<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.openstack.org/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Nidhi+Mittal+Hada</id>
		<title>OpenStack - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.openstack.org/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Nidhi+Mittal+Hada"/>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/wiki/Special:Contributions/Nidhi_Mittal_Hada"/>
		<updated>2026-07-14T08:29:59Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.28.2</generator>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=125077</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=125077"/>
				<updated>2016-05-11T05:40:41Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== 2nd Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database as compared to 1st approach.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope', same as the share, &lt;br /&gt;
its associated with. So no further means to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share1' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted and if its last share which was associated with a access-group, the access-group is considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share 'share1' has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
'''That needs to be decided in this approach. A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;br /&gt;
&lt;br /&gt;
* As access-group tag definition is not static and is not kept independently. Now, With a large deployment and after many iterations of allow/deny, &lt;br /&gt;
this becomes hard for someone to remember, which share has what access-group tagging and what a tag composed of?&lt;br /&gt;
&lt;br /&gt;
* Lets say 'share1' has 3 rules, share2 inherits from access-rules of 'share1'. Now, If there is a change in access-rules of 'share1' for some reason, after that point 'share1' and 'share2' will have different set of access-rule mapping. We can not trigger update on child shares(share2) as we are not keeping this parent child share mapping anywhere.&lt;br /&gt;
&lt;br /&gt;
== 3rd approach - Simplifying More ==&lt;br /&gt;
Actually, As a tag doesn't have a individual independent identity, we can think of &amp;quot;NOT&amp;quot; providing, --tag the interface, to inherit from. &lt;br /&gt;
   manila access-inherit %some_new_share% --by-tag %tag%  (********* Lets '''NOT''' have it **********)&lt;br /&gt;
   manila access-inherit %some_new_share% --by-share %some_source_share%  (Lets '''&amp;quot;only&amp;quot;''' have this)&lt;br /&gt;
There should be only api to inherit access from a share.&lt;br /&gt;
&lt;br /&gt;
In such a case, we will allow, for first share like this...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
we will create multiple access-records, for the share, in share_access_map table, '''without any tagging.'''&lt;br /&gt;
Next, a share, who wants similar access-scope, will do&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
&lt;br /&gt;
* This solves the problem associated with tagging and trying to keep a static definition of a tag.&lt;br /&gt;
&lt;br /&gt;
* This solves the problem of redundancy, as present in 1st approach.&lt;br /&gt;
&lt;br /&gt;
* This has same problem, as in 2nd approach, of &amp;quot;not having an access-group after share-deletion&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
* Once a share share1, has got a set of rules, it can be inherited by another share and rules-set that's inherited, &lt;br /&gt;
will be set of rules, associated &amp;quot;at that very moment&amp;quot; with share1. Things are dynamic. At some other moment in time,&lt;br /&gt;
some share might inherit separate set of rules, from same share, 'share1'.&lt;br /&gt;
&lt;br /&gt;
* There will be no such api deny-access-rules where we can just say, '''deny group of rules, which we gave access together.'''&lt;br /&gt;
Deny-access will be similar to &lt;br /&gt;
  manila access-deny %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
&lt;br /&gt;
== Discussion ==&lt;br /&gt;
As has been discussed with bswartz the key points are as below:-&lt;br /&gt;
&lt;br /&gt;
* Need to write spec fitting in formal template, as will be formalized by community soon. &lt;br /&gt;
&lt;br /&gt;
* Access Group are envisioned to provide a grouping mechanism that can allow lets say a 100 shares an access to same host  or 100 host can access a share. &lt;br /&gt;
Its many to many relationship. Architecture should be designed considering that access-group should be object immunal, it can be set of ip addresses or can &lt;br /&gt;
be set of users and so on.  &lt;br /&gt;
 &lt;br /&gt;
* Adding an entry or deleting an entry to an access-group that's already mapped to a share, will affect all associated shares, either by applying or denying &lt;br /&gt;
as per requested entry operation.&lt;br /&gt;
&lt;br /&gt;
* Design should allow later enhancements like, access-group should be able to refer to external entities like neutron security group or lets say a set of nova instances. &lt;br /&gt;
There should be a provision to say &amp;quot;allow access of this share to a nova instance uuid&amp;quot;, wherein uuid is associated with an ip address.&lt;br /&gt;
Now, it may so happen that uuid changes its ip address in future, how will that be tackled? &lt;br /&gt;
Will neutron or nova inform such changes ? Or a polling required from manila side to obtain such information.. That needs to be seen.&lt;br /&gt;
 &lt;br /&gt;
* Access group can be asked to be &amp;quot;a union of previously formed access groups&amp;quot;. An access group can contain all rules of two or more access-groups &lt;br /&gt;
