This section explains the integration process of OpenStack full access using non-admin privileges.
You require admin privileges to deploy NSX Advanced Load Balancer solution in Provider mode on OpenStack. Admin privileges provides system-wide access to OpenStack resources like Tenants (Projects), Users, Roles, Networks, Routers, Ports, and so on, thereby enabling the NSX Advanced Load Balancer - OpenStack integration to work seamlessly. The cloud admin or the operator does not have to do any additional configuration in OpenStack.
However, for some deployments, admin privileges will be disabled as per business or IT policies. In such cases, you will not be able to deploy and use NSX Advanced Load Balancer with the Provider mode. This guide outlines the OpenStack services policy changes, and constraints on OpenStack network resources to deploy and use NSX Advanced Load Balancer in Provider mode without giving it admin privileges.
Creating Admin User without Admin Privileges
For OpenStack to work without admin privileges, OpenStack admin needs to create NSX Advanced Load Balancer admin user, an NSX Advanced Load Balancer admin role, and a tenant in OpenStack to be used in NSX Advanced Load Balancer cloud configuration. Existing tenant can also be used.
You can use admin user configured in NSX Advanced Load Balancer OpenStack cloud (called NSX Advanced Load Balancer Admin user) for establishing initial connection, authentication with Keystone, and accessing projects, deployed regions and networks for initial setup. Once initial setup is complete, you can use this to import tenants from OpenStack, and access resources in various tenants. Ensure that NSX Advanced Load Balancer admin user has enough privileges to read the Tenants (Projects), Users, Roles, and list the role assignments for users in tenants.
Admin tenant in NSX Advanced Load Balancer OpenStack cloud (called NSX Advanced Load Balancer Admin tenant) is the tenant in which NSX Advanced Load Balancer will spin up the SEs in the Provider mode. Ensure that the admin user has enough permissions to upload the SE images, list the flavors, and spin up the VMs in networks created or shared in the NSX Advanced Load Balancer Admin tenant.
You can create NSX Advanced Load Balancer admin user in OpenStack as follows:
Create
aviadminrole in OpenStack using admin credentials using the following command:source admin-openrc.sh
Create user with name
aviuserin OpenStack Cloud using the following command:config $ openstack user create --password avi123 --description 'Avi Admin user' aviuser
Create
aviadminrole using the following command:$ openstack role create aviadmin
Create project with name
avilbaasproject to be used as NSX Advanced Load Balancer Admin Tenant in OpenStack using the following command:Cloud config $ openstack project create --description 'Avi LBaaS Project' avilbaas
Assign
aviuseruser,aviadminrole inavilbaastenant using the following command:$ openstack role add --project avilbaas --user aviuser aviadmin
Add
aviuseruser,aviadminrole to other projects where NSX Advanced Load Balancer Load balancer service is required. The following is the CLI command:$ openstack role add --project demo --user aviuser aviadmin
Verify the roles assigned to
aviuserin all tenants using the following command:$ openstack role assignment list --user aviuser --names
For non-default domain, use the desired domain while creating the NSX Advanced Load Balancer Admin user and NSX Advanced Load Balancer Admin tenant.
OpenStack Policy Changes
NSX Advanced Load Balancer Controller interacts with Keystone, Nova, Neutron, and Glance OpenStack service. Following is a list of policy changes required per service:
Keystone Policy Changes
The following are the steps to interact with Keystone policy change:
Identify policy file from keystone.conf file, for instance,
[oslo_policy] policy_file = keystone.policy.yaml
Define
aviadminrole in keystone policy file, for instance, keystone.policy.yaml,"aviadmin_role": "role:aviadmin"
Give access to the following APIs for
aviadmin_role, for instance, in keystone.policy.yaml,Show domain details GET /v3/domains/{domain_id} Intended scope(s): system "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s or rule:aviadmin_role" List domains GET /v3/domains Intended scope(s): system "identity:list_domains": "rule:admin_required or rule:aviadmin_role" List endpoints GET /v3/endpoints Intended scope(s): system "identity:list_endpoints": "rule:admin_required or rule:aviadmin_role" List projects GET /v3/projects Intended scope(s): system "identity:list_projects": "rule:admin_required or rule:aviadmin_role" Show role details GET /v3/roles/{role_id} HEAD /v3/roles/{role_id} Intended scope(s): system "identity:get_role": "rule:admin_required or rule:aviadmin_role" List roles GET /v3/roles HEAD /v3/roles Intended scope(s): system "identity:list_roles": "rule:admin_required or rule:aviadmin_role" List role assignments GET /v3/role_assignments HEAD /v3/role_assignments Intended scope(s): system "identity:list_role_assignments": "rule:admin_required or rule:aviadmin_role" List services GET /v3/services Intended scope(s): system "identity:list_services": "rule:admin_required or rule:aviadmin_role" Show user details GET /v3/users/{user_id} HEAD /v3/users/{user_id} "identity:get_user": "rule:admin_or_owner or rule:aviadmin_role" List users GET /v3/users HEAD /v3/users Intended scope(s): system "identity:list_users": "rule:admin_required or rule:aviadmin_role"Restart Keystone service using the following command:
apache2ctl restart
Nova Policy Changes
The following are the steps to interact with Nova policy change:
Identify policy file from nova.conf file:
[oslo_policy] policy_file = nova.policy.yaml
Define
aviadminrole in nova policy file:"aviadmin_role": "role:aviadmin"
Give access to following APIs for
aviadmin_role in nova policy file:List all aggregates GET /os-aggregates "os_compute_api:os-aggregates:index": "rule:admin_api or rule:aviadmin_role" Show details for an aggregate GET /os-aggregates/{aggregate_id} "os_compute_api:os-aggregates:show": "rule:admin_api or rule:aviadmin_role" List availability zone information without host information GET /os-availability-zone "os_compute_api:os-availability-zone:list": "rule:admin_or_owner or rule:aviadmin_role" List detailed availability zone information with host information GET /os-availability-zone/detail "os_compute_api:os-availability-zone:detail": "rule:admin_api or rule:aviadmin_role" List available extensions and show information for an extension by alias GET /extensions GET /extensions/{alias} "os_compute_api:extensions": "rule:admin_or_owner or rule:aviadmin_role" It also allows access to the full list of tenants that have access to a flavor via an os-flavor-access API. GET /flavors/{flavor_id}/os-flavor-access GET /flavors/detail GET /flavors/{flavor_id} POST /flavors PUT /flavors/{flavor_id} "os_compute_api:os-flavor-access": "rule:admin_or_owner or rule:aviadmin_role" List all servers GET /servers "os_compute_api:servers:index": "rule:admin_or_owner or rule:aviadmin_role" List all servers with detailed information GET /servers/detail "os_compute_api:servers:detail": "rule:admin_or_owner or rule:aviadmin_role" List all servers for all projects GET /servers "os_compute_api:servers:index:get_all_tenants": "rule:admin_api or rule:aviadmin_role" List all servers with detailed information for all projects GET /servers/detail "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api or rule:aviadmin_role"Restart
nova-apiservice:service nova-api restart
Neutron Policy Changes
The following are the steps to interact with Neutron policy change:
Identify policy file from neutron.conf file:
[oslo_policy] policy_file = neutron.policy.json
Define
aviadminrole inneutron.policyfile (neutron.policy.json):"aviadmin_role": "role:aviadmin",
Give access to the following APIs for
aviadmin_roleinneutron.policy.json:"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner or rule:aviadmin_role", "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:aviadmin_role", "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:aviadmin_role", "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared or rule:aviadmin_role", "create_port:allowed_address_pairs": "rule:admin_or_network_owner or rule:aviadmin_role", "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner or rule:aviadmin_role", "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:aviadmin_role", "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:aviadmin_role", "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared or rule:aviadmin_role", "update_port:allowed_address_pairs": "rule:admin_or_network_owner or rule:aviadmin_role ", "get_agent": "rule:admin_only or rule:aviadmin_role", "get_l3-agents": "rule:admin_only or rule:aviadmin_role", "get_loadbalancer-agent": "rule:admin_only or rule:aviadmin_role", "get_loadbalancer-pools": "rule:admin_only or rule:aviadmin_role", "get_agent-loadbalancers": "rule:admin_only or rule:aviadmin_role", "get_loadbalancer-hosting-agent": "rule:admin_only or rule:aviadmin_role", "create_floatingip:floating_ip_address": "rule:admin_only or rule:aviadmin_role", "get_floatingip": "rule:admin_or_owner or rule:aviadmin_role",Restart neutron-server service using the command:
service neutron-server restart
Configuring Cloud
On NSX Advanced Load Balancer Controller, configure the cloud with aviuser credentials, and avilbaas as admin tenant. In OpenStack role mapping, map OpenStack aviadmin role to NSX Advanced Load Balancer System-Admin or Tenant-Admin role.
You can set map_admin_to_cloud_admin to True. This will map avilbaas tenant to admin tenant in NSX Advanced Load Balancer, and any action taken in admin tenant in NSX Advanced Load Balancer will reflect in avilbaas tenant.
Configuration Example
In this example, all OpenStack roles are given Tenant-Admin role.
