This topic explains how to achieve more granular access control for your Neutron networks.
Previously in HPE Helion OpenStack, a network object was either private to a project or could be used by all projects. If the network's shared attribute was True, then the network could be used by every project in the cloud. If false, only the members of the owning project could use it. There was no way for the network to be shared by only a subset of the projects.
Neutron Role Based Access Control (RBAC) solves this problem for networks. The network owner can now create RBAC policies that give network access to target projects. Members of a targeted project can use the network named in the RBAC policy the same way as if the network were owned by the project. Constraints are described in Section 5.10, “Limitations”.
With RBAC you are able to let another tenant use a network that you created, but as the owner of the network, you need to create the subnet and the router for the network.
To use RBAC, Neutron configuration files do not need to be changed.
ardana > openstack network create demo-net
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2018-07-25T17:43:59Z |
| description | |
| dns_domain | |
| id | 9c801954-ec7f-4a65-82f8-e313120aabc4 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | demo-net |
| port_security_enabled | False |
| project_id | cb67c79e25a84e328326d186bf703e1b |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 1009 |
| qos_policy_id | None |
| revision_number | 2 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2018-07-25T17:43:59Z |
+---------------------------+--------------------------------------+
Here we create an RBAC policy through which a member of the project 'demo' shares the network with members of the project 'demo2'.
To create the RBAC policy, run:
ardana > openstack network rbac create --target-project DEMO2-PROJECT-ID --type network --action access_as_shared demo-net
Here is an example where DEMO2-PROJECT-ID is 5a582af8b44b422fafcd4545bd2b7eb5:
ardana > openstack network rbac create --target-tenant 5a582af8b44b422fafcd4545bd2b7eb5 \
--type network --action access_as_shared demo-net
To list all the RBAC rules/policies, execute:
ardana > openstack network rbac list
+--------------------------------------+-------------+--------------------------------------+
| ID | Object Type | Object ID |
+--------------------------------------+-------------+--------------------------------------+
| 0fdec7f0-9b94-42b4-a4cd-b291d04282c1 | network | 7cd94877-4276-488d-b682-7328fc85d721 |
+--------------------------------------+-------------+--------------------------------------+
To see the attributes of a specific RBAC policy, run:
ardana > openstack network rbac show POLICY-ID
For example:
ardana > openstack network rbac show 0fd89dcb-9809-4a5e-adc1-39dd676cb386
Here is the output:
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_shared |
| id | 0fd89dcb-9809-4a5e-adc1-39dd676cb386 |
| object_id | c3d55c21-d8c9-4ee5-944b-560b7e0ea33b |
| object_type | network |
| target_tenant | 5a582af8b44b422fafcd4545bd2b7eb5 |
| tenant_id | 75eb5efae5764682bca2fede6f4d8c6f |
+---------------+--------------------------------------+
To delete an RBAC policy, run openstack network rbac delete, passing the policy ID:
ardana > openstack network rbac delete POLICY-ID
For example:
ardana > openstack network rbac delete 0fd89dcb-9809-4a5e-adc1-39dd676cb386
Here is the output:
Deleted rbac_policy: 0fd89dcb-9809-4a5e-adc1-39dd676cb386
Either the administrator or the network owner can make a network shareable by all tenants. The administrator can make a tenant's network shareable by all tenants.