that were formed earlier. A group can include other groups.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123723</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123723"/>
				<updated>2016-04-11T08:04:52Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Thinking impact of 2nd approach.. */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== 2nd Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database as compared to 1st approach.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope', same as the share, &lt;br /&gt;
its associated with. So no further means to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share1' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted and if its last share which was associated with a access-group, the access-group is considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share 'share1' has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
'''That needs to be decided in this approach. A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;br /&gt;
&lt;br /&gt;
* As access-group tag definition is not static and is not kept independently. Now, With a large deployment and after many iterations of allow/deny, &lt;br /&gt;
this becomes hard for someone to remember, which share has what access-group tagging and what a tag composed of?&lt;br /&gt;
&lt;br /&gt;
* Lets say 'share1' has 3 rules, share2 inherits from access-rules of 'share1'. Now, If there is a change in access-rules of 'share1' for some reason, after that point 'share1' and 'share2' will have different set of access-rule mapping. We can not trigger update on child shares(share2) as we are not keeping this parent child share mapping anywhere.&lt;br /&gt;
&lt;br /&gt;
== 3rd approach - Simplifying More ==&lt;br /&gt;
Actually, As a tag doesn't have a individual independent identity, we can think of &amp;quot;NOT&amp;quot; providing, --tag the interface, to inherit from. &lt;br /&gt;
   manila access-inherit %some_new_share% --by-tag %tag%  (********* Lets '''NOT''' have it **********)&lt;br /&gt;
   manila access-inherit %some_new_share% --by-share %some_source_share%  (Lets '''&amp;quot;only&amp;quot;''' have this)&lt;br /&gt;
There should be only api to inherit access from a share.&lt;br /&gt;
&lt;br /&gt;
In such a case, we will allow, for first share like this...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
we will create multiple access-records, for the share, in share_access_map table, '''without any tagging.'''&lt;br /&gt;
Next, a share, who wants similar access-scope, will do&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
&lt;br /&gt;
* This solves the problem associated with tagging and trying to keep a static definition of a tag.&lt;br /&gt;
&lt;br /&gt;
* This solves the problem of redundancy, as present in 1st approach.&lt;br /&gt;
&lt;br /&gt;
* This has same problem, as in 2nd approach, of &amp;quot;not having an access-group after share-deletion&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
* Once a share share1, has got a set of rules, it can be inherited by another share and rules-set that's inherited, &lt;br /&gt;
will be set of rules, associated &amp;quot;at that very moment&amp;quot; with share1. Things are dynamic. At some other moment in time,&lt;br /&gt;
some share might inherit separate set of rules, from same share, 'share1'.&lt;br /&gt;
&lt;br /&gt;
* There will be no such api deny-access-rules where we can just say, '''deny group of rules, which we gave access together.'''&lt;br /&gt;
Deny-access will be similar to &lt;br /&gt;
  manila access-deny %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123722</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123722"/>
				<updated>2016-04-11T07:56:17Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Thinking impact of 2nd approach.. */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== 2nd Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database as compared to 1st approach.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope', same as the share, &lt;br /&gt;
its associated with. So no further means to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share1' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted and if its last share which was associated with a access-group, the access-group is considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share 'share1' has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
'''That needs to be decided in this approach. A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;br /&gt;
&lt;br /&gt;
* As access-group tag definition is not static and is not kept independently. Now, With a large deployment and after many iterations of allow/deny, &lt;br /&gt;
this becomes hard for someone to remember, which share has what access-group tagging and what a tag composed of?&lt;br /&gt;
&lt;br /&gt;
* Lets say 'share1' has 3 rules, share2 inherits from access-rules of 'share1'. Now, If there is a change in access-rules of 'share1' for some reason, after that point &lt;br /&gt;
'share1' and 'share2' will have different set of access-rules mapping. We can not trigger update on child shares(share2) as we are not keeping this parent child share mapping &lt;br /&gt;
anywhere.&lt;br /&gt;
&lt;br /&gt;
== 3rd approach - Simplifying More ==&lt;br /&gt;
Actually, As a tag doesn't have a individual independent identity, we can think of &amp;quot;NOT&amp;quot; providing, --tag the interface, to inherit from. &lt;br /&gt;
   manila access-inherit %some_new_share% --by-tag %tag%  (********* Lets '''NOT''' have it **********)&lt;br /&gt;
   manila access-inherit %some_new_share% --by-share %some_source_share%  (Lets '''&amp;quot;only&amp;quot;''' have this)&lt;br /&gt;
