[rhos-list] quantum security model

Sadique Puthen sputhenp at redhat.com
Thu Nov 14 07:25:28 UTC 2013


On 11/14/2013 11:36 AM, Prashanth Prahalad wrote:
>
> Hi Folks,
>
> I'm trying to understand the quantum security model behavior in 
> certain cases. I have the OVS plugin configured with VLAN isolation.
>
> I've a tenant project (alt_demo)
>
> (admin) > keystone tenant-list
> +----------------------------------+----------+---------+
> | id | name | enabled |
> +----------------------------------+----------+---------+
> | c19f9a2d16b74c3c971dbfbc1afdc687 | admin | True |
> | a37209139af44a8a8a2a8e519e3f8478 | alt_demo | True |
> | 70e910a7296d4a19be4b32d5bcaf3996 | services | True |
> +----------------------------------+----------+---------+
>
> I've a user (alt_demo) who is a 'member' of project alt_demo. 
> (alt_demo is not an admin)
>
> (admin) > keystone user-list
> +----------------------------------+----------+---------+-------------------+
> | id | name | enabled | email |
> +----------------------------------+----------+---------+-------------------+
> | 338a1897720a4be48023a6987c76191d | admin | True | test at test.com |
> | c2dc7ac0e8bf4628bc7d3b2fe285793a | alt_demo | True | alt_demo at demo.com |
> | 94936f26d48e481dadacda322fc51858 | cinder | True | cinder at localhost |
> | b7db5ef2f2d849b1a8dfc7f043bf4289 | glance | True | glance at localhost |
> | a42b0ca85f914cf88dc6361da5e08a0c | nova | True | nova at localhost |
> | 2f0f85cb85f242c7b9c5f620886b9537 | quantum | True | quantum at localhost |
> +----------------------------------+----------+---------+-------------------+
>
> As alt_demo, try to create a network
>
> (alt_demo) > quantum net-create alt-net
> Created a new network:
> +-----------------+--------------------------------------+
> | Field | Value |
> +-----------------+--------------------------------------+
> | admin_state_up | True |
> | id | c1629dac-91dd-424a-bc82-8b97323f5059 |
> | name | alt-net |
> | router:external | False |
> | shared | False |
> | status | ACTIVE |
> | subnets | |
> | tenant_id | a37209139af44a8a8a2a8e519e3f8478 |
> +-----------------+--------------------------------------+
>
> List the network details for the network which was just created
>
> (alt_demo) > quantum net-show alt-net
> +-----------------+--------------------------------------+
> | Field | Value |
> +-----------------+--------------------------------------+
> | admin_state_up | True |
> | id | c1629dac-91dd-424a-bc82-8b97323f5059 |
> | name | alt-net |
> | router:external | False |
> | shared | False |
> | status | ACTIVE |
> | subnets | |
> | tenant_id | a37209139af44a8a8a2a8e519e3f8478 |
> +-----------------+--------------------------------------+
>
> Here's what an "admin" user sees :
>
> (admin) > quantum net-show alt-net
> +---------------------------+--------------------------------------+
> | Field | Value |
> +---------------------------+--------------------------------------+
> | admin_state_up | True |
> | id | c1629dac-91dd-424a-bc82-8b97323f5059 |
> | name | alt-net |
> | provider:network_type | vlan |
> | provider:physical_network | physnet1 |
> | provider:segmentation_id | 46 |
> | router:external | False |
> | shared | False |
> | status | ACTIVE |
> | subnets | |
> | tenant_id | a37209139af44a8a8a2a8e519e3f8478 |
> +---------------------------+--------------------------------------+
>
> Now, the question I have is that the user "alt_demo" cannot see the 
> VLAN/provider-network and other details, which is very confusing (when 
> the user was able to create the network, he should be able to see 
> details of the network he just created).
>

Why does the user need to bother about the segmentation ID and other 
details? It just needs to work for him, and there is no need for him to 
know how it works internally. That may be the reason it's not exposed to him.

> Thanks !
> Prashanth
>
>
>

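The two `quantum net-show` outputs quoted in this thread differ only in the `provider:*` rows. As an added example (not part of the original thread and not Quantum's own code), the script below parses both tables and checks that the tenant view exposes none of those attributes; treating the `provider:` prefix as the admin-only set is an assumption drawn from the outputs shown.

```python
TENANT_VIEW = """\
+-----------------+--------------------------------------+
| Field | Value |
+-----------------+--------------------------------------+
| admin_state_up | True |
| id | c1629dac-91dd-424a-bc82-8b97323f5059 |
| name | alt-net |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | a37209139af44a8a8a2a8e519e3f8478 |
+-----------------+--------------------------------------+
"""  # (alt_demo) net-show output, copied from the thread
ADMIN_VIEW = """\
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | c1629dac-91dd-424a-bc82-8b97323f5059 |
| name | alt-net |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 46 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | a37209139af44a8a8a2a8e519e3f8478 |
+---------------------------+--------------------------------------+
"""  # (admin) net-show output, copied from the thread
ADMIN_ONLY_PREFIX = "provider:"  # assumption: inferred from the two outputs above

def parse_show(text):
    """Parse a `| Field | Value |` CLI table into a dict, skipping borders and header."""
    fields = {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("|"):  # border lines start with "+"
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) == 2 and cells != ["Field", "Value"]:
                fields[cells[0]] = cells[1]
    return fields

def audit_views(tenant_text, admin_text):
    """Return (admin-only attributes leaked to the tenant, attributes hidden from the tenant)."""
    tenant, admin = parse_show(tenant_text), parse_show(admin_text)
    leaked = sorted(k for k in tenant if k.startswith(ADMIN_ONLY_PREFIX))
    hidden = sorted(set(admin) - set(tenant))
    return leaked, hidden
```

An empty first list means the tenant-scoped response carries no provider attributes; the second list shows exactly which fields the role difference removes.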