To make the network demo-shareall-net accessible by all tenants in the cloud:
Get a list of all projects:
ardana > source ~/service.osrc
ardana > openstack project list
which produces the list:
+----------------------------------+------------------+
| ID | Name |
+----------------------------------+------------------+
| 1be57778b61645a7a1c07ca0ac488f9e | demo |
| 5346676226274cd2b3e3862c2d5ceadd | admin |
| 749a557b2b9c482ca047e8f4abf348cd | swift-monitor |
| 8284a83df4df429fb04996c59f9a314b | swift-dispersion |
| c7a74026ed8d4345a48a3860048dcb39 | demo-sharee |
| e771266d937440828372090c4f99a995 | glance-swift |
| f43fb69f107b4b109d22431766b85f20 | services |
+----------------------------------+------------------+
Get a list of networks:
ardana > openstack network list
This produces the following list:
+--------------------------------------+-------------------+----------------------------------------------------+
| id | name | subnets |
+--------------------------------------+-------------------+----------------------------------------------------+
| f50f9a63-c048-444d-939d-370cb0af1387 | ext-net | ef3873db-fc7a-4085-8454-5566fb5578ea 172.31.0.0/16 |
| 9fb676f5-137e-4646-ac6e-db675a885fd3 | demo-net | 18fb0b77-fc8b-4f8d-9172-ee47869f92cc 10.0.1.0/24 |
| 8eada4f7-83cf-40ba-aa8c-5bf7d87cca8e | demo-shareall-net | 2bbc85a9-3ffe-464c-944b-2476c7804877 10.0.250.0/24 |
| 73f946ee-bd2b-42e9-87e4-87f19edd0682 | demo-share-subset | c088b0ef-f541-42a7-b4b9-6ef3c9921e44 10.0.2.0/24 |
+--------------------------------------+-------------------+----------------------------------------------------+
Set the network you want to share to a shared value of True:
ardana > openstack network set --share 8eada4f7-83cf-40ba-aa8c-5bf7d87cca8e
You should see the following output:
Updated network: 8eada4f7-83cf-40ba-aa8c-5bf7d87cca8e
Check the attributes of that network by running the following command with the ID of the network in question:
ardana > openstack network show 8eada4f7-83cf-40ba-aa8c-5bf7d87cca8e
The output will look like this:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2018-07-25T17:43:59Z |
| description | |
| dns_domain | |
| id | 8eada4f7-83cf-40ba-aa8c-5bf7d87cca8e |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | None |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | demo-net |
| port_security_enabled | False |
| project_id | cb67c79e25a84e328326d186bf703e1b |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 1009 |
| qos_policy_id | None |
| revision_number | 2 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2018-07-25T17:43:59Z |
+---------------------------+--------------------------------------+
As the owner of the demo-shareall-net network, view the RBAC attributes for demo-shareall-net (id=8eada4f7-83cf-40ba-aa8c-5bf7d87cca8e) by first getting an RBAC list:
ardana > echo $OS_USERNAME ; echo $OS_PROJECT_NAME
demo
demo
ardana > openstack network rbac list
This produces the list:
+--------------------------------------+--------------------------------------+
| id | object_id |
+--------------------------------------+--------------------------------------+
| ... |
| 3e078293-f55d-461c-9a0b-67b5dae321e8 | 8eada4f7-83cf-40ba-aa8c-5bf7d87cca8e |
+--------------------------------------+--------------------------------------+
View the RBAC information:
ardana > openstack network rbac show 3e078293-f55d-461c-9a0b-67b5dae321e8
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_shared |
| id | 3e078293-f55d-461c-9a0b-67b5dae321e8 |
| object_id | 8eada4f7-83cf-40ba-aa8c-5bf7d87cca8e |
| object_type | network |
| target_tenant | * |
| tenant_id | 1be57778b61645a7a1c07ca0ac488f9e |
+---------------+--------------------------------------+
With network RBAC, the owner of the network can also make the network shareable by all tenants. First create the network:
ardana > echo $OS_PROJECT_NAME ; echo $OS_USERNAME
demo
demo
ardana > openstack network create test-net
The network is created:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2018-07-25T18:04:25Z |
| description | |
| dns_domain | |
| id | a4bd7c3a-818f-4431-8cdb-fedf7ff40f73 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | test-net |
| port_security_enabled | False |
| project_id | cb67c79e25a84e328326d186bf703e1b |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 1073 |
| qos_policy_id | None |
| revision_number | 2 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2018-07-25T18:04:25Z |
+---------------------------+--------------------------------------+
Create the RBAC. It is important that the asterisk is surrounded by single-quotes to prevent the shell from expanding it to all files in the current directory.
ardana > openstack network rbac create --type network \
--action access_as_shared --target-project '*' test-net
Here are the resulting RBAC attributes:
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_shared |
| id | 0b797cc6-debc-48a1-bf9d-d294b077d0d9 |
| object_id | a4bd7c3a-818f-4431-8cdb-fedf7ff40f73 |
| object_type | network |
| target_tenant | * |
| tenant_id | 1be57778b61645a7a1c07ca0ac488f9e |
+---------------+--------------------------------------+
demo2 View of Networks and Subnets
Note that the owner of the network and subnet is not the tenant named demo2. Both the network and subnet are owned by tenant demo.