There should be only api to inherit access from a share.&lt;br /&gt;
&lt;br /&gt;
In such a case, we will allow, for first share like this...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
we will create multiple access-records, for the share, in share_access_map table, '''without any tagging.'''&lt;br /&gt;
Next, a share, who wants similar access-scope, will do&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
&lt;br /&gt;
* This solves the problem associated with tagging and trying to keep a static definition of a tag.&lt;br /&gt;
&lt;br /&gt;
* This solves the problem of redundancy, as present in 1st approach.&lt;br /&gt;
&lt;br /&gt;
* This has same problem, as in 2nd approach, of &amp;quot;not having an access-group after share-deletion&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
* Once a share share1, has got a set of rules, it can be inherited by another share and rules-set that's inherited, &lt;br /&gt;
will be set of rules, associated &amp;quot;at that very moment&amp;quot; with share1. Things are dynamic. At some other moment in time,&lt;br /&gt;
some share might inherit separate set of rules, from same share, 'share1'.&lt;br /&gt;
&lt;br /&gt;
* There will be no such api deny-access-rules where we can just say, '''deny group of rules, which we gave access together.'''&lt;br /&gt;
Deny-access will be similar to &lt;br /&gt;
  manila access-deny %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123720</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123720"/>
				<updated>2016-04-11T07:23:25Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Thinking impact of 2nd approach.. */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== 2nd Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database as compared to 1st approach.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope', same as the share, &lt;br /&gt;
its associated with. So no further means to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share1' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted and if its last share which was associated with a access-group, the access-group is considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share 'share1' has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
'''That needs to be decided in this approach. A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;br /&gt;
&lt;br /&gt;
* As access-group tag definition is not static and is not kept independently. Now, With a large deployment and after many iterations of allow/deny, &lt;br /&gt;
this becomes hard for someone to remember, which share has what access-group tagging and what a tag composed of?&lt;br /&gt;
&lt;br /&gt;
== 3rd approach - Simplifying More ==&lt;br /&gt;
Actually, As a tag doesn't have a individual independent identity, we can think of &amp;quot;NOT&amp;quot; providing, --tag the interface, to inherit from. &lt;br /&gt;
   manila access-inherit %some_new_share% --by-tag %tag%  (********* Lets '''NOT''' have it **********)&lt;br /&gt;
   manila access-inherit %some_new_share% --by-share %some_source_share%  (Lets '''&amp;quot;only&amp;quot;''' have this)&lt;br /&gt;
There should be only api to inherit access from a share.&lt;br /&gt;
&lt;br /&gt;
In such a case, we will allow, for first share like this...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
we will create multiple access-records, for the share, in share_access_map table, '''without any tagging.'''&lt;br /&gt;
Next, a share, who wants similar access-scope, will do&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
&lt;br /&gt;
* This solves the problem associated with tagging and trying to keep a static definition of a tag.&lt;br /&gt;
&lt;br /&gt;
* This solves the problem of redundancy, as present in 1st approach.&lt;br /&gt;
&lt;br /&gt;
* This has same problem, as in 2nd approach, of &amp;quot;not having an access-group after share-deletion&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
* Once a share share1, has got a set of rules, it can be inherited by another share and rules-set that's inherited, &lt;br /&gt;
will be set of rules, associated &amp;quot;at that very moment&amp;quot; with share1. Things are dynamic. At some other moment in time,&lt;br /&gt;
some share might inherit separate set of rules, from same share, 'share1'.&lt;br /&gt;
&lt;br /&gt;
* There will be no such api deny-access-rules where we can just say, '''deny group of rules, which we gave access together.'''&lt;br /&gt;
Deny-access will be similar to &lt;br /&gt;
  manila access-deny %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123719</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123719"/>
				<updated>2016-04-11T07:21:53Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Thinking impact of 2nd approach.. */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== 2nd Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database as compared to 1st approach.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope', same as the share, &lt;br /&gt;
its associated with. So no further means to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share1' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted and if its last share which was associated with a access-group, the access-group is considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share 'share1' has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
'''That needs to be decided in this approach.'''&lt;br /&gt;
==== Actually, ==== '''A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;br /&gt;
&lt;br /&gt;
