=====================
Neutron Policy Server
=====================

This is a simple server which can be used to manage complex Neutron policies
that cannot be expressed in the default Neutron ``policy.json`` file, because
that file offers no programmatic control.

You can find a reference policy example at
https://github.com/vexxhost/atmosphere/blob/main/roles/neutron/vars/main.yml#L125-L130

It covers the following use cases:

-------------------------------------------
Allowed Address Pairs for Provider Networks
-------------------------------------------

The default Neutron policy does not allow the use of allowed address pairs on
provider networks. However, in a use case where you need to run a highly
available service on a provider network, you may need allowed address pairs so
that multiple instances can share the same IP address.

This service intercepts the existing Neutron policy and allows the use of
allowed address pairs on provider networks under these circumstances:

- Users can modify the ``allowed_address_pairs`` attribute of their port if they
  own another port on the same network with the same MAC and IP address.
- Users cannot delete a port if another port on the same network has an
  ``allowed_address_pairs`` attribute with the same MAC and IP address.
- Users cannot modify the ``fixed_ips`` attribute of a port if another port on
  the same network has an ``allowed_address_pairs`` attribute with that IP.

---------
Use cases
---------

Here is an example ``policy.yaml`` file for Neutron that uses the Neutron policy
server:

.. code-block:: yaml

   delete_port: ((rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
     or role:member and project_id:%(project_id)s) and http://neutron-server:9697/port-delete
   update_port:allowed_address_pairs: ((rule:admin_only) or (role:member and rule:network_owner)
     or role:manager and project_id:%(project_id)s) or (role:member and project_id:%(project_id)s
     and http://neutron-server:9697/address-pair)
   update_port:allowed_address_pairs:ip_address: ((rule:admin_only) or (role:member and
     rule:network_owner) or role:manager and project_id:%(project_id)s) or (role:member
     and project_id:%(project_id)s)
   update_port:allowed_address_pairs:mac_address: ((rule:admin_only) or (role:member
     and rule:network_owner) or role:manager and project_id:%(project_id)s) or (role:member
     and project_id:%(project_id)s)
   update_port:fixed_ips: ((rule:admin_only) or (rule:service_api) or role:manager and
     project_id:%(project_id)s or role:member and rule:network_owner) and http://neutron-server:9697/port-update
   update_port:mac_address: ((rule:admin_only) or (rule:service_api) or role:manager
     and project_id:%(project_id)s) and http://neutron-server:9697/port-update

All of the rules above contain the original Neutron rules with the Neutron
policy server URL integrated. An environment can make the Neutron policy server
URL a hard condition, as above, if it wants the allowed address pair protection
to hold across network ownership when ports are updated or deleted.

-----------
Strict Mode
-----------

By default, the MAC address must also match in the add-allowed-address-pair,
update-port and delete-port cases. This can be disabled by providing the query
parameter ``strict=0``, for example
``http://neutron-server:9697/port-delete?strict=0``. With strict mode disabled,
the MAC address is not required to match and the policy passes on an IP address
match alone. This is useful for some HA setups in which one IP address needs to
move between two instances.

-----------------
Known Limitations
-----------------

The current limitation for cross-ownership address pair binding (binding on a
network the user does not own) is that the pair must be a plain fixed IP address
in the form ``x.x.x.x``; CIDR notation such as ``/32`` or ``/24`` is not
accepted. The reason is that a CIDR such as ``10.10.10.0/24`` would lock every
port with an IP under 10.10.10.0/24 against delete actions, which would be a
serious security problem given that the user does not own the entire network.
A plain fixed IP address such as ``10.10.10.4`` can be used directly.

Also worth mentioning: the CIDR limitation does not affect any existing use case
in which the user actually owns the network, so a network owner can still add
allowed address pairs with CIDRs such as ``10.10.10.0/24``.
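The checks described on this page (the three allowed address pair rules, the HTTP checks wired into ``policy.yaml``, the ``strict=0`` query parameter and the plain-IP-only limitation for cross-ownership binding), modelled as an added Python example. This is not the neutron-policy-server code itself: it assumes the payload shape of oslo.policy's ``HttpCheck`` (form fields ``rule``, ``target`` and ``credentials`` carrying JSON, and a response body of exactly ``True`` meaning allowed), keeps the port inventory in an in-memory list instead of the Neutron database, and the port records, project ids and helper names (``PORTS``, ``handle``, ``request``) are constructed for the example.

```python
import json
from urllib.parse import parse_qs, urlparse

# Constructed inventory: three ports on one provider network "net1".
# Project "a" owns p1 (holds the VIP 10.10.10.4) and p2 (lists that VIP as
# an allowed address pair); project "b" owns p3 on the same network.
PORTS = [
    {"id": "p1", "network_id": "net1", "project_id": "a",
     "mac_address": "fa:16:3e:00:00:01",
     "fixed_ips": [{"ip_address": "10.10.10.4"}], "allowed_address_pairs": []},
    {"id": "p2", "network_id": "net1", "project_id": "a",
     "mac_address": "fa:16:3e:00:00:02",
     "fixed_ips": [{"ip_address": "10.10.10.5"}],
     "allowed_address_pairs": [
         {"ip_address": "10.10.10.4", "mac_address": "fa:16:3e:00:00:01"}]},
    {"id": "p3", "network_id": "net1", "project_id": "b",
     "mac_address": "fa:16:3e:00:00:03",
     "fixed_ips": [{"ip_address": "10.10.10.6"}], "allowed_address_pairs": []},
]


def _same_network_others(port, ports):
    """Every other port on the same network as `port`."""
    return [p for p in ports
            if p["network_id"] == port["network_id"] and p["id"] != port["id"]]


def address_pair_allowed(target, caller_project, ports, strict=True):
    """/address-pair: each requested pair must be backed by a port the caller's
    project owns on the same network with that IP (and, in strict mode, that
    MAC). A CIDR-form pair is refused on this cross-ownership path, mirroring
    the documented limitation (assumption: the check denies rather than
    expanding the CIDR)."""
    for pair in target.get("allowed_address_pairs", []):
        ip = pair["ip_address"]
        if "/" in ip:
            return False
        # Neutron defaults a pair's MAC to the port's own MAC when omitted.
        mac = pair.get("mac_address", target["mac_address"])
        backed = any(
            p["project_id"] == caller_project
            and any(f["ip_address"] == ip for f in p["fixed_ips"])
            and (not strict or p["mac_address"] == mac)
            for p in _same_network_others(target, ports))
        if not backed:
            return False
    return True


def port_unreferenced(port, ports, strict=True):
    """/port-delete and /port-update: deny when another port on the network
    lists one of this port's fixed IPs (and, in strict mode, its MAC) as an
    allowed address pair, since removing or re-addressing the port would
    strand that pair."""
    ips = {f["ip_address"] for f in port["fixed_ips"]}
    for other in _same_network_others(port, ports):
        for pair in other["allowed_address_pairs"]:
            if pair["ip_address"] not in ips:
                continue
            pair_mac = pair.get("mac_address", other["mac_address"])
            if not strict or pair_mac == port["mac_address"]:
                return False
    return True


def handle(url, form, ports=PORTS):
    """Serve one HttpCheck-style POST and return the body oslo.policy expects."""
    parsed = urlparse(url)
    strict = parse_qs(parsed.query).get("strict", ["1"])[0] != "0"
    target = json.loads(form["target"])
    # Ownership is decided from the caller's credentials, not the target.
    caller_project = json.loads(form["credentials"])["project_id"]
    if parsed.path == "/address-pair":
        ok = address_pair_allowed(target, caller_project, ports, strict)
    elif parsed.path in ("/port-delete", "/port-update"):
        # Neutron enforces update policies on the original port merged with the
        # requested changes, so the current addresses are read from the
        # inventory rather than trusted from the payload.
        current = next((p for p in ports if p["id"] == target["id"]), None)
        ok = current is not None and port_unreferenced(current, ports, strict)
    else:
        ok = False  # unknown route: fail closed
    return "True" if ok else "False"


def request(path, port_id, project, strict=True, **changes):
    """Build (url, form) the way oslo.policy would for one API call
    (constructed helper; `changes` are the attributes being updated)."""
    target = dict(next(p for p in PORTS if p["id"] == port_id), **changes)
    url = "http://neutron-server:9697" + path + ("" if strict else "?strict=0")
    creds = {"project_id": project, "roles": ["member"]}
    return url, {"rule": json.dumps(path.strip("/")),
                 "target": json.dumps(target),
                 "credentials": json.dumps(creds)}
```

Two design points worth keeping in a real deployment: the ownership decision is taken from the caller's credentials rather than from fields in the target, and the delete/update checks consult the stored port rather than the merged request body, so a caller cannot talk the server out of a lock by sending a target that no longer lists the referenced IP.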