Bug 1287415

Summary: [Docs] [Networking] Provide an outline of RBAC control
Product: Red Hat OpenStack
Reporter: Andrew Dahms <adahms>
Component: documentation
Assignee: Martin Lopes <mlopes>
Status: CLOSED CURRENTRELEASE
QA Contact: Dan Macpherson <dmacpher>
Severity: medium
Priority: high
Version: 8.0 (Liberty)
CC: mburns, srevivo
Target Milestone: ga
Keywords: Documentation
Target Release: 8.0 (Liberty)
Hardware: Unspecified   
OS: Unspecified   
URL: https://blueprints.launchpad.net/neutron/+spec/rbac-networks
Doc Type: Bug Fix
Last Closed: 2016-12-02 03:13:47 UTC
Type: Bug
Bug Depends On: 1266081    

Description Andrew Dahms 2015-12-02 03:14:29 UTC
In Red Hat Enterprise Linux OpenStack Platform 8, users can apply RBAC to networks, allowing administrators to control access to networks across tenants. A conceptual overview and instructions on how and why to configure RBAC must be added to the Networking Guide.

Comment 1 Andrew Dahms 2015-12-02 03:15:04 UTC
Assigning to Martin for review.

Comment 3 Martin Lopes 2015-12-03 00:14:14 UTC
Content has been tech reviewed by SME

Comment 5 Martin Lopes 2016-11-08 04:12:13 UTC
For docs QA, updated URL is here: https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/single/networking-guide#sec-rbac

All of chapter 12 is in scope for peer review.

Comment 6 Dan Macpherson 2016-12-01 05:07:40 UTC
Hi Martin,

Sorry it took so long. This BZ slipped under my radar. Here's my peer review:


> OpenStack Networking now uses a RBAC table to control sharing of neutron networks between tenants

Since you can share networks with more than two tenants, it should be "among tenants".

> ability for some tenants to create networks, and can instead allow them

Unnecessary comma.

> Use neutron rbac-delete to delete the RBAC, based on its ID value: 

Unnecessary comma.

> Access to external networks (networks with gateway interfaces attached) can be controlled with RBAC, using the --action access_as_external parameter. 

Consider using active voice: "You can grant RBAC access to external networks (networks with gateway interfaces attached) using the --action access_as_external parameter."

Also an unnecessary comma.

> this procedure creates a RBAC for the web-servers network, and grants access to the engineering tenant (c717f263785d4679b16a122516247deb): 

Unnecessary comma.

> As a result, users in the Engineering tenant are able to view the network, or connect instances to it:

Unnecessary comma.

Comment 8 Dan Macpherson 2016-12-01 06:25:57 UTC
Cool. Flipping this to VERIFIED.