* As access-group tag definition is not static and is not kept independently. Now, With a large deployment and after many iterations of allow/deny, &lt;br /&gt;
this becomes hard for someone to remember, which share has what access-group tagging and what a tag composed of?&lt;br /&gt;
&lt;br /&gt;
== 3rd approach - Simplifying More ==&lt;br /&gt;
Actually, As a tag doesn't have a individual independent identity, we can think of &amp;quot;NOT&amp;quot; providing, --tag the interface, to inherit from. &lt;br /&gt;
   manila access-inherit %some_new_share% --by-tag %tag%  (********* Lets '''NOT''' have it **********)&lt;br /&gt;
   manila access-inherit %some_new_share% --by-share %some_source_share%  (Lets '''&amp;quot;only&amp;quot;''' have this)&lt;br /&gt;
There should be only api to inherit access from a share.&lt;br /&gt;
&lt;br /&gt;
In such a case, we will allow, for first share like this...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
we will create multiple access-records, for the share, in share_access_map table, '''without any tagging.'''&lt;br /&gt;
Next, a share, who wants similar access-scope, will do&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
&lt;br /&gt;
* This solves the problem associated with tagging and trying to keep a static definition of a tag.&lt;br /&gt;
&lt;br /&gt;
* This solves the problem of redundancy, as present in 1st approach.&lt;br /&gt;
&lt;br /&gt;
* This has same problem, as in 2nd approach, of &amp;quot;not having an access-group after share-deletion&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
* Once a share share1, has got a set of rules, it can be inherited by another share and rules-set that's inherited, &lt;br /&gt;
will be set of rules, associated &amp;quot;at that very moment&amp;quot; with share1. Things are dynamic. At some other moment in time,&lt;br /&gt;
some share might inherit separate set of rules, from same share, 'share1'.&lt;br /&gt;
&lt;br /&gt;
* There will be no such api deny-access-rules where we can just say, '''deny group of rules, which we gave access together.'''&lt;br /&gt;
Deny-access will be similar to &lt;br /&gt;
  manila access-deny %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123592</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123592"/>
				<updated>2016-04-07T05:40:12Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* 2nd Alternative Approach */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== 2nd Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database as compared to 1st approach.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share2' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group existed/associated with is, will be considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share1 has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
That needs to be decided in this approach.&lt;br /&gt;
Actually &lt;br /&gt;
'''A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;br /&gt;
&lt;br /&gt;
== 3rd approach - Simplifying More ==&lt;br /&gt;
Actually, As a tag doesn't have a individual independent identity, we can think of &amp;quot;NOT&amp;quot; providing, --tag the interface, to inherit from. &lt;br /&gt;
   manila access-inherit %some_new_share% --by-tag %tag%  (********* Lets '''NOT''' have it **********)&lt;br /&gt;
   manila access-inherit %some_new_share% --by-share %some_source_share%  (Lets '''&amp;quot;only&amp;quot;''' have this)&lt;br /&gt;
There should be only api to inherit access from a share.&lt;br /&gt;
&lt;br /&gt;
In such a case, we will allow, for first share like this...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
we will create multiple access-records, for the share, in share_access_map table, '''without any tagging.'''&lt;br /&gt;
Next, a share, who wants similar access-scope, will do&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
&lt;br /&gt;
* This solves the problem associated with tagging and trying to keep a static definition of a tag.&lt;br /&gt;
&lt;br /&gt;
* This solves the problem of redundancy, as present in 1st approach.&lt;br /&gt;
&lt;br /&gt;
* This has same problem, as in 2nd approach, of &amp;quot;not having an access-group after share-deletion&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
* Once a share share1, has got a set of rules, it can be inherited by another share and rules-set that's inherited, &lt;br /&gt;
will be set of rules, associated &amp;quot;at that very moment&amp;quot; with share1. Things are dynamic. At some other moment in time,&lt;br /&gt;
some share might inherit separate set of rules, from same share, 'share1'.&lt;br /&gt;
&lt;br /&gt;
* There will be no such api deny-access-rules where we can just say, '''deny group of rules, which we gave access together.'''&lt;br /&gt;
Deny-access will be similar to &lt;br /&gt;
  manila access-deny %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123471</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123471"/>
				<updated>2016-04-05T06:42:16Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Thinking impact of 2nd approach.. */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== 2nd Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database as compared to 1st approach.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share2' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group existed/associated with is, will be considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share1 has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
That needs to be decided in this approach.&lt;br /&gt;
Actually &lt;br /&gt;
'''A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;br /&gt;
&lt;br /&gt;
== 3rd approach - Simplifying More ==&lt;br /&gt;
