...
- ntnu-internal - An RFC1918 network available throughout all NTNU networks.
- ntnu-external global - A globally numbered network accessible from the whole internet.

The ntnu-internal network is available to all projects, while the ntnu-external global networks are only available to projects which have requested access to them.
Remove the access for everyone to a certain network

For the networks we restrict access to, we need to manually modify the RBAC lists. After marking a network as external, we need to delete the rule giving all projects access to it. To do this you first need to find the ID of the network:

```
$ openstack network list -c Name -c ID
+--------------------------------------+-----------+
| ID                                   | Name      |
+--------------------------------------+-----------+
| 50a80b8c-d06c-4b53-97f2-6c0b9f9a405c | test-ext  |
| ab6cf6f2-b320-4522-99bf-e5ab65c51553 | admin-lan |
| dfc8c97d-8cf1-4b4a-9d42-f2cd184b4540 | ext-net   |
+--------------------------------------+-----------+
```

Then remove the RBAC rule whose object_id is the same as the network ID. For instance, the RBAC rule with the ID c1d8506f-a9a2-4f93-9921-0a8969dac3d8 belongs to the "test-ext" network with the ID "50a80b8c-d06c-4b53-97f2-6c0b9f9a405c":

```
$ neutron rbac-list
+--------------------------------------+-------------+--------------------------------------+
| id                                   | object_type | object_id                            |
+--------------------------------------+-------------+--------------------------------------+
| c1d8506f-a9a2-4f93-9921-0a8969dac3d8 | network     | 50a80b8c-d06c-4b53-97f2-6c0b9f9a405c |
| e8abdcf5-1bdd-4087-82bf-26dc08bf0fa1 | network     | dfc8c97d-8cf1-4b4a-9d42-f2cd184b4540 |
+--------------------------------------+-------------+--------------------------------------+
$ neutron rbac-delete <id>
```

Give a project access to use a network as an external network.

To give a certain project access to an external network, add that project to the network's RBAC list. Access is granted per project, so you need one RBAC rule per project. To add the project with the ID "5b23998288424b65af422700a5ecd081" to the network 0b537b33-d135-493a-bd97-3d5ce9e6dea6, use the following command:

```
$ openstack network rbac create --type network --action access_as_external --target-project 5b23998288424b65af422700a5ecd081 0b537b33-d135-493a-bd97-3d5ce9e6dea6
```

The command needs the network ID (0b537b33-d135-493a-bd97-3d5ce9e6dea6 in the example above). To find the correct ID in your environment, the following command lists the external networks:

```
$ openstack network list -c Name -c ID --external
+--------------------------------------+---------------+
| ID                                   | Name          |
+--------------------------------------+---------------+
| 0b537b33-d135-493a-bd97-3d5ce9e6dea6 | ntnu-global   |
| 730cb16e-a460-4a87-8c73-50a2cb2293f9 | ntnu-internal |
+--------------------------------------+---------------+
```

With the legacy neutron client, the equivalent command for creating the per-project rule (here for "test-ext") is:

```
$ neutron rbac-create --target-tenant <project id> --action access_as_external --type network <network id>
```
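After restricting a network, the thing to verify is that the "everyone" rule (target `*`) is really gone and only the intended projects remain. The following audit script is an added example and not part of the original page: it takes an RBAC policy dump shaped like the Neutron API's `rbac-policies` response (field names `target_tenant`/`target_project_id` are assumed from the API; the sample below is constructed, reusing the IDs from this page plus one placeholder rule ID) and reports the wildcard rules that still grant all projects external access to a restricted network, together with the delete commands to remove them.

```python
import json

# Constructed sample in the shape of GET /v2.0/rbac-policies. Network and
# rule IDs are the ones used on this page; the 1111... rule ID is a placeholder.
SAMPLE_RBAC_JSON = """
{"rbac_policies": [
  {"id": "c1d8506f-a9a2-4f93-9921-0a8969dac3d8", "object_type": "network",
   "object_id": "50a80b8c-d06c-4b53-97f2-6c0b9f9a405c",
   "action": "access_as_external", "target_tenant": "*"},
  {"id": "e8abdcf5-1bdd-4087-82bf-26dc08bf0fa1", "object_type": "network",
   "object_id": "dfc8c97d-8cf1-4b4a-9d42-f2cd184b4540",
   "action": "access_as_external", "target_tenant": "*"},
  {"id": "11111111-1111-1111-1111-111111111111", "object_type": "network",
   "object_id": "50a80b8c-d06c-4b53-97f2-6c0b9f9a405c",
   "action": "access_as_external",
   "target_tenant": "5b23998288424b65af422700a5ecd081"}
]}
"""

def load_policies(text):
    return json.loads(text)["rbac_policies"]

def target_of(rule):
    # Newer Neutron releases also emit target_project_id; accept either field.
    return rule.get("target_project_id") or rule.get("target_tenant")

def external_rules(policies, network_id):
    return [r for r in policies
            if r["object_type"] == "network"
            and r["action"] == "access_as_external"
            and r["object_id"] == network_id]

def external_access(policies, network_id):
    """Project IDs allowed to use network_id as external; '*' means everyone."""
    return {target_of(r) for r in external_rules(policies, network_id)}

def wildcard_rules(policies, restricted_network_ids):
    """IDs of 'everyone' rules still present on networks meant to be restricted."""
    return [r["id"] for net in sorted(restricted_network_ids)
            for r in external_rules(policies, net) if target_of(r) == "*"]

def cleanup_commands(policies, restricted_network_ids):
    return ["openstack network rbac delete %s" % rid
            for rid in wildcard_rules(policies, restricted_network_ids)]

if __name__ == "__main__":
    rules = load_policies(SAMPLE_RBAC_JSON)
    restricted = {"50a80b8c-d06c-4b53-97f2-6c0b9f9a405c"}  # test-ext
    print(sorted(external_access(rules, next(iter(restricted)))))
    for cmd in cleanup_commands(rules, restricted):
        print(cmd)
```

Feed it a real dump (for example from the Neutron API or by collecting `openstack network rbac show -f json` for each rule) and leave ntnu-internal out of the restricted set, since its wildcard rule is intentional.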