Red Hat Bugzilla – Bug 1325673
[RFE] [Neutron] Role-based Access Control (RBAC) support for QoS policies
Last modified: 2016-08-24 08:53:26 EDT
Description of problem: The cloud admin needs to have the ability to share Neutron QoS policies between subsets of tenants instead of the all-or-nothing choice he has now. For example, there is no way for a cloud admin to define a "platinum" policy (e.g. guaranteed BW, low latency) and making it possible only for certain tenants (the ones who actually paid for it) applying it to their ports/networks. In a similar context, a cloud administrator may want to apply a pre-created default policy (e.g. rate limit) for newly created networks/VM's . This feature will add more more flexibility for network management workflows and provide the admin with support for real use cases encountered in enterprise/private-cloud deployments.
Code was merged in upstream Mitaka-3. See https://specs.openstack.org/openstack/neutron-specs/specs/mitaka/rbac-qos-policies.html This patch implements a new database model required for the qos-policy RBAC support. In addition it migrates the current qos-policy 'shared' attribute to leverage the new 'qospolicyrbacs' table. 'shared' is no longer a property of the QosPolicy DB model. Its status is based on the tenant ID of the API caller. From an API perspective the logic remains the same - tenants will see qos-policies as 'shared=True' in case the qos-policy is shared with them). However, internal callers (e.g. plugins, drivers, services) must not check for the 'shared' attribute on qos-policy db objects any more.
@Martin, can you please fill in doctext? Thank you.
Added doctext.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-1761.html