Actually, As a tag doesn't have a individual independent identity, we can think of &amp;quot;NOT&amp;quot; providing, --tag the interface, to inherit from. &lt;br /&gt;
   manila access-inherit %some_new_share% --by-tag %tag%  (********* Lets '''NOT''' have it **********)&lt;br /&gt;
   manila access-inherit %some_new_share% --by-share %some_source_share%  (Lets '''&amp;quot;only&amp;quot;''' have this)&lt;br /&gt;
There should be only api to inherit access from a share.&lt;br /&gt;
&lt;br /&gt;
In such a case, we will allow, for first share like this...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
we will create multiple access-records, for the share, in share_access_map table, '''without any tagging.'''&lt;br /&gt;
Next, a share, who wants similar access-scope, will do&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
&lt;br /&gt;
* This solves the problem associated with tagging and trying to keep a static definition of a tag.&lt;br /&gt;
&lt;br /&gt;
* This solves the problem of redundancy, as present in 1st approach.&lt;br /&gt;
&lt;br /&gt;
* This has same problem, as in 2nd approach, of &amp;quot;not having an access-group after share-deletion&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
* Once a share share1, has got a set of rules, it can be inherited by another share and rules-set that's inherited, &lt;br /&gt;
will be set of rules, associated &amp;quot;at that very moment&amp;quot; with share1. Things are dynamic. At some other moment in time,&lt;br /&gt;
some share might inherit separate set of rules, from same share, 'share1'.&lt;br /&gt;
&lt;br /&gt;
* There will be no such api deny-access-rules where we can just say, '''deny group of rules, which we gave access together.'''&lt;br /&gt;
Deny-access will be similar to &lt;br /&gt;
  manila access-deny %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123470</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123470"/>
				<updated>2016-04-05T06:41:00Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Alternative Approach */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== 2nd Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share2' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group existed/associated with is, will be considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share1 has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
That needs to be decided in this approach.&lt;br /&gt;
Actually &lt;br /&gt;
'''A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;br /&gt;
&lt;br /&gt;
== 3rd approach - Simplifying More ==&lt;br /&gt;
Actually, As a tag doesn't have a individual independent identity, we can think of &amp;quot;NOT&amp;quot; providing, --tag the interface, to inherit from. &lt;br /&gt;
   manila access-inherit %some_new_share% --by-tag %tag%  (********* Lets '''NOT''' have it **********)&lt;br /&gt;
   manila access-inherit %some_new_share% --by-share %some_source_share%  (Lets '''&amp;quot;only&amp;quot;''' have this)&lt;br /&gt;
There should be only api to inherit access from a share.&lt;br /&gt;
&lt;br /&gt;
In such a case, we will allow, for first share like this...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
we will create multiple access-records, for the share, in share_access_map table, '''without any tagging.'''&lt;br /&gt;
Next, a share, who wants similar access-scope, will do&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
&lt;br /&gt;
* This solves the problem associated with tagging and trying to keep a static definition of a tag.&lt;br /&gt;
&lt;br /&gt;
* This solves the problem of redundancy, as present in 1st approach.&lt;br /&gt;
&lt;br /&gt;
* This has same problem, as in 2nd approach, of &amp;quot;not having an access-group after share-deletion&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
* Once a share share1, has got a set of rules, it can be inherited by another share and rules-set that's inherited, &lt;br /&gt;
will be set of rules, associated &amp;quot;at that very moment&amp;quot; with share1. Things are dynamic. At some other moment in time,&lt;br /&gt;
some share might inherit separate set of rules, from same share, 'share1'.&lt;br /&gt;
&lt;br /&gt;
* There will be no such api deny-access-rules where we can just say, '''deny group of rules, which we gave access together.'''&lt;br /&gt;
Deny-access will be similar to &lt;br /&gt;
  manila access-deny %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123469</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123469"/>
				<updated>2016-04-05T06:38:08Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Simplifying More */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share2' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group existed/associated with is, will be considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share1 has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
That needs to be decided in this approach.&lt;br /&gt;
Actually &lt;br /&gt;
'''A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;br /&gt;
&lt;br /&gt;
== 3rd approach - Simplifying More ==&lt;br /&gt;
Actually, As a tag doesn't have a individual independent identity, we can think of &amp;quot;NOT&amp;quot; providing, --tag the interface, to inherit from. &lt;br /&gt;
   manila access-inherit %some_new_share% --by-tag %tag%  (********* Lets '''NOT''' have it **********)&lt;br /&gt;
   manila access-inherit %some_new_share% --by-share %some_source_share%  (Lets '''&amp;quot;only&amp;quot;''' have this)&lt;br /&gt;
There should be only api to inherit access from a share.&lt;br /&gt;
&lt;br /&gt;
