public network access limitations

Asked by smarta94

Is there a way to restrict which users using the murano app have access to the public network? A policy.json addition or some setting somewhere. I am looking to allow some users access and deny others who require a completely isolated virtual lab to work with -- meaning their instances should be able to access one another but not the external network. Setting this up manually with the neutron networking is possible based on the router that gets created, but the only option I see in murano is to either have the external net connected in the murano.conf file or to not list a network -- limiting the options to everyone or no one on the murano router. This is not an option for my needs.

Question information

Language: English
Status: Answered
For: Murano
Assignee: No assignee
Stan Lagun (slagun) said :
#1

Currently there is no way to have different networking configuration for different users. At least I don't know one. Maybe this may be achieved by separating those users into different tenants and making all those tenants have a router with the same name but Murano would use for external network. And then make this router disabled or not connected to the external net for some tenants. Though it is just an idea that I never tried.

smarta94 (smarta94) said :
#2

That was my idea, I think, but how would one disable the public router for specific tenants? I am on OpenStack Juno currently. As far as I know the public network is shared, and in the murano config it defaults the murano-router to connect to the public network. Disabling the public network is simply disconnecting the gateway from the murano network -- but how would one do this tenant-specific and deny them the option to add a gateway through the dashboard/python command lines?

Stan Lagun (slagun) said :
#3

Again, I might be completely wrong because I never tried to do it. But according to my understanding there are 2 options in murano.conf: "router_name" and "create_router". If "create_router" is set to False and "router_name" is set to an existing router, Murano will use it as is without attempting to attach something to it. Murano will examine that it is attached to an external network by examining the "external_gateway_info" attribute of a router. However, it doesn't check the router's admin state, so you could possibly just set it to DOWN, preventing the router from routing.
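An added example, not part of the thread and not Murano's own code: assuming the behaviour described in answer #3 holds (it is untested there), this Python check takes router records and flags tenants meant to be isolated whose pre-created router is missing, has no gateway, or is still administratively up. The router name, tenant IDs and sample records are constructed; the field names follow Neutron's router attributes.

```python
# Added example: audit router records against the per-tenant isolation
# scheme from answer #3. All sample data below is constructed.

ROUTER_NAME = "murano-default-router"  # assumed value of router_name in murano.conf


def classify_router(router):
    """Classify one pre-created router under the scheme in answer #3."""
    has_gateway = bool(router.get("external_gateway_info"))
    admin_up = bool(router.get("admin_state_up"))
    if not has_gateway:
        # Per the answer, Murano examines external_gateway_info, so a
        # router without a gateway would not pass that check.
        return "no-gateway"
    return "external" if admin_up else "isolated"


def audit(routers, isolated_tenants, router_name=ROUTER_NAME):
    """Return sorted (tenant_id, problem) pairs for tenants that must be isolated."""
    by_tenant = {}
    for r in routers:
        if r.get("name") == router_name:
            by_tenant.setdefault(r["tenant_id"], []).append(r)
    findings = []
    for tenant in sorted(isolated_tenants):
        matches = by_tenant.get(tenant, [])
        if not matches:
            findings.append((tenant, "router-missing"))
        for r in matches:
            state = classify_router(r)
            if state != "isolated":
                findings.append((tenant, state))
    return findings


# Constructed sample in the shape of Neutron router records.
GW = {"network_id": "ext-net-placeholder"}
SAMPLE_ROUTERS = [
    {"tenant_id": "lab-a", "name": ROUTER_NAME, "admin_state_up": False,
     "external_gateway_info": GW},
    {"tenant_id": "lab-b", "name": ROUTER_NAME, "admin_state_up": True,
     "external_gateway_info": GW},
    {"tenant_id": "staff", "name": ROUTER_NAME, "admin_state_up": True,
     "external_gateway_info": GW},
    {"tenant_id": "lab-c", "name": "other-router", "admin_state_up": False,
     "external_gateway_info": None},
]

if __name__ == "__main__":
    for tenant, problem in audit(SAMPLE_ROUTERS, {"lab-a", "lab-b", "lab-c"}):
        print(tenant, problem)
```

Run periodically, a check like this catches drift such as a router in an isolated tenant being set back to admin state UP.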
