<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 11/14/2013 11:36 AM, Prashanth Prahalad wrote: </div> <blockquote cite="mid:CADghgox065_v+2dgPGrzNLbNUM502FebMOttW71Ha-gfJ7GN+w@mail.gmail.com" type="cite"> <div dir="ltr"> <div class="" id="yui_3_10_3_1_1384409082967_302" style="margin:0px;padding:0px;color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px;text-align:left"> Hi Folks, I'm trying to understand the quantum security model behavior in certain cases. I've OVS plugin configured with VLAN isolation. I've a tenant project (alt_demo) (admin) > keystone tenant-list +----------------------------------+----------+---------+ | id | name | enabled | +----------------------------------+----------+---------+ | c19f9a2d16b74c3c971dbfbc1afdc687 | admin | True | | a37209139af44a8a8a2a8e519e3f8478 | alt_demo | True | | 70e910a7296d4a19be4b32d5bcaf3996 | services | True | +----------------------------------+----------+---------+ I've a user (alt_demo) who is a 'member' of project alt_demo. (alt_demo is not an admin) (admin > keystone user-list +----------------------------------+----------+---------+-------------------+ | id | name | enabled | email | +----------------------------------+----------+---------+-------------------+ | 338a1897720a4be48023a6987c76191d | admin | True | <a moz-do-not-send="true" href="mailto:test@test.com">test@test.com</a> | | c2dc7ac0e8bf4628bc7d3b2fe285793a | alt_demo | True | <a moz-do-not-send="true" href="mailto:alt_demo@demo.com">alt_demo@demo.com</a> | | 94936f26d48e481dadacda322fc51858 | cinder | True | cinder@localhost | | b7db5ef2f2d849b1a8dfc7f043bf4289 | glance | True | glance@localhost | | a42b0ca85f914cf88dc6361da5e08a0c | nova | True | nova@localhost | | 2f0f85cb85f242c7b9c5f620886b9537 | quantum | True | quantum@localhost | +----------------------------------+----------+---------+-------------------+ As alt_demo, try to create a network (alt_demo) > quantum net-create alt-net Created a new network: +-----------------+--------------------------------------+ | Field | Value | +-----------------+--------------------------------------+ | admin_state_up | True | | id | c1629dac-91dd-424a-bc82-8b97323f5059 | | name | alt-net | | router:external | False | | shared | False | | status | ACTIVE | | subnets | | | tenant_id | a37209139af44a8a8a2a8e519e3f8478 | +-----------------+--------------------------------------+ List the network details for the network which was just created (alt_demo) > quantum net-show alt-net +-----------------+--------------------------------------+ | Field | Value | +-----------------+--------------------------------------+ | admin_state_up | True | | id | c1629dac-91dd-424a-bc82-8b97323f5059 | | name | alt-net | | router:external | False | | shared | False | | status | ACTIVE | | subnets | | | tenant_id | a37209139af44a8a8a2a8e519e3f8478 | +-----------------+--------------------------------------+ Here's what an "admin" user sees : (admin) > quantum net-show alt-net +---------------------------+--------------------------------------+ | Field | Value | +---------------------------+--------------------------------------+ | admin_state_up | True | | id | c1629dac-91dd-424a-bc82-8b97323f5059 | | name | alt-net | | provider:network_type | vlan | | provider:physical_network | physnet1 | | provider:segmentation_id | 46 | | router:external | False | | shared | False | | status | ACTIVE | | subnets | | | tenant_id | a37209139af44a8a8a2a8e519e3f8478 | +---------------------------+--------------------------------------+ Now, the question I've is the user "alt_demo" cannot see the VLAN/provider-network and other details which is very confusing (when the user was able to create the network, he should be able to see details of the network he just created). </div> </div> </blockquote> Why does the user need to bother about segmentation id and other details? It just need to work for him and no need to know how it work internally. That may be the reason it's not exposed to him. <blockquote cite="mid:CADghgox065_v+2dgPGrzNLbNUM502FebMOttW71Ha-gfJ7GN+w@mail.gmail.com" type="cite"> <div dir="ltr"> <div class="" id="yui_3_10_3_1_1384409082967_302" style="margin:0px;padding:0px;color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px;text-align:left"> Thanks ! Prashanth </div> <div class="" style="margin:0px;padding:1em 0px;clear:both;border-top-width:1px;border-top-style:solid;border-top-color:rgb(235,235,235);color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px;text-align:left"> </div> </div> <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ rhos-list mailing list <a class="moz-txt-link-abbreviated" href="mailto:rhos-list@redhat.com">rhos-list@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/rhos-list">https://www.redhat.com/mailman/listinfo/rhos-list</a></pre> </blockquote> </body> </html>