Demo2 members cannot create subnets of the network. They also cannot modify or delete subnets owned by demo.
As the tenant demo2, you can get a list of neutron networks:
ardana > openstack network list
+--------------------------------------+-----------+--------------------------------------------------+
| id | name | subnets |
+--------------------------------------+-----------+--------------------------------------------------+
| f60f3896-2854-4f20-b03f-584a0dcce7a6 | ext-net | 50e39973-b2e3-466b-81c9-31f4d83d990b |
| c3d55c21-d8c9-4ee5-944b-560b7e0ea33b | demo-net | d9b765da-45eb-4543-be96-1b69a00a2556 10.0.1.0/24 |
...
+--------------------------------------+-----------+--------------------------------------------------+
And get a list of subnets:
ardana > openstack subnet list --network c3d55c21-d8c9-4ee5-944b-560b7e0ea33b
+--------------------------------------+---------+--------------------------------------+---------------+
| ID | Name | Network | Subnet |
+--------------------------------------+---------+--------------------------------------+---------------+
| a806f28b-ad66-47f1-b280-a1caa9beb832 | ext-net | c3d55c21-d8c9-4ee5-944b-560b7e0ea33b | 10.0.1.0/24 |
+--------------------------------------+---------+--------------------------------------+---------------+
To show details of the subnet:
ardana > openstack subnet show d9b765da-45eb-4543-be96-1b69a00a2556
+-------------------+--------------------------------------------+
| Field | Value |
+-------------------+--------------------------------------------+
| allocation_pools | {"start": "10.0.1.2", "end": "10.0.1.254"} |
| cidr | 10.0.1.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.0.1.1 |
| host_routes | |
| id | d9b765da-45eb-4543-be96-1b69a00a2556 |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | sb-demo-net |
| network_id | c3d55c21-d8c9-4ee5-944b-560b7e0ea33b |
| subnetpool_id | |
| tenant_id | 75eb5efae5764682bca2fede6f4d8c6f |
+-------------------+--------------------------------------------+
The owner of the port is demo2. Members of the network owner project (demo) will not see this port.
Running the following command:
ardana > openstack port create c3d55c21-d8c9-4ee5-944b-560b7e0ea33b
creates a new port:
+-----------------------+-----------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+-----------------------------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| dns_assignment | {"hostname": "host-10-0-1-10", "ip_address": "10.0.1.10", "fqdn": "host-10-0-1-10.openstacklocal."} |
| dns_name | |
| fixed_ips | {"subnet_id": "d9b765da-45eb-4543-be96-1b69a00a2556", "ip_address": "10.0.1.10"} |
| id | 03ef2dce-20dc-47e5-9160-942320b4e503 |
| mac_address | fa:16:3e:27:8d:ca |
| name | |
| network_id | c3d55c21-d8c9-4ee5-944b-560b7e0ea33b |
| security_groups | 275802d0-33cb-4796-9e57-03d8ddd29b94 |
| status | DOWN |
| tenant_id | 5a582af8b44b422fafcd4545bd2b7eb5 |
+-----------------------+-----------------------------------------------------------------------------------------------------+
Here the tenant demo2 boots a VM that uses the demo-net shared network:
ardana > openstack server create --flavor 1 --image $OS_IMAGE --nic net-id=c3d55c21-d8c9-4ee5-944b-560b7e0ea33b demo2-vm-using-demo-net-nic
+--------------------------------------+------------------------------------------------+
| Property | Value |
+--------------------------------------+------------------------------------------------+
| OS-EXT-AZ:availability_zone | |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | - |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | sS9uSv9PT79F |
| config_drive | |
| created | 2016-01-04T19:23:24Z |
| flavor | m1.tiny (1) |
| hostId | |
| id | 3a4dc44a-027b-45e9-acf8-054a7c2dca2a |
| image | cirros-0.3.3-x86_64 (6ae23432-8636-4e...1efc5) |
| key_name | - |
| metadata | {} |
