=====================
Neutron Policy Server
=====================

This is a simple server which can be used to manage complex Neutron policies
that cannot be expressed in the default Neutron ``policy.json`` file, which
lacks programmatic control.

An example policy can be found at
https://github.com/vexxhost/atmosphere/blob/main/roles/neutron/vars/main.yml#L125-L130

It covers the following use cases:

-------------------------------------------
Allowed Address Pairs for Provider Networks
-------------------------------------------

The default Neutron policy does not allow the use of allowed address pairs on
provider networks. However, when you need to run a highly available service on
a provider network, you may need allowed address pairs so that multiple
instances can share the same IP address.

This service intercepts the existing Neutron policy and allows the use of
allowed address pairs for provider networks under these circumstances:

- Users can modify the ``allowed_address_pairs`` attribute of their port if they
  own another port on the same network with the same MAC and IP address.
- Users cannot delete a port if another port on the same network has an
  ``allowed_address_pairs`` attribute with the same MAC and IP address.
- Users cannot modify the ``fixed_ips`` attribute of a port if another port on
  the same network has an ``allowed_address_pairs`` attribute with that IP.

---------
Use cases
---------

Here is an example ``policy.yaml`` file for Neutron that uses the Neutron policy server:

.. code-block:: yaml

   delete_port: ((rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
     or role:member and project_id:%(project_id)s) and http://neutron-server:9697/port-delete
   update_port:allowed_address_pairs: ((rule:admin_only) or (role:member and rule:network_owner)
     or role:manager and project_id:%(project_id)s) or (role:member and project_id:%(project_id)s
     and http://neutron-server:9697/address-pair )
   update_port:allowed_address_pairs:ip_address: ((rule:admin_only) or (role:member and
     rule:network_owner) or role:manager and project_id:%(project_id)s) or (role:member
     and project_id:%(project_id)s)
   update_port:allowed_address_pairs:mac_address: ((rule:admin_only) or (role:member
     and rule:network_owner) or role:manager and project_id:%(project_id)s) or (role:member
     and project_id:%(project_id)s)
   update_port:fixed_ips: ((rule:admin_only) or (rule:service_api) or role:manager and
     project_id:%(project_id)s or role:member and rule:network_owner) and http://neutron-server:9697/port-update
   update_port:mac_address: ((rule:admin_only) or (rule:service_api) or role:manager
     and project_id:%(project_id)s) and http://neutron-server:9697/port-update

All of the rules above combine the original Neutron rules with the Neutron policy
server URL. An environment can make the Neutron policy server URL a hard condition,
as above, if it wants the allowed address pair protection to apply across network
ownership whenever ports are updated or deleted.

-----------
Strict Mode
-----------

By default, the MAC address must also match for the add allowed address pairs,
update port and delete port cases, but this can be disabled by providing the query
parameter ``strict=0``, for example ``http://neutron-server:9697/port-delete?strict=0``.
With strict mode disabled, the MAC address is not required to match and the policy
can pass on an IP address match alone. This is useful for some HA setups in which
one IP address needs to move between two instances.

-----------------
Known Limitations
-----------------

The current limitation for cross-ownership port address pair binding is that only
a plain fixed IP address (``x.x.x.x``) is accepted, not CIDR notation such as
``/32`` or ``/24``. The reason for this limitation is that a CIDR such as
``10.10.10.0/24`` would lock every port with an IP in 10.10.10.0/24 against
deletion, which is a significant security problem when the user does not own the
entire network. A fixed IP address such as ``10.10.10.4`` can be used directly.
It is also worth mentioning that the CIDR limitation does not affect any of the
existing use cases in which the user actually owns the network, so a network
owner can still add an allowed address pair with a CIDR such as ``10.10.10.0/24``.
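
The decision rules described above (the allowed address pair and delete port checks, strict mode, and the CIDR restriction for cross-ownership pairs) written out as an added Python example; this is not the Neutron Policy Server's own code. It assumes ports are dicts shaped like Neutron's port API responses and that a pair without ``mac_address`` falls back to the MAC of the port that owns it.

```python
import ipaddress

def is_plain_ip(address):
    """True for a bare address such as 10.10.10.4; False for a CIDR such as 10.10.10.0/24."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False

def port_matches_pair(port, pair, default_mac, strict=True):
    """True if `port` carries the pair's IP and, in strict mode, its MAC as well.

    A pair that omits mac_address falls back to `default_mac`, the MAC of the
    port that owns the pair (assumption about the API shape).
    """
    if not any(f["ip_address"] == pair["ip_address"] for f in port["fixed_ips"]):
        return False
    pair_mac = (pair.get("mac_address") or default_mac).lower()
    return (not strict) or port["mac_address"].lower() == pair_mac

def allow_address_pair(target, pairs, project_ports, strict=True):
    """May the project set `pairs` on `target`? Every pair must be a plain IP
    and must match another port the same project owns on the same network."""
    others = [p for p in project_ports
              if p["id"] != target["id"] and p["network_id"] == target["network_id"]]
    for pair in pairs:
        if not is_plain_ip(pair["ip_address"]):
            return False, "CIDR pairs are only allowed for the network owner"
        if not any(port_matches_pair(p, pair, target["mac_address"], strict) for p in others):
            return False, f"no owned port on the network carries {pair['ip_address']}"
    return True, "ok"

def allow_port_delete(port, network_ports, strict=True):
    """Deny deleting `port` while another port on the network still lists its
    address (and, in strict mode, its MAC) in allowed_address_pairs."""
    for other in network_ports:
        if other["id"] == port["id"]:
            continue
        for pair in other.get("allowed_address_pairs", []):
            if port_matches_pair(port, pair, other["mac_address"], strict):
                return False, f"port {other['id']} still references {pair['ip_address']}"
    return True, "ok"

# Constructed sample ports: a VIP port and a member instance on one provider network.
VIP_PORT = {"id": "p-vip", "network_id": "net-1", "mac_address": "fa:16:3e:00:00:01",
            "fixed_ips": [{"ip_address": "10.10.10.4"}], "allowed_address_pairs": []}
MEMBER_A = {"id": "p-a", "network_id": "net-1", "mac_address": "fa:16:3e:00:00:0a",
            "fixed_ips": [{"ip_address": "10.10.10.11"}], "allowed_address_pairs": []}
```

With the sample data, adding ``10.10.10.4`` to ``MEMBER_A`` is refused in strict mode (the VIP port's MAC differs from the member's) but accepted with ``strict=False`` or when the pair names the VIP port's MAC, and deleting the VIP port is refused while a member port still references it.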