In such a case, we will allow, for first share like this...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
we will create multiple access-records, for the share, in share_access_map table, '''without any tagging.'''&lt;br /&gt;
Next, a share, who wants similar access-scope, will do&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
&lt;br /&gt;
* This solves the problem associated with tagging and trying to keep a static definition of a tag.&lt;br /&gt;
&lt;br /&gt;
* This solves the problem of redundancy, as present in 1st approach.&lt;br /&gt;
&lt;br /&gt;
* This has same problem, as in 2nd approach, of &amp;quot;not having an access-group after share-deletion&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
* Once a share share1, has got a set of rules, it can be inherited by another share and rules-set that's inherited, &lt;br /&gt;
will be set of rules, associated &amp;quot;at that very moment&amp;quot; with share1. Things are dynamic. At some other moment in time,&lt;br /&gt;
some share might inherit separate set of rules, from same share, 'share1'.&lt;br /&gt;
&lt;br /&gt;
* There will be no such api deny-access-rules where we can just say, '''deny group of rules, which we gave access together.'''&lt;br /&gt;
Deny-access will be similar to &lt;br /&gt;
  manila access-deny %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123468</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123468"/>
				<updated>2016-04-05T06:21:58Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Simplifying More */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share2' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group existed/associated with is, will be considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share1 has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
That needs to be decided in this approach.&lt;br /&gt;
Actually &lt;br /&gt;
'''A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;br /&gt;
&lt;br /&gt;
== Simplifying More ==&lt;br /&gt;
Actually, As a tag doesn't have a individual independent identity, we can think of &amp;quot;NOT&amp;quot; providing, --tag the interface, to inherit from. &lt;br /&gt;
   manila access-inherit %some_new_share% --by-tag %tag%  (********* Lets '''NOT''' have it **********)&lt;br /&gt;
   manila access-inherit %some_new_share% --by-share %some_source_share%  (Lets '''&amp;quot;only&amp;quot;''' have this)&lt;br /&gt;
There should be only api to inherit access from a share.&lt;br /&gt;
&lt;br /&gt;
In such a case, we will allow, for first share like this...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
we will create multiple access-records, for the share, in share_access_map table, '''without any tagging.'''&lt;br /&gt;
Next, a share, who wants similar access-scope, will do&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
&lt;br /&gt;
* This solves the problem associated with tagging and trying to keep a static definition of a tag.&lt;br /&gt;
&lt;br /&gt;
* This solves the problem of redundancy, as present in 1st approach.&lt;br /&gt;
&lt;br /&gt;
* This has same problem, as in 2nd approach, of &amp;quot;not having an access-group after share-deletion&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
* Once a share share1, has got a set of rules, it can be inherited by another share and rules-set that's inherited, &lt;br /&gt;
will be set of rules, associated &amp;quot;at that very moment&amp;quot; with share1. Things are dynamic. At some other moment in time,&lt;br /&gt;
some share might inherit separate set of rules, from same share, 'share1'.&lt;br /&gt;
&lt;br /&gt;
* There will be no such api deny-access-rules where we can just say, '''deny group of rules, which we gave access together.'''&lt;br /&gt;
Deny-access will be similar to &lt;br /&gt;
  manila access-deny %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123467</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123467"/>
				<updated>2016-04-05T06:04:31Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Simplifying More : */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share2' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group existed/associated with is, will be considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share1 has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
That needs to be decided in this approach.&lt;br /&gt;
Actually &lt;br /&gt;
'''A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;br /&gt;
&lt;br /&gt;
== Simplifying More ==&lt;br /&gt;
Actually, As a tag doesn't have a individual independent identity, we can think of &amp;quot;NOT&amp;quot; providing the interface to inherit from --tag.&lt;br /&gt;
   manila access-inherit %some_new_share% --by-tag %tag%  (Lets not have it)&lt;br /&gt;
   manila access-inherit %some_new_share% --by-share %some_source_share%  (Lets only have this)&lt;br /&gt;
There should be only api to inherit access from a share.&lt;br /&gt;
In such a case, we will allow &lt;br /&gt;
For first share  &lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
we will create multiple access-records for the share in share_access_map table without any tagging.&lt;br /&gt;
Next share who wants similar access-scope will do&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123466</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123466"/>
				<updated>2016-04-05T06:03:55Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share2' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group existed/associated with is, will be considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share1 has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
