Ask Your Question

Make flat network available only to some tenants/users

asked 2015-01-28 16:11:09 -0500

olc gravatar image

Hi - I have a flat provider network physically attached to an internal network. Is there a way to make it available only to some tenants (aka not to everyone and not to the owner only)? I guess that the neutron's policy.json is the way to go but I can't find which entry can control that. Thanks in anticipation.

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2015-01-29 15:23:01 -0500

olc gravatar image

Thanks @NoNoNoo. Well here is the results of my experiments today. My purpose is actually to provide a couple of tenants with an access to an NFS storage network.

I have created an 'nfs' role and associated it with the required users and tenants with keystone. Then I have added/modified the following rules in /etc/neutron/policy.json (controller nodes where the neutron api server resides):

"network_is_nfs": "field:networks:id=7a1cbc3d-54de-48a9-aaed-2fc28152abf7",
"show_nfs": "rule:network_is_nfs and role:nfs",
"get_network": "rule:admin_or_owner or rule:external or rule:show_nfs or (not rule:network_is_nfs and rule:shared)",

That seems to do the trick. The only drawback is that it is necessary to have the network id (7a1cbc3d-54de-48a9-aaed-2fc28152abf7 in my case) hardcoded in the policy file.

edit flag offensive delete link more

answered 2015-01-29 07:16:59 -0500

NoNoNoo gravatar image

From openstack documentation :

Currently the concept of 'external' network is somewhat similar to the concept of a 'shared' network. However, while every tenant can operate on a shared network, performing operations such as creating port, the set of operations a tenant can perform on an external network is more limited, as it's currently restrained to setting external gateways on routers and creating floating IPs.

Nevertheless, the concept of 'external' implies some forms of sharing, and this has some bearing on the topologies that can be achieved. For instance it is not possible at the moment have an external network which is reserved to a specific tenant. That external network will always show up in queries performed by other tenants too.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-01-28 16:11:09 -0500

Seen: 563 times

Last updated: Jan 29 '15