a neutron port in Project 2. This does not seem to be possible without using admin credentials. I am not talking about a shared provider network here. It seems that the problem lies in the fact that there is no data model today that lets one Project have knowledge about any other Project inside the same OpenStack region. Any pointers there will be helpful.
Regards, Anik 201-245-1569