
Networks in OpenStack can have the external flag set. If that flag is set, the network is visible to all OpenStack projects, and every project can create routers connecting to it for external access and allocate floating IPs from it to assign to virtual machines.

Default external networks

Our installations usually have two external networks:

  • ntnu-internal - An RFC 1918 network available throughout all NTNU networks.
  • ntnu-external - A globally routed network accessible from the whole internet.

The ntnu-internal network is available to all projects, while the ntnu-external network is only available to projects that have requested access to it.

Remove the access for everyone to a certain network

For the networks we restrict access to, the RBAC rules must be modified manually. After marking a network as external, delete the rule that gives all projects access to it. First, find the ID of the network:

$ openstack network list -c Name -c ID
+--------------------------------------+-------------+
| ID                                   | Name        |
+--------------------------------------+-------------+
| 50a80b8c-d06c-4b53-97f2-6c0b9f9a405c | test-ext    |
| ab6cf6f2-b320-4522-99bf-e5ab65c51553 | admin-lan   |
| dfc8c97d-8cf1-4b4a-9d42-f2cd184b4540 | ext-net     |
+--------------------------------------+-------------+
 

Then remove the RBAC rule whose object_id equals the network ID. For instance, the RBAC rule with the ID c1d8506f-a9a2-4f93-9921-0a8969dac3d8 belongs to the "test-ext" network with the ID "50a80b8c-d06c-4b53-97f2-6c0b9f9a405c":

$ neutron rbac-list
+--------------------------------------+-------------+--------------------------------------+
| id                                   | object_type | object_id                            |
+--------------------------------------+-------------+--------------------------------------+
| c1d8506f-a9a2-4f93-9921-0a8969dac3d8 | network     | 50a80b8c-d06c-4b53-97f2-6c0b9f9a405c |
| e8abdcf5-1bdd-4087-82bf-26dc08bf0fa1 | network     | dfc8c97d-8cf1-4b4a-9d42-f2cd184b4540 |
+--------------------------------------+-------------+--------------------------------------+
 
$ neutron rbac-delete <id>

Give a specific project access to a certain network

Create a new RBAC rule for "test-ext" that grants access to the given project only. You need one RBAC rule per project:

$ neutron rbac-create --target-tenant <project id> --action access_as_external --type network <network id>
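As an added example (not part of the original page), the lookup, delete and per-project grant above as a small Python script: it finds the wildcard rule for a network, audits which external networks are still open to every project, and emits the equivalent commands using the `openstack network rbac` subcommands of the unified client (the `neutron` CLI is deprecated). The JSON field names assume the output of `openstack network rbac list --long -f json`, and the project IDs and the third rule are hypothetical.

```python
"""Audit wildcard external-network RBAC rules and plan their replacement."""
import json

NETWORK_ID = "50a80b8c-d06c-4b53-97f2-6c0b9f9a405c"  # test-ext, from the page

# Constructed sample shaped like `openstack network rbac list --long -f json`
# (the field names are an assumption; check your client version). Rule and
# network IDs are the page's own; the per-project rule is hypothetical.
SAMPLE_RBAC = json.dumps([
    {"ID": "c1d8506f-a9a2-4f93-9921-0a8969dac3d8", "Object Type": "network",
     "Object ID": NETWORK_ID, "Action": "access_as_external",
     "Target Project ID": "*"},
    {"ID": "e8abdcf5-1bdd-4087-82bf-26dc08bf0fa1", "Object Type": "network",
     "Object ID": "dfc8c97d-8cf1-4b4a-9d42-f2cd184b4540",
     "Action": "access_as_external", "Target Project ID": "*"},
    {"ID": "hypothetical-rule-0001", "Object Type": "network",
     "Object ID": NETWORK_ID, "Action": "access_as_external",
     "Target Project ID": "project-a"},
])

def external_rules(rbac_json, network_id):
    """All access_as_external rules that apply to one network."""
    return [r for r in json.loads(rbac_json)
            if r["Object Type"] == "network" and r["Object ID"] == network_id
            and r["Action"] == "access_as_external"]

def wildcard_rule_ids(rbac_json, network_id):
    """IDs of the rules that make network_id visible to every project."""
    return [r["ID"] for r in external_rules(rbac_json, network_id)
            if r["Target Project ID"] == "*"]

def exposed_networks(rbac_json):
    """Audit: every network that some wildcard external rule still exposes."""
    return sorted({r["Object ID"] for r in json.loads(rbac_json)
                   if r["Object Type"] == "network"
                   and r["Action"] == "access_as_external"
                   and r["Target Project ID"] == "*"})

def plan_restrict(rbac_json, network_id, allowed_projects):
    """Commands to drop the wildcard grant and add one rule per project,
    skipping projects that already hold a rule."""
    cmds = [f"openstack network rbac delete {rid}"
            for rid in wildcard_rule_ids(rbac_json, network_id)]
    granted = {r["Target Project ID"] for r in external_rules(rbac_json, network_id)}
    cmds += [f"openstack network rbac create --target-project {p} "
             f"--action access_as_external --type network {network_id}"
             for p in allowed_projects if p not in granted]
    return cmds
```

Run `exposed_networks` again after applying the plan: the restricted network must no longer appear, which is the check that the wildcard grant is really gone.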