Posted to commits@cloudstack.apache.org by nv...@apache.org on 2022/04/21 12:21:31 UTC
[cloudstack-documentation] branch main updated: User-shared networks and network permissions (#258)
This is an automated email from the ASF dual-hosted git repository.
nvazquez pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack-documentation.git
The following commit(s) were added to refs/heads/main by this push:
new f239c3d User-shared networks and network permissions (#258)
f239c3d is described below
commit f239c3d59bff4eaf9d96e7d0891fec529440ef42
Author: Wei Zhou <we...@apache.org>
AuthorDate: Thu Apr 21 14:21:26 2022 +0200
User-shared networks and network permissions (#258)
* User-shared networks: init
* User-shared networks: add content
* User-shared networks: fix alignment
* User-shared networks: specifyvlan is possible for shared network now
* add network permissions
* add network permissions: minor fixes
* add network permissions: delete button
* add network permissions: add notes
* user-private gateway
* user-private gateway: fix typos
* network permission: list networks
* Update source/adminguide/networking.rst
Co-authored-by: Nicolas Vazquez <ni...@gmail.com>
Co-authored-by: Nicolas Vazquez <ni...@gmail.com>
---
source/_static/images/add-new-gateway-vpc.png | Bin 30140 -> 0 bytes
source/_static/images/add-new-gateway-vpc2.png | Bin 0 -> 93329 bytes
source/_static/images/add-shared-network.png | Bin 0 -> 146525 bytes
source/_static/images/network-permissions.png | Bin 0 -> 66065 bytes
source/adminguide/networking.rst | 12 ++--
.../adminguide/networking/advanced_zone_config.rst | 57 ++++++++++-----
.../adminguide/networking/network_permissions.rst | 80 +++++++++++++++++++++
.../networking/virtual_private_cloud_config.rst | 21 +++---
source/adminguide/networking_and_traffic.rst | 2 +
9 files changed, 141 insertions(+), 31 deletions(-)
diff --git a/source/_static/images/add-new-gateway-vpc.png b/source/_static/images/add-new-gateway-vpc.png
deleted file mode 100644
index 8e26579..0000000
Binary files a/source/_static/images/add-new-gateway-vpc.png and /dev/null differ
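Review bot: deleting add-new-gateway-vpc.png needs a grep for any other remaining `|add-new-gateway-vpc.png|` substitution in the docs tree; this commit only updates the reference in virtual_private_cloud_config.rst, and any other page still using the old substitution will fail to render the image once the file is gone.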
diff --git a/source/_static/images/add-new-gateway-vpc2.png b/source/_static/images/add-new-gateway-vpc2.png
new file mode 100644
index 0000000..8962e58
Binary files /dev/null and b/source/_static/images/add-new-gateway-vpc2.png differ
diff --git a/source/_static/images/add-shared-network.png b/source/_static/images/add-shared-network.png
new file mode 100644
index 0000000..03e8280
Binary files /dev/null and b/source/_static/images/add-shared-network.png differ
diff --git a/source/_static/images/network-permissions.png b/source/_static/images/network-permissions.png
new file mode 100644
index 0000000..3da9fd5
Binary files /dev/null and b/source/_static/images/network-permissions.png differ
diff --git a/source/adminguide/networking.rst b/source/adminguide/networking.rst
index cd96aeb..f8617f9 100644
--- a/source/adminguide/networking.rst
+++ b/source/adminguide/networking.rst
@@ -71,7 +71,9 @@ different accounts. Network Isolation on shared networks is accomplished
by using techniques such as security groups, which is supported only in
Basic zones or Advanced Zones with Security Groups.
-- Shared Networks are created by the administrator
+- Shared Networks are created by the the end users or the administrator. Network offerings
+ which allow the network creator to specify a VLAN can only be created
+ by the root admins.
- Shared Networks can be designated to a certain domain
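Review bot: the added bullet has a doubled "the" ("created by the the end users") and its second sentence is ambiguous about what only root admins can create, the offering or the network. Since the note in advanced_zone_config.rst says end users can only use offerings with specifyvlan false, the intended meaning seems to be "Shared Networks that use a network offering with Specify VLAN enabled can only be created by root admins." Suggest that wording, which also states the VLAN-assignment restriction for non-admin users explicitly.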
@@ -84,8 +86,10 @@ Basic zones or Advanced Zones with Security Groups.
- Source NAT per zone is not supported in Shared Network when the
service provider is virtual router. However, Source NAT per account
- is supported. For information, see `“Configuring a Shared Guest
- Network” <networking_and_traffic.html#configuring-a-shared-guest-network>`_.
+ is supported.
+
+For more information, see `“Configuring a Shared Guest Network”
+<networking_and_traffic.html#configuring-a-shared-guest-network>`_.
L2 (Layer 2) Networks
@@ -271,7 +275,7 @@ To create a network offering:
information, see `“Persistent
Networks” <networking_and_traffic.html#persistent-networks>`_.
- - **Specify VLAN**. (Isolated guest networks only) Indicate whether
+ - **Specify VLAN**. Indicate whether
a VLAN could be specified when this offering is used. If you
select this option and later use this network offering while
creating a VPC tier or an isolated network, you will be able to
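Review bot: removing "(Isolated guest networks only)" from the Specify VLAN option leaves the following sentence inconsistent, since it still says the VLAN can be chosen "while creating a VPC tier or an isolated network". Suggest extending it to "creating a VPC tier, an isolated network or a shared network" so the text matches the behaviour this commit documents.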
diff --git a/source/adminguide/networking/advanced_zone_config.rst b/source/adminguide/networking/advanced_zone_config.rst
index 68b4929..aab21a6 100644
--- a/source/adminguide/networking/advanced_zone_config.rst
+++ b/source/adminguide/networking/advanced_zone_config.rst
@@ -74,26 +74,20 @@ one range of IP addresses for Internet traffic.
Configuring a Shared Guest Network
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#. Log in to the CloudStack UI as administrator.
+#. Log in to the CloudStack UI as administrator or an end user.
-#. In the left navigation, choose Infrastructure.
-
-#. On Zones, click View More.
-
-#. Click the zone to which you want to add a guest network.
-
-#. Click the Physical Network tab.
-
-#. Click the physical network you want to work with.
+#. In the left navigation, choose Network.
-#. On the Guest node of the diagram, click Configure.
+#. Click the Guest networks tab
-#. Click the Network tab.
+#. Click the Add network icon.
-#. Click Add guest network.
+#. Click the Shared tab.
The Add guest network window is displayed.
+ |addsharednetwork.png|
+
#. Specify the following:
- **Name**: The name of the network. This will be visible to the user.
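Review bot: the new step "Click the Guest networks tab" is missing its trailing period, unlike the surrounding steps. Also, the "Specify the following" step now applies to both administrators and end users, so it would help to say up front that the VLAN-related fields below are only shown to administrators rather than relying on each field's parenthetical.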
@@ -101,10 +95,21 @@ Configuring a Shared Guest Network
- **Description**: The short description of the network that can be
displayed to users.
- - **VLAN ID**: The unique ID of the VLAN.
+ - **Zone**: The zone for the network.
+
+ - **Physical Network**: The physical network ID the network belongs to.
- - **Isolated VLAN ID**: The unique ID of the Secondary Isolated
- VLAN.
+ - **VLAN ID**: (Administrators only) The unique ID of the VLAN.
+
+ - **Secondary VLAN Type**: (Administrators only) The isolation private
+ VLAN type for this network
+
+ - **Secondary VLAN ID**: (Administrators only) The unique ID of the
+ Secondary Isolated VLAN.
+
+ - **Bypass VLAN id/range overlap**: (Administrators only) When true
+ bypasses VLAN id/range overlap check during network creation for
+ shared and L2 networks
- **Scope**: The available scopes are Domain, Account, Project, and
All.
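Review bot: the new "Secondary VLAN Type" and "Bypass VLAN id/range overlap" entries end without a period, and "When true bypasses" reads better as "When true, bypasses". For the bypass option, consider stating in the text why it is administrator-only: disabling the overlap check lets two networks share a VLAN, which removes the L2 isolation between them, so it should never be exposed to end users.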
@@ -123,13 +128,17 @@ Configuring a Shared Guest Network
created for. You must specify the domain the project belongs
to.
- - **All**: The guest network is available for all the domains,
- account, projects within the selected zone.
+ - **All**: (Administrators only) The guest network is available
+ for all the domains, account, projects within the selected zone.
- **Network Offering**: If the administrator has configured multiple
network offerings, select the one you want to use for this
network.
+ - **Associated Network**: The L2 or Isolated network this network is
+ associated to. This network will use same VLAN as associated network.
+ This will be visible if network offering has specifyvlan is false.
+
- **Gateway**: The gateway that the guests should use.
- **Netmask**: The netmask in use on the subnet the guests will use.
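Review bot: "This will be visible if network offering has specifyvlan is false." is ungrammatical; suggest "This field is shown only if the network offering has Specify VLAN disabled (specifyvlan is false)." The same hunk keeps "all the domains, account, projects" in the All scope entry; since the line is being touched anyway, "all the domains, accounts and projects" would be correct. It would also be worth stating whether Associated Network is mandatory for end users, since they have no other way to obtain a VLAN for a shared network.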
@@ -151,6 +160,16 @@ Configuring a Shared Guest Network
#. Click OK to confirm.
+ .. note::
+ End users (not administrator) can only use the network
+ offerings with specifyvlan is false. Please create a network offering
+ with specifyvlan is false to enable this for end users. See
+ `“Creating a New Network Offering”
+ <networking.html#creating-a-new-network-offering>`_.
+
.. |addguestnetwork.png| image:: /_static/images/add-guest-network.png
- :alt: Add Guest network setup in a single zone.
\ No newline at end of file
+ :alt: Add Guest network setup in a single zone.
+
+.. |addsharednetwork.png| image:: /_static/images/add-shared-network.png
+ :alt: Add Shared Guest network.
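Review bot: the note's phrasing "network offerings with specifyvlan is false" appears twice and is ungrammatical; suggest "network offerings with specifyvlan set to false" and "(not administrators)" in the plural. The fix for the missing newline at the end of the file is welcome.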
diff --git a/source/adminguide/networking/network_permissions.rst b/source/adminguide/networking/network_permissions.rst
new file mode 100644
index 0000000..7076f5c
--- /dev/null
+++ b/source/adminguide/networking/network_permissions.rst
@@ -0,0 +1,80 @@
+.. Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information#
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+
+Guest Network Permissions
+-----------------------------
+
+From Apache CloudStack 4.17.0.0, guest networks can be shared to other
+accounts in the same domain by managing network permissions.
+
+The following networks can be shared:
+
+#. L2 networks not in Project
+
+#. Isolated networks not in Project
+
+#. Shared networks with scope is Account
+
+Adding a network permission
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select Guest networks.
+
+#. Select the guest network you want to work with.
+
+#. Click the Network Permissions tab.
+
+ All the network permissions that you have created for the network are
+ listed in the page. |network-permissions.png|
+
+#. Click Add Network Permission icon. Provide the following information:
+
+ - **Account**: The name of the accounts this network will be shared to.
+
+ - **Project**. The name of the projects this network will be shared to.
+
+#. Click OK.
+
+ .. note::
+ The accounts/projects are permitted to create VMs on the network.
+ However, they are not permitted to restart and update network, and
+ modify network rules (e.g. firewall, static nat, load balancer, port
+ forwarding).
+
+
+Removing a network permission
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To remove a network permission, click the Delete Network Permission icon of
+the network permission. |delete-button.png|
+
+
+Resetting network permissions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+CloudStack provides the ability to reset the network permissions of a network.
+All network permissions will be removed. To reset the network permission, click
+the Reset Network Permissions button on the page.
+
+
+.. |network-permissions.png| image:: /_static/images/network-permissions.png
+ :alt: network permissions.
+.. |delete-button.png| image:: /_static/images/delete-button.png
+ :alt: button to delete.
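Review bot: the new file references `/_static/images/delete-button.png` via `|delete-button.png|`, but the diffstat shows only add-new-gateway-vpc2.png, add-shared-network.png and network-permissions.png being added; please confirm that image already exists in the repository or add it, otherwise the Removing section renders with a broken image. Two smaller points: the license header has a stray "#" at the end of "for additional information#", and "Shared networks with scope is Account" should read "Shared networks with scope Account". The note after Click OK is the important security statement of this feature (granted accounts may deploy VMs but cannot restart, update or change the network's firewall, static NAT, load balancer or port forwarding rules); consider also stating who can add, remove and reset permissions, i.e. that only the network owner (or an admin) manages them.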
diff --git a/source/adminguide/networking/virtual_private_cloud_config.rst b/source/adminguide/networking/virtual_private_cloud_config.rst
index 5f381d6..dc37d2f 100644
--- a/source/adminguide/networking/virtual_private_cloud_config.rst
+++ b/source/adminguide/networking/virtual_private_cloud_config.rst
@@ -488,7 +488,7 @@ Assigning a Custom ACL List to a Tier
Adding a Private Gateway to a VPC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-A private gateway can be added by the root admin only. The VPC private
+A private gateway can be added by the root admin and users. The VPC private
network has 1:1 relationship with the NIC of the physical network. You
can configure multiple private gateways to a single VPC. No gateways
with duplicated VLAN and IP are allowed in the same data center.
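Review bot: "by the root admin and users" is vague about which users; suggest "by the root admin and by end users" for consistency with the rest of the changed pages. Since the hunks below mark Physical Network and VLAN as administrators-only, this paragraph should also say that an end user supplies the VLAN indirectly through the Associated Network field, otherwise the 1:1 NIC/VLAN relationship described here is unexplained for non-admin users.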
@@ -538,14 +538,14 @@ with duplicated VLAN and IP are allowed in the same data center.
#. Click Add new gateway:
- |add-new-gateway-vpc.png|
+ |add-new-gateway-vpc2.png|
#. Specify the following:
- - **Physical Network**: The physical network you have created in the
- zone.
+ - **Physical Network**: (Administrators only) The physical network
+ you have created in the zone.
- - **VLAN**: The VLAN associated with the VPC gateway.
+ - **VLAN**: (Administrators only) The VLAN associated with the VPC gateway.
- **IP Address**: The IP address associated with the VPC gateway.
@@ -559,8 +559,13 @@ with duplicated VLAN and IP are allowed in the same data center.
See ":ref:`source-nat-priv-gw`".
- - **Bypass VLAN id/range overlap**: Bypasses the check for a VLAN
- overlap. This way multiple networks with the same VLAN can be created
+ - **Bypass VLAN id/range overlap**: (Administrators only) Bypasses
+ the check for a VLAN overlap. This way multiple networks with the
+ same VLAN can be created
+
+ - **Associated Network**: The L2 or Isolated network this private
+ gateway is associated to. This private network will use the same
+ VLAN as the associated network.
- **ACL**: Controls both ingress and egress traffic on a VPC private
gateway. By default, all the traffic is blocked.
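Review bot: the re-wrapped "Bypass VLAN id/range overlap" entry still ends without a period after "same VLAN can be created"; since the line is rewritten here, add it. For the new "Associated Network" entry, state whether it is required when the caller is not an administrator (VLAN and Physical Network being administrator-only means it is the only VLAN source for end users), and that the private gateway inherits the isolation of that L2 or isolated network.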
@@ -1421,7 +1426,7 @@ Editing, Restarting, and Removing a Virtual Private Cloud
:alt: adding a tier to a vpc.
.. |replace-acl-icon.png| image:: /_static/images/replace-acl-icon.png
:alt: button to replace an ACL list
-.. |add-new-gateway-vpc.png| image:: /_static/images/add-new-gateway-vpc.png
+.. |add-new-gateway-vpc2.png| image:: /_static/images/add-new-gateway-vpc2.png
:alt: adding a private gateway for the VPC.
.. |add-vm-vpc.png| image:: /_static/images/add-vm-vpc.png
:alt: adding a VM to a vpc.
diff --git a/source/adminguide/networking_and_traffic.rst b/source/adminguide/networking_and_traffic.rst
index 6b9bcbd..6adbd53 100644
--- a/source/adminguide/networking_and_traffic.rst
+++ b/source/adminguide/networking_and_traffic.rst
@@ -33,6 +33,8 @@ providing networking features for guest traffic.
.. include:: networking/multiple_guest_networks.rst
+.. include:: networking/network_permissions.rst
+
.. include:: networking/ip_reservation_in_guest_networks.rst
.. include:: networking/public_ips_and_vlans_for_accounts.rst