That needs to be decided in this approach.&lt;br /&gt;
Actually &lt;br /&gt;
'''A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;br /&gt;
&lt;br /&gt;
== Simplifying More : ==&lt;br /&gt;
Actually, As a tag doesn't have a individual independent identity, we can think of &amp;quot;NOT&amp;quot; providing the interface to inherit from --tag.&lt;br /&gt;
   manila access-inherit %some_new_share% --by-tag %tag%  (Lets not have it)&lt;br /&gt;
   manila access-inherit %some_new_share% --by-share %some_source_share%  (Lets only have this)&lt;br /&gt;
There should be only api to inherit access from a share.&lt;br /&gt;
In such a case, we will allow &lt;br /&gt;
For first share  &lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6&lt;br /&gt;
we will create multiple access-records for the share in share_access_map table without any tagging.&lt;br /&gt;
Next share who wants similar access-scope will do&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123465</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123465"/>
				<updated>2016-04-05T05:57:56Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Thinking impact of 2nd approach.. */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* Lets say, 'share1' is applied with set of access-rules tagged as 'AG1'. if 'share2' inherits all access_rules from 'share1'. &lt;br /&gt;
Now 'share1' adds a rule by old 'allow-access' api. How will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in 'share_access_map' table, a tag..so this individual rule will have new access_group_tag???&lt;br /&gt;
&lt;br /&gt;
I think '''we can keep the new rule without tag.''' &lt;br /&gt;
Now, the next share 'share3' that inherits with --share from 'share1', will get all rules inclusive (share1, with tag) and (share1, without tag). okay.&lt;br /&gt;
But, if the next share 'share3' that inherits with --tag 'AG1' will get rules which is with ('share2' ,AG1) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group existed/associated with is, will be considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share1 has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a old 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, defining its members. &lt;br /&gt;
* one that's coming from share1(2 rules) &lt;br /&gt;
* other that's coming from  share2(3 rules).&lt;br /&gt;
Now, If a 'share3' is asking for rules same as tag 'AG1', what rules will be applied on it? &lt;br /&gt;
That needs to be decided in this approach.&lt;br /&gt;
Actually &lt;br /&gt;
'''A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123408</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123408"/>
				<updated>2016-04-04T12:32:09Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Thinking impact of 2nd approach.. */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group, being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* What if 'share2' inherits all access_rules from 'share1' and now share1 adds a rule by old 'allow-access' api without any tag. &lt;br /&gt;
Now how will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in share_access_map, a tag..so this individual rule will have new access_group_tag?&lt;br /&gt;
We can keep the new rule without tag. &lt;br /&gt;
&lt;br /&gt;
Now, the next share share3 that inherits with --tag from share1 will get set of rules with combination (share1, tag1) &lt;br /&gt;
the next share share3 that inherits with --share from share1 will get all rules inclusive (share1, with tag) and (share1, without tag) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group existed/associated with is, will be considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share1 has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, one that's coming from share1(2 rules) &lt;br /&gt;
and other thats coming from  share2(3 rules).&lt;br /&gt;
If a share3 is asking for rules same as tag AG1 what rules will be applied on it? That's need to be decided in this approach.&lt;br /&gt;
Actually &lt;br /&gt;
'''A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123407</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123407"/>
				<updated>2016-04-04T12:31:02Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Comparison with 1st approach */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Thinking impact of 2nd approach.. ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* What if 'share2' inherits all access_rules from 'share1' and now share1 adds a rule by old 'allow-access' api without any tag. &lt;br /&gt;
Now how will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in share_access_map, a tag..so this individual rule will have new access_group_tag?&lt;br /&gt;
We can keep the new rule without tag. &lt;br /&gt;
&lt;br /&gt;
Now, the next share share3 that inherits with --tag from share1 will get set of rules with combination (share1, tag1) &lt;br /&gt;
the next share share3 that inherits with --share from share1 will get all rules inclusive (share1, with tag) and (share1, without tag) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group existed/associated with is, will be considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share1 has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, one that's coming from share1(2 rules) &lt;br /&gt;
and other thats coming from  share2(3 rules).&lt;br /&gt;
If a share3 is asking for rules same as tag AG1 what rules will be applied on it? That's need to be decided in this approach.&lt;br /&gt;
Actually &lt;br /&gt;
'''A group/A tag can not have a static definition (set of rules) among all these allow/deny of different sorts.'''&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123406</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123406"/>