[admin:avi-controller]: show cloud Default-Cloud +------------------------------+--------------------------------------------+ | Field | Value | +------------------------------+--------------------------------------------+ | uuid | cloud-4db84437-f236-41cb-996f-11e450976744 | | name | Default-Cloud | | vtype | CLOUD_OPENSTACK | | openstack_configuration | | | username | aviuser | | password | [sensitive] | | admin_tenant | avilbaas | | mgmt_network_name | mgmt | | privilege | WRITE_ACCESS | | use_keystone_auth | True | | region | RegionOne | | hypervisor | KVM | | tenant_se | False | | import_keystone_tenants | True | | anti_affinity | True | | port_security | False | | security_groups | False | | allowed_address_pairs | True | | free_floatingips | False | | img_format | OS_IMG_FMT_AUTO | | use_admin_url | True | | role_mapping[1] | | | os_role | * | | avi_role | Tenant-Admin | | use_internal_endpoints | False | | config_drive | True | | auth_url | http://10.10.32.213:5000/v3 | | insecure | False | | external_networks | False | | neutron_rbac | True | | map_admin_to_cloudadmin | True | | nuage_port | 8443 | | contrail_plugin | False | | name_owner | True | | use_nuagevip | False | | nuage_virtualip | False | | contrail_disable_policy | False | | apic_mode | False | | dhcp_enabled | True | | mtu | 1500 bytes | | prefer_static_routes | False | | enable_vip_static_routes | False | | license_type | LIC_CORES | | state_based_dns_registration | True | | ip6_autocfg_enabled | True | | tenant_ref | admin | | license_tier | ENTERPRISE_18 | | autoscale_polling_interval | 60 seconds | +------------------------------+--------------------------------------------+
Requirements for OpenStack Keystone/ Nova/ Neutron Resources
The following are the requirements for OpenStack resources:
NSX Advanced Load Balancer Controller must be in
avilbaastenant for cluster VIP to work. Without admin privileges, the Controller will not be able to look into other tenants for Controller and it expects the Controllers and SE to be in same tenant (avilbaastenant).Flavors - The Controller will be able to use only public flavors or the flavors accessible to
avilbaastenant. Share the flavor toavilbaastenant to use the flavor for SE. After sharing the flavor, set theinstance_flavoroption in SE Group.Add
aviadminrole in all tenants - You need to have an admin role for integration to work.NSX Advanced Load Balancer admin user cannot create ports in tenant networks, without having an admin role. This cannot be changed through Neutron policy. To fix this issue, the CC agent will use the tenant scoped client to create virtual service VIP port.
Without having an admin role or without being network owner, NSX Advanced Load Balancer admin user will not be able to add
allowed-address-pairentry to the port created in tenant network. This will cause virtual service placement to fail. This can be fixed using policy changes. To fix this, you can addaviadminrole to NSX Advanced Load Balancer admin user in the tenants, and make policy changes as mentioned above in Neutron Policy Changes section.
Tenant Networks
When deploying in provider mode, tenant networks must be shared with NSX Advanced Load Balancer admin tenant, for instance,
avilbaastenant. Without this, the Controller will not be able to connect SE to the networks. For instance,neutron rbac-create --target-tenant [avilbaas-tenant-uuid] --action access_as_shared --type network [network-uuid]
When deploying in non-provider mode (dedicated SE mode, SE in tenant context), management network must be shared in all tenants that you want to deploy NSX Advanced Load Balancer . Tenant networks used for creating Virtual Service VIP or backend pool members need not be shared with
avilbaastenant.
FIP allocation — The routers connecting the tenant networks to provider networks must be created in the tenant. If the routers are created in admin tenant (or any other tenant), the Controller will not be able to access them and identify which provider networks to use for FIP allocation.
For using floating IP feature, having router in different tenant will not work even if you manually pass the floating network/ subnet UUID in virtual service VIP request. This will not work because, the access is limited to tenant in which virtual service is being created, and if the Controller cannot see the VIP network connected to a router, it will not be able to see the FIP network as well. FIP networks are derived from the tenant router’s interfaces to provider networks, and requires the routers to be the tenant hosting the VIP networks.
Upgrade Feature
The existing deployments use admin credentials with admin role. You can re-configure the cloud to use new credentials with aviadmin role.
- Case 1:
-
OpenStack admin tenant is used as NSX Advanced Load Balancer admin tenant. You need to add
aviadminrole to the admin user in admin tenant, and share all the tenant networks with admin tenant. Upgrading to use this feature will not be disruptive. - Case 2:
-
OpenStack non-admin tenant is used as NSX Advanced Load Balancer admin tenant. In this case,
aviadminrole is added to admin user in this tenant. This tenant is configured as NSX Advanced Load Balancer admin tenant in NSX Advanced Load Balancer Cloud configuration. All the tenant networks need to be shared with this tenant. Upgrading to use this feature will not be disruptive. - Case 3:
-
Changing the NSX Advanced Load Balancer admin tenant in cloud. This will be disruptive for some instances, since the admin tenant will be used to spin up the SEs. Configuring different admin tenant means using the other tenant to host all the SEs. This is disruptive, and all the virtual service need to be deactivated or enabled in a maintenance window.
