Re: [openstack-dev] [Openstack-operators] [keystone] RBAC usage at production

2015-12-29 Thread Oğuz Yarımtepe
Using a middleware is what we are doing also. Can you give more details
about your structure? Our middleware is like the Rackspace OpenRepose. What
do you use for role definitions? Are you using any backend for Keystone
like LDAP?

Regards.



On Thu, Dec 10, 2015 at 9:55 PM, Jesse Keating <j...@bluebox.net> wrote:

> We use RBAC, however we've done it based on roles and some middleware. The
> policy files are essentially static.
>
>
> - jlk
>
> On Wed, Dec 9, 2015 at 12:39 AM, Oguz Yarimtepe <oguzyarimt...@gmail.com>
> wrote:
>
>> Hi,
>>
>> I am wondering whether there are people using RBAC at production. The
>> policy.json file has a structure that requires restart of the service each
>> time you edit the file. Is there an on-the-fly solution or tips about it?
>>
>>
>>
>> ___
>> OpenStack-operators mailing list
>> openstack-operat...@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>
>


-- 
Oğuz Yarımtepe
http://about.me/oguzy
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

2015-11-23 Thread Oğuz Yarımtepe
I am checking the vyatta driver now and they replaced l3 agent with their
own agent and also using a vrouter image for router creation. Our appliance
is not virtual :)
So for the linkage between services, can service chaining help me?

On Mon, Nov 23, 2015 at 8:25 AM, Germy Lure <germy.l...@gmail.com> wrote:

> Hi,
> Under current FWaaS architecture or framework, only integrating hardware
> firewall is not easy. That requires neutron support service level multiple
> vendors. In other words, vendors must fit each other for their services
> while currently vendors just provide all services through controller.
>
> I think the root cause is Neutron just doesn't know how the network
> devices connect to each other.  Neutron provides FW, LB, VPN and other
> advanced network functionalities as services. But as the implementation
> layer, Neutron needs TOPO info to make right decision, routing traffic to
> the right device. For example, from namespace router to hardware firewall,
> Neutron should add some internal routes even extra L3 interfaces according
> to the connection relationship between them. If the firewall service is
> integrated with router, like Vyatta, it's simple. The only thing you need
> to do is just enable the firewall itself.
>
> All in all, it requires linkage between services, especially between
> advanced services and L3 router.
>
> Germy
> .
>
> On Fri, Nov 20, 2015 at 9:19 PM, Somanchi Trinath <
> trinath.soman...@freescale.com> wrote:
>
>> Hi-
>>
>>
>>
>> As I understand you are not sure on “How to locate the Hardware
>> Appliance” which you have as your FW?
>>
>>
>>
>> Am I right?  If so you can look into,
>> https://github.com/jumpojoy/generic_switch kind of approach.
>>
>>
>>
>> -
>>
>> Trinath
>>
>>
>>
>>
>>
>>
>>
>> *From:* Oguz Yarimtepe [mailto:oguzyarimt...@gmail.com]
>> *Sent:* Friday, November 20, 2015 5:52 PM
>> *To:* OpenStack Development Mailing List (not for usage questions) <
>> openstack-dev@lists.openstack.org>
>> *Subject:* Re: [openstack-dev] [neutron][fwaas]some architectural advice
>> on fwaas driver writing
>>
>>
>>
>> I created a sample driver by looking at vArmour driver that is at the
>> Github FWaaS repo. I am planning to call the FW's REST API from the
>> suitable functions.
>>
>> The problem is, I am still not sure how to locate the hardware appliance.
>> One of the FWaaS guys says that Service Chaining can help. Does anybody have
>> an idea or know how to insert the fw to OpenStack?
>>
>> On 11/02/2015 02:36 PM, Somanchi Trinath wrote:
>>
>> Hi-
>>
>>
>>
>> I’m confused. Do you really have a PoC implementation of what is to be
>> achieved?
>>
>>
>>
>> As I look into these types of implementations, I would prefer to have
>> proxy driver/plugin to get the configuration from Openstack to external
>> controller/device and do the rest of the magic.
>>
>>
>>
>> -
>>
>> Trinath
>>
>>
>>


-- 
Oğuz Yarımtepe
http://about.me/oguzy


Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

2015-11-02 Thread Oğuz Yarımtepe
Hi,

On Mon, Nov 2, 2015 at 11:25 AM, Somanchi Trinath <
trinath.soman...@freescale.com> wrote:

> Hi –
>
>
>
> Based on this “Assuming that, it will not be routing traffic, just
> filtering, and that we will be using virtual routers of Openstack”
>
>
>
> As I understand from the email, you might be comfortable to configure the
> HW-FW using the ReST API. So you can write a proxy driver and connect the
> HW-FW in the setup (which you have tested to make it ready to use). The
> proxy driver written helps to Configure the HW-FW and the HW-FW filters the
> traffic.
>
>
>
> Having said that, I assume that the HW-FW has some intelligence to process
> the requests from proxy driver and update the FW configuration.
>
>
>

To be sure, calling the REST API at
https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py#L62
for example to create a firewall is what you are talking about. Instead of
iptables, a new driver will be written to handle CRUD operations.

To distinguish the tenant networks, I will be using vlan or vxlan ids while
entering firewall rules, I think.



> *HW-FW – Hardware Firewall.
>
>
>
> Hope this helps.
>
>
>
> -
>
> Trinath
>
>
>


Did I understand you right, about the proxy driver?
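
The proxy driver discussed in this message, sketched as an added example that is not part of the original e-mail or of neutron-fwaas. The REST paths, JSON field names, the `send` callable and the tenant-to-segment map are hypothetical; the firewall dict keys and method arguments are assumed to match what the linked iptables driver receives.

```python
ACTIONS = {"allow": "permit", "deny": "drop"}  # FWaaS action -> hypothetical appliance verb
ANY = {"proto": "any", "src": "any", "dst": "any", "dport": "any"}

class ProxyFirewallDriver:
    """Turns FWaaS CRUD calls into REST requests (paths and fields are hypothetical)."""
    def __init__(self, send, segments):
        self.send = send          # callable(method, path, body), e.g. an HTTPS client
        self.segments = segments  # tenant_id -> VLAN/VXLAN id, operator supplied

    def _rules(self, fw):
        # Fail closed: without a segment the rules would match other tenants' traffic.
        if fw["tenant_id"] not in self.segments:
            raise ValueError("no segment mapped for tenant " + fw["tenant_id"])
        seg = self.segments[fw["tenant_id"]]
        # admin_state_up False blocks everything: only the final drop is pushed.
        wanted = fw["firewall_rule_list"] if fw["admin_state_up"] else []
        out = [{"segment": seg,
                "verb": ACTIONS[r["action"]],  # unknown action raises KeyError
                "proto": r.get("protocol") or "any",
                "src": r.get("source_ip_address") or "any",
                "dst": r.get("destination_ip_address") or "any",
                "dport": r.get("destination_port") or "any"}
               for r in wanted if r.get("enabled", True)]
        return out + [dict(ANY, segment=seg, verb="drop")]  # default deny last

    # Names and arguments mirror the iptables driver; apply_list (the routers)
    # is unused here because the appliance is not one of the Neutron routers.
    def create_firewall(self, agent_mode, apply_list, firewall):
        path = "/firewalls/" + firewall["id"]
        return self.send("POST", path, {"rules": self._rules(firewall)})

    def update_firewall(self, agent_mode, apply_list, firewall):
        path = "/firewalls/" + firewall["id"]
        return self.send("PUT", path, {"rules": self._rules(firewall)})

    def delete_firewall(self, agent_mode, apply_list, firewall):
        return self.send("DELETE", "/firewalls/" + firewall["id"], None)

def demo():
    """Run create_firewall against a recording stub with a constructed firewall dict."""
    calls = []
    drv = ProxyFirewallDriver(lambda m, p, b: calls.append((m, p, b)), {"t1": 101})
    fw = {"id": "fw-1", "tenant_id": "t1", "admin_state_up": True,
          "firewall_rule_list": [
              {"enabled": True, "action": "allow", "protocol": "tcp",
               "destination_port": "443"},
              {"enabled": False, "action": "allow", "protocol": "udp"}]}
    drv.create_firewall("ignored", [], fw)
    return calls
```

Every rule carries the tenant's segment id, and a tenant without a mapping raises before anything is sent, so rules are never pushed unscoped.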


Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

2015-11-02 Thread Oğuz Yarımtepe
On Mon, Nov 2, 2015 at 1:36 PM, Somanchi Trinath <
trinath.soman...@freescale.com> wrote:

> Hi-
>
>
>

Hi,


> I’m confused. Do you really have a PoC implementation of what is to be
> achieved?
>
>

No indeed. I am using iptables driver to understand the FWaaS structure and
trying to replace it with our hw fw. Now my plan is to just create a fw
with some rules defined on it.


>
>
> As I look into these types of implementations, I would prefer to have proxy
> driver/plugin to get the configuration from Openstack to external
> controller/device and do the rest of the magic.
>

Now I am a bit confused about that proxy driver. Are we talking about
something like
https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py
or another external app to handle the issues? Can you make this proxy part
a bit clearer?


[openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

2015-11-01 Thread Oğuz Yarımtepe
Hi,

After talking with FWaaS developers at the summit (German and Sridar), I
decided to write here also, maybe someone has an idea. I am trying to
integrate a hardware firewall to our Openstack environment. It is a custom
hardware running BSD on it and has a REST API for configuring. I talked
with Sridar, he gave me the brief understanding of how FWaaS driver is
working.

Either I will be hacking the community driver and calling the REST API or
writing the driver and calling the REST API there. The problem is, we
couldn't figure out how the hardware firewall will be working. Assuming
that, it will not be routing traffic, just filtering, and that we will be
using virtual routers of Openstack, do you have a reference architecture
for such a case? It seems everyone has their own way of using firewall
appliances in OpenStack. All I need is to create a firewall but instead of
using iptables, I want to use the hardware firewall and be able to define
filtering rules.

FWaaS guys said that there will be API changes in the future so at Mitaka,
it seems the way of FWaaS will be changing and there are some plans about
merging FWaaS and security groups.

I am now using Kilo; the solution will also be working at Liberty.
It will be great if you give some guidance.
Regards.

-- 
Oğuz Yarımtepe
http://about.me/oguzy


[openstack-dev] [neutron][fwaas] openstack summit meetup

2015-10-20 Thread Oğuz Yarımtepe
Hi,

Will there be a meetup or design session for FWaaS? I just saw the roadmap
presentation at the main conf.

-- 
Oğuz Yarımtepe
http://about.me/oguzy


Re: [openstack-dev] [Monasca] Monasca Meeting @ Tokyo Summit

2015-10-14 Thread Oğuz Yarımtepe
Hi,

On Wed, Oct 14, 2015 at 7:36 AM, Fabio Giannetti (fgiannet) <
fgian...@cisco.com> wrote:

> Guys,
> I have a Cisco room S3 to hold a Monasca meeting over the Tokyo Summit.
> The time slot is Thursday 4:30pm to 6pm.
> Please mark your calendar and see you there.
> Fabio
>
>
Will this meeting be open to everyone? We are using Monasca at our test
environment and planning to use it at our production also, and would like to
hear the future plans and development process of it.


[openstack-dev] [neutron][fwaas] fwaas driver development steps

2015-10-13 Thread Oğuz Yarımtepe
Hi,

I need to write a driver for our firewall hardware to integrate it to our
Openstack environment. I checked the Neutron Development wiki page, FWaaS
wiki page, fwaas driver codes written at the Github. Since there is no
clear documentation about how to write a firewall driver for Neutron I need
some guidance. The firewall driver will have a REST API that can be used to
configure it so what I need now is how I will debug and develop neutron
while writing the driver. What is the suggested way? Which functions should
be implemented? I had seen the abstract functions like create_firewall,
update_firewall; the question is what is the context of the parameters
coming there. So either I should debug one of them step by step like the
iptables driver or some clear definition I should have.

What is the right way to do it?



-- 
Oğuz Yarımtepe
http://about.me/oguzy