.. Mohammed Naser | a3a92e5 | 2024-06-03 22:30:38 -0400

=====================
Neutron Policy Server
=====================

This is a simple server for managing complex Neutron policies that cannot be
expressed in the default Neutron ``policy.json`` file because it lacks
programmatic control. It covers the following use cases:

-------------------------------------------
Allowed Address Pairs for Provider Networks
-------------------------------------------

The default Neutron policy does not allow the use of allowed address pairs for
provider networks. However, in a use case where you need to run a highly
available service on a provider network, you may need to use allowed address
pairs to allow multiple instances to share the same IP address.

This service intercepts the existing Neutron policy and allows the use of
allowed address pairs for provider networks under these circumstances:

- Users can modify the ``allowed_address_pairs`` attribute of their port if
  they own another port on the same network with the same MAC & IP address.
- Users cannot delete a port if another port on the same network has an
  ``allowed_address_pairs`` attribute with the same MAC & IP address.
- Users cannot modify the ``fixed_ips`` attribute of a port if another port on
  the same network has an ``allowed_address_pairs`` attribute with the IP.
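
The three rules above, sketched as an added Python example (not the service's own code) that evaluates each decision over a list of ports. It assumes ports are dicts shaped like Neutron API port objects, that "owning" a port means a matching ``project_id``, that addresses are compared as exact strings, and that rule 3 refers to the IPs currently on the port being modified; the helper names and sample ports are constructed for illustration.

```python
# Added illustration, not the Neutron Policy Server's code. Ports are dicts
# shaped like Neutron API port objects; "owns" is assumed to mean same project_id.

def addresses(port):
    """(MAC, IP) tuples for the port's own fixed IPs."""
    return {(port["mac_address"].lower(), f["ip_address"]) for f in port["fixed_ips"]}

def pairs(port, entries=None):
    """(MAC, IP) tuples for allowed_address_pairs; a missing MAC means the port's own."""
    entries = port.get("allowed_address_pairs", []) if entries is None else entries
    return {(e.get("mac_address", port["mac_address"]).lower(), e["ip_address"]) for e in entries}

def siblings(port, ports):
    """Other ports on the same network."""
    return [p for p in ports if p["network_id"] == port["network_id"] and p["id"] != port["id"]]

def can_set_pairs(port, requested, ports):
    """Rule 1: each requested pair must equal the MAC and IP of a sibling port the caller owns."""
    owned = set()
    for p in siblings(port, ports):
        if p["project_id"] == port["project_id"]:
            owned |= addresses(p)
    return pairs(port, requested) <= owned

def can_delete(port, ports):
    """Rule 2: deny while a sibling's pair references this port's MAC and IP."""
    return not any(pairs(p) & addresses(port) for p in siblings(port, ports))

def can_change_fixed_ips(port, ports):
    """Rule 3 (as assumed here): deny while a sibling's pair references one of this port's IPs."""
    ips = {ip for _, ip in addresses(port)}
    return not any(ip in ips for p in siblings(port, ports) for _, ip in pairs(p))

def make_port(id_, project, mac, ip, aap=()):
    return {"id": id_, "project_id": project, "network_id": "provider-net",
            "mac_address": mac, "fixed_ips": [{"ip_address": ip}],
            "allowed_address_pairs": list(aap)}

# Constructed sample: project "a" holds a VIP port and an instance port; "b" is another tenant.
VIP_PAIR = {"mac_address": "fa:16:3e:00:00:10", "ip_address": "203.0.113.10"}
VIP = make_port("vip", "a", "fa:16:3e:00:00:10", "203.0.113.10")
NODE_A = make_port("node-a", "a", "fa:16:3e:00:00:11", "203.0.113.11")
NODE_B = make_port("node-b", "b", "fa:16:3e:00:00:21", "203.0.113.21")
PORTS = [VIP, NODE_A, NODE_B]
# State after node-a's update has been accepted.
PAIRED = [VIP, dict(NODE_A, allowed_address_pairs=[VIP_PAIR]), NODE_B]

if __name__ == "__main__":
    print(can_set_pairs(NODE_A, [VIP_PAIR], PORTS), can_set_pairs(NODE_B, [VIP_PAIR], PORTS))
    print(can_delete(VIP, PORTS), can_delete(VIP, PAIRED), can_change_fixed_ips(VIP, PAIRED))
```

A pair that omits ``mac_address`` is evaluated with the requesting port's own MAC, so under the MAC-and-IP match it is accepted only when the MAC of the owned port is given explicitly.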