The Role-Based Access Control (RBAC) policy framework enables both operators and users to grant access to resources for specific projects.
Currently, the access that can be granted using this feature is supported by:
Sharing an object with a specific project is accomplished by creating
a policy entry that permits the target project the access_as_shared
action on that object.
Create a network to share:
$ neutron net-create secret_network
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 6532a265-43fb-4c8c-8edb-e26b39f2277c |
| mtu | 1450 |
| name | secret_network |
| port_security_enabled | True |
| provider:network_type | vxlan |
| provider:physical_network | |
| provider:segmentation_id | 1031 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | de56db175c1d48b0bbe72f09a24a3b66 |
+---------------------------+--------------------------------------+
Create the policy entry using the neutron rbac-create command (in
this example, the ID of the project we want to share with is
e28769db97d9449da658bc6931fcb683
):
$ neutron rbac-create --target-tenant e28769db97d9449da658bc6931fcb683 \
--action access_as_shared --type network 6532a265-43fb-4c8c-8edb-e26b39f2277c
Created a new rbac_policy:
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_shared |
| id | 1edebaf8-3fa5-47b9-b3dd-ccce2bd44411 |
| object_id | 6532a265-43fb-4c8c-8edb-e26b39f2277c |
| object_type | network |
| target_tenant | e28769db97d9449da658bc6931fcb683 |
| tenant_id | de56db175c1d48b0bbe72f09a24a3b66 |
+---------------+--------------------------------------+
The target-tenant
parameter specifies the project that requires
access to the network. The action
parameter specifies what
the project is allowed to do. The type
parameter says
that the target object is a network. The final parameter is the ID of
the network we are granting access to.
Project e28769db97d9449da658bc6931fcb683
will now be able to see
the network when running neutron net-list and neutron net-show
and will also be able to create ports on that network. No other users
(other than admins and the owner) will be able to see the network.
To remove access for that project, delete the policy that allows it using the neutron rbac-delete command:
$ neutron rbac-delete 1edebaf8-3fa5-47b9-b3dd-ccce2bd44411
Deleted rbac_policy: 1edebaf8-3fa5-47b9-b3dd-ccce2bd44411
If that project has ports on the network, the server will prevent the policy from being deleted until the ports have been deleted:
$ neutron rbac-delete 1edebaf8-3fa5-47b9-b3dd-ccce2bd44411
RBAC policy on object 6532a265-43fb-4c8c-8edb-e26b39f2277c
cannot be removed because other objects depend on it.
This process can be repeated any number of times to share a network with an arbitrary number of projects.
Create a QoS policy to share:
$ neutron qos-policy-create secret_policy
Created a new policy:
+-------------+--------------------------------------+
| Field | Value |
+-------------+--------------------------------------+
| description | |
| id | e45e6917-3f3f-4835-ad54-d12c9151541d |
| name | secret_policy |
| rules | |
| shared | False |
| tenant_id | 5b32b072f8354942ab13b6decb1294b3 |
+-------------+--------------------------------------+
Create the RBAC policy entry using the neutron rbac-create command
(in this example, the ID of the project we want to share with is
a6bf6cfbcd1f4e32a57d2138b6bd41d1
):
$ neutron rbac-create --target-tenant a6bf6cfbcd1f4e32a57d2138b6bd41d1 \
--action access_as_shared --type qos-policy e45e6917-3f3f-4835-ad54-d12c9151541d
Created a new rbac_policy:
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_shared |
| id | ec2e3db1-de5b-4043-9d95-156f582653d0 |
| object_id | e45e6917-3f3f-4835-ad54-d12c9151541d |
| object_type | qos_policy |
| target_tenant | a6bf6cfbcd1f4e32a57d2138b6bd41d1 |
| tenant_id | 5b32b072f8354942ab13b6decb1294b3 |
+---------------+--------------------------------------+
The target-tenant
parameter specifies the project that requires
access to the QoS policy. The action
parameter specifies what
the project is allowed to do. The type
parameter says
that the target object is a QoS policy. The final parameter is the ID of
the QoS policy we are granting access to.
Project a6bf6cfbcd1f4e32a57d2138b6bd41d1
will now be able to see
the QoS policy when running neutron qos-policy-list and
neutron qos-policy-show and will also be able to bind it to
its ports or networks. No other users (other than admins and the owner)
will be able to see the QoS policy.