| name | demo2-vm-using-demo-net-nic |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| security_groups | default |
| status | BUILD |
| tenant_id | 5a582af8b44b422fafcd4545bd2b7eb5 |
| updated | 2016-01-04T19:23:24Z |
| user_id | a0e6427b036344fdb47162987cb0cee5 |
+--------------------------------------+------------------------------------------------+
Run openstack server list:
ardana > openstack server list
See the VM running:
+-------------------+-----------------------------+--------+------------+-------------+--------------------+
| ID | Name | Status | Task State | Power State | Networks |
+-------------------+-----------------------------+--------+------------+-------------+--------------------+
| 3a4dc...a7c2dca2a | demo2-vm-using-demo-net-nic | ACTIVE | - | Running | demo-net=10.0.1.11 |
+-------------------+-----------------------------+--------+------------+-------------+--------------------+
Run openstack port list:
ardana > neutron port-list --device-id 3a4dc44a-027b-45e9-acf8-054a7c2dca2a
View the subnet:
+---------------------+------+-------------------+-------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+---------------------+------+-------------------+-------------------------------------------------------------------+
| 7d14ef8b-9...80348f | | fa:16:3e:75:32:8e | {"subnet_id": "d9b765da-45...00a2556", "ip_address": "10.0.1.11"} |
+---------------------+------+-------------------+-------------------------------------------------------------------+
Run neutron port-show:
ardana > openstack port show 7d14ef8b-9d48-4310-8c02-00c74d80348f
+-----------------------+-----------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+-----------------------------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:vnic_type | normal |
| device_id | 3a4dc44a-027b-45e9-acf8-054a7c2dca2a |
| device_owner | compute:None |
| dns_assignment | {"hostname": "host-10-0-1-11", "ip_address": "10.0.1.11", "fqdn": "host-10-0-1-11.openstacklocal."} |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "d9b765da-45eb-4543-be96-1b69a00a2556", "ip_address": "10.0.1.11"} |
| id | 7d14ef8b-9d48-4310-8c02-00c74d80348f |
| mac_address | fa:16:3e:75:32:8e |
| name | |
| network_id | c3d55c21-d8c9-4ee5-944b-560b7e0ea33b |
| security_groups | 275802d0-33cb-4796-9e57-03d8ddd29b94 |
| status | ACTIVE |
| tenant_id | 5a582af8b44b422fafcd4545bd2b7eb5 |
+-----------------------+-----------------------------------------------------------------------------------------------------+
Note the following limitations of RBAC in Neutron.
Neutron network is the only supported RBAC Neutron object type.
The "access_as_external" action is not supported, even though it is listed as a valid action by python-neutronclient. The neutron-api server will not accept an action value of 'access_as_external'; the access_as_external definition is not found in the specs.
The target project users cannot create, modify, or delete subnets on networks that have RBAC policies.
The subnet of a network that has an RBAC policy cannot be added as an interface of a target tenant's router. For example, the command neutron router-interface-add tgt-tenant-router <sb-demo-net uuid> will error out.
The security group rules on the network owner do not apply to other projects that can use the network.
A user in the target project can boot VMs with a VNIC on the shared network. The user of the target project can assign a floating IP (FIP) to the VM. The target project must have security group rules that allow SSH and/or ICMP for VM connectivity.
Neutron RBAC creation and management are currently not supported in Horizon. For now, the Neutron CLI has to be used to manage RBAC rules.
An RBAC rule tells Neutron whether a tenant can access a network (Allow). Currently there is no DENY action.
Port creation on a shared network fails if --fixed-ip is specified in the neutron port-create command.