How can one implement ACLs in Neutron?

asked 2015-04-02 18:15:19 -0500

rw2

According to https://wiki.openstack.org/wiki/Neutron/APIv2-specification:

"More sophisticated mechanisms for specifying ACLs on networks will come in future releases of the API."

I would like to do one of two things:

1) Hear someone recommend an approach on how to do ACLs today when writing a Neutron V2 plugin. I've looked at the existing plugins and don't see anyone trying to do anything bespoke to accomplish this goal.

or

2) Get engaged with the right people as I have the time and inclination to help enhance the API in order to provide support for this going forward.


2 answers


answered 2015-04-03 12:20:23 -0500

echiu

There is an old blueprint for Quantum ACL that was never approved: https://blueprints.launchpad.net/neut...

It seems the current direction is to have a central ACL through Keystone rather than have each project have its own ACL. You can try a bottom-up approach, implement it for your own Neutron driver, and propose it as part of the specification for Neutron.


answered 2015-04-03 15:49:17 -0500

rw2

updated 2015-04-03 18:03:31 -0500

Very helpful, thanks a lot.

How did you determine that Keystone was the direction? (Not doubting the veracity of your statement, just looking for more background on the subject.) I see Swift seems to have some binding to Keystone, but it also looks like Swift has its own ACLs.

I've been around open source for a long time and am extremely reluctant to implement this in my Neutron plugin and then not have it be accepted into the distribution. I'd much rather reach a consensus up front as to what the approach should be, then apply my efforts to implementing something that has a good chance of being accepted. If the community is already coalescing around Keystone, then I'd prefer to support that rather than go off in my own direction.