To remove access for that project, delete the RBAC policy that allows it using the neutron rbac-delete command:
$ neutron rbac-delete e45e6917-3f3f-4835-ad54-d12c9151541d
Deleted rbac_policy: e45e6917-3f3f-4835-ad54-d12c9151541d
If that project has ports or networks with the QoS policy applied to them, the server will not delete the RBAC policy until the QoS policy is no longer in use:
$ neutron rbac-delete e45e6917-3f3f-4835-ad54-d12c9151541d
RBAC policy on object e45e6917-3f3f-4835-ad54-d12c9151541d
cannot be removed because other objects depend on it.
This process can be repeated any number of times to share a qos-policy with an arbitrary number of projects.
To make a network available as an external network for specific projects
rather than all projects, use the access_as_external
action.
Create a network that you want to be available as an external network:
$ neutron net-create secret_external_network
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2016-04-30T06:51:46 |
| description | |
| id | f9e39715-f7da-4bca-a74d-fc3675321661 |
| ipv4_address_scope | |
| ipv6_address_scope | |
| mtu | 1450 |
| name | secret_external_network |
| port_security_enabled | True |
| provider:network_type | vxlan |
| provider:physical_network | |
| provider:segmentation_id | 1073 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| tenant_id | dfe49b63660e494fbdbf6ad2ca2a810f |
| updated_at | 2016-04-30T06:51:46 |
+---------------------------+--------------------------------------+
Create a policy entry using the neutron rbac-create command (in
this example, the ID of the project we want to share with is
e28769db97d9449da658bc6931fcb683
):
$ neutron rbac-create --target-tenant e28769db97d9449da658bc6931fcb683 \
--action access_as_external --type network f9e39715-f7da-4bca-a74d-fc3675321661
Created a new rbac_policy:
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_external |
| id | c26b3b05-5781-48a1-a36a-fb63072b5e56 |
| object_id | f9e39715-f7da-4bca-a74d-fc3675321661 |
| object_type | network |
| target_tenant | e28769db97d9449da658bc6931fcb683 |
| tenant_id | dfe49b63660e494fbdbf6ad2ca2a810f |
+---------------+--------------------------------------+
The target-tenant
parameter specifies the project that requires
access to the network. The action
parameter specifies what
the project is allowed to do. The type
parameter indicates
that the target object is a network. The final parameter is the ID of
the network we are granting external access to.
Now project e28769db97d9449da658bc6931fcb683
is able to see
the network when running neutron net-list
and neutron net-show and can attach router gateway
ports to that network. No other users (other than admins
and the owner) are able to see the network.
To remove access for that project, delete the policy that allows it using the neutron rbac-delete command:
$ neutron rbac-delete c26b3b05-5781-48a1-a36a-fb63072b5e56
Deleted rbac_policy: c26b3b05-5781-48a1-a36a-fb63072b5e56
If that project has router gateway ports attached to that network, the server prevents the policy from being deleted until the ports have been deleted:
$ neutron rbac-delete c26b3b05-5781-48a1-a36a-fb63072b5e56
RBAC policy on object f9e39715-f7da-4bca-a74d-fc3675321661
cannot be removed because other objects depend on it.
This process can be repeated any number of times to make a network available as external to an arbitrary number of projects.
If a network is marked as external during creation, it now implicitly creates a wildcard RBAC policy granting everyone access to preserve previous behavior before this feature was added.
$ neutron net-create global_external_network --router:external
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2016-04-30T07:00:57 |
| description | |
| id | cb78991c-cdde-445b-a8ca-d819b9266756 |
| ipv4_address_scope | |
| ipv6_address_scope | |
| is_default | False |
| mtu | 1450 |
| name | global_external_network |
| port_security_enabled | True |
| provider:network_type | vxlan |
| provider:physical_network | |
| provider:segmentation_id | 1007 |
| router:external | True |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| tenant_id | dfe49b63660e494fbdbf6ad2ca2a810f |
| updated_at | 2016-04-30T07:00:57 |
+---------------------------+--------------------------------------+
In the output above the standard router:external
attribute is
True
as expected. Now a wildcard policy is visible in the
RBAC policy listings:
$ neutron rbac-list --object_id=cb78991c-cdde-445b-a8ca-d819b9266756 \
-c id -c target_tenant
+--------------------------------------+---------------+
| id | target_tenant |
+--------------------------------------+---------------+
| 2b72fe2e-20cf-4856-af12-3ac0733604d8 | * |
+--------------------------------------+---------------+
You can modify or delete this policy with the same constraints
as any other RBAC access_as_external
policy.
The default policy.json
file will not allow regular
users to share objects with every other project using a wildcard;
however, it will allow them to share objects with specific project
IDs.
If an operator wants to prevent normal users from doing this, the
"create_rbac_policy":
entry in policy.json
can be adjusted
from ""
to "rule:admin_only"
.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.