Access Control Lists (ACL) in Quantum

Registered by Ronak Shah on 2013-03-29

In its simplest networking definition, an ACL is an ordered set of entries, with priority determining the position of an entry in the set. An ACL has a name and a set of entries. Each entry has a match, an action, a from, a to and a priority. Two entries may have the same priority, in which case the order of matching can be implementation specific (the entry added first is matched first, the entry added last is matched first, or the behavior is configurable). When a packet is matched against an ACL, each entry in the set is checked, from highest priority to lowest, to see whether the packet satisfies the entry's match conditions. The search stops at the first successful match. The last entry in the list is the default entry, which determines the default action when none of the previous entries match.
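As an added illustration (not Quantum code), the following evaluator implements the matching semantics above: terms carry a match dict, an action list, from/to and a priority; terms are tried from highest to lowest priority, ties fall to the term added first, and an empty-match term at the lowest priority is the default. The from/to fields are assumed to be CIDRs, and the packet field names (src_ip, dst_ip, protocol, dst_port) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not Quantum code): a term carries a match dict, an action
# list, from/to and a priority, mirroring the ACLterm fields in the blueprint.
@dataclass
class ACLTerm:
    name: str
    match: Dict[str, object]
    action: List[str]
    src: str = "any"   # the blueprint's "from"; renamed, as "from" is a Python keyword
    dst: str = "any"   # the blueprint's "to"; both assumed to be CIDRs here
    priority: int = 0

def _in_scope(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def term_matches(term: ACLTerm, packet: Dict[str, object]) -> bool:
    """Every key of the match dict must equal the packet field, and the packet's
    source/destination addresses must fall inside the term's from/to scope."""
    if not _in_scope(term.src, packet["src_ip"]) or not _in_scope(term.dst, packet["dst_ip"]):
        return False
    return all(packet.get(k) == v for k, v in term.match.items())

def evaluate(terms: List[ACLTerm], packet: Dict[str, object]) -> Optional[ACLTerm]:
    """Check terms from highest to lowest priority and stop at the first match.
    sorted() is stable, so among equal priorities the term added first is tried
    first (one of the tie-break policies the text allows). A catch-all term with
    an empty match dict at the lowest priority supplies the default action."""
    for term in sorted(terms, key=lambda t: t.priority, reverse=True):
        if term_matches(term, packet):
            return term
    return None  # no default term present: the ACL makes no decision

# Constructed ACL: three terms share priority 100, so insertion order decides.
ACL = [
    ACLTerm("default-deny", {}, ["drop"], priority=0),
    ACLTerm("allow-ssh", {"protocol": "tcp", "dst_port": 22}, ["allow"],
            src="10.0.0.0/24", priority=100),
    ACLTerm("deny-telnet", {"protocol": "tcp", "dst_port": 23}, ["drop", "log"], priority=100),
    ACLTerm("log-tcp", {"protocol": "tcp"}, ["log"], priority=100),
]

if __name__ == "__main__":
    pkt = {"src_ip": "10.0.0.7", "dst_ip": "10.0.1.9", "protocol": "tcp", "dst_port": 22}
    print(evaluate(ACL, pkt).name)  # allow-ssh
```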

import sqlalchemy as sa
from quantum.db import model_base, models_v2

class ACL(model_base.BASEV2, models_v2.HasId):  # HasId supplies the UUID primary key
    name = sa.Column(sa.String(255))
    description = sa.Column(sa.String(255))
    attachment = sa.Column(sa.String(512))  # serialized dict of attachment points

attachment will be stored as a blob which represents a dictionary.

class ACLterm(model_base.BASEV2, models_v2.HasId):  # HasId gives the mapper a primary key
    # Foreign key to the owning ACL; the table name "acls" is assumed from
    # BASEV2's class-name-based __tablename__ convention.
    aclid = sa.Column(sa.String(36), sa.ForeignKey('acls.id', ondelete='CASCADE'))
    match = sa.Column(sa.String(512))   # serialized dict of match conditions
    action = sa.Column(sa.String(512))  # serialized list of actions
    # "from" is a Python keyword, so the attribute is from_ while the column stays "from"
    from_ = sa.Column('from', sa.String(64))
    to = sa.Column(sa.String(64))
    priority = sa.Column(sa.Integer)

match and action will be stored as blobs which represent a dictionary and a list respectively.

From python-quantumclient it could look like the following:
quantum acl-create <name> --term <term1-name> [match <match-key1=value1, match-key2=value2..> action <action choices> from <from choices> to <to choices> priority <priority-number>] --term <term2-name> ... --attach <attach-key1=value1, attach-key2=valu2>

CRUD operations will work as they do for other objects. An update operation on an ACL
can be used to add, delete or change the terms and attachment points within the ACL. Alternatively,
there could be separate CRUD operations for changing the terms and attachments of an ACL. For example:
quantum acl-term-CRUD <acl-name> <term-definition>
quantum acl-attachment-CRUD <acl-name> <attachment-definition>

We can start building this as an extension object or as a mainstream object belonging to quantum/db. The above definition gives us a clear separation between an ACL as an object and its attachment points. Once defined, an ACL can be bound not just to a port but also to subnets, networks and routers. It is up to the application (most likely a plugin) to define the ACL with the right set of terms for its attachment.

Blueprint information

Needs approval
Completed by Armando Migliaccio

I think this work can be incorporated as part of the FWaaS plan for sometime during the "I" development cycle. If we consider it sooner, we can pull it in.