				<updated>2016-04-04T12:20:09Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Comparison with 1st approach */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Comparison with 1st approach ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* What if 'share2' inherits all access_rules from 'share1' and now share1 adds a rule by old 'allow-access' api without any tag. &lt;br /&gt;
Now how will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in share_access_map, a tag..so this individual rule will have new access_group_tag?&lt;br /&gt;
We can keep the new rule without tag. &lt;br /&gt;
&lt;br /&gt;
Now, the next share share3 that inherits with --tag from share1 will get set of rules with combination (share1, tag1) &lt;br /&gt;
the next share share3 that inherits with --share from share1 will get all rules inclusive (share1, with tag) and (share1, without tag) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group existed/associated with is, will be considered deleted. &lt;br /&gt;
&lt;br /&gt;
* If a share1 has allowed access to 3 ip addresses tagged with 'AG1', now another 'share2' inherited all 3 rules with 'AG1' tag itself.&lt;br /&gt;
now, a 'deny-access' request comes, to delete one of the rule with share1 from these 3 rules.&lt;br /&gt;
Now, access-group with 'AG1' tag - has got two separate set of access-rules, one that's coming from share1(2 rules) &lt;br /&gt;
and other thats coming from  share2(3 rules).&lt;br /&gt;
If a share3 is asking for rules same as tag AG1 what rules will be applied on it ?&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123405</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123405"/>
				<updated>2016-04-04T12:08:38Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Comparison with 1st approach */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Comparison with 1st approach ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* What if 'share2' inherits all access_rules from 'share1' and now share1 adds a rule by old 'allow-access' api without any tag. &lt;br /&gt;
Now how will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in share_access_map, a tag..so this individual rule will have new access_group_tag?&lt;br /&gt;
We can keep the new rule without tag. &lt;br /&gt;
&lt;br /&gt;
Now, the next share share3 that inherits with --tag from share1 will get set of rules with combination (share1, tag1) &lt;br /&gt;
the next share share3 that inherits with --share from share1 will get all rules inclusive (share1, with tag) and (share1, without tag) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group associated will be considered deleted..  is it okay?&lt;br /&gt;
&lt;br /&gt;
* If a share1 is allowed access to three ip addresses in AG1, now another share2 inherited all 3 rules with AG1 tag itself.&lt;br /&gt;
now, a deny access request comes, to delete one of the rule with share1.&lt;br /&gt;
Now, access-group with AG1 tag - has got two separate set of access-rules, one thats coming from share1(2 rules) and other thats coming from  share2(3 rules).&lt;br /&gt;
If a share3 is asking for AG1's rules what rules will be applied on it ?&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123404</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123404"/>
				<updated>2016-04-04T12:07:26Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Comparison with 1st approach */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Comparison with 1st approach ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* What if 'share2' inherits all access_rules from 'share1' and now share1 adds a rule by old 'allow-access' api without any tag. &lt;br /&gt;
Now how will we tackle such situation?&lt;br /&gt;
     * Will we keep these new individual access_rule records without tag?&lt;br /&gt;
     * Will we give every record which is in share_access_map, a tag..so this individual rule will have new access_group_tag?&lt;br /&gt;
We can keep the new rule without tag. &lt;br /&gt;
now a share3 which &lt;br /&gt;
the next share share3 that inherits with --tag from share1 will get set of rules with combination (share1, tag1) &lt;br /&gt;
the next share share3 that inherits with --share from share1 will get all rules inclusive (share1, with tag) and (share1, without tag) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group associated will be considered deleted..  is it okay?&lt;br /&gt;
&lt;br /&gt;
* If a share1 is allowed access to three ip addresses in AG1, now another share2 inherited all 3 rules with AG1 tag itself.&lt;br /&gt;
now, a deny access request comes, to delete one of the rule with share1.&lt;br /&gt;
Now, access-group with AG1 tag - has got two separate set of access-rules, one thats coming from share1(2 rules) and other thats coming from  share2(3 rules).&lt;br /&gt;
If a share3 is asking for AG1's rules what rules will be applied on it ?&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123403</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123403"/>
				<updated>2016-04-04T12:05:30Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Comparison with 1st approach */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Comparison with 1st approach ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* What if 'share2' inherits all access_rules from 'share1' and now share1 adds a rule by old 'allow-access' api without any tag. &lt;br /&gt;
Now how will we tackle such situation?&lt;br /&gt;
* Will we keep these new individual access_rule records without tag?&lt;br /&gt;
* Will we give every record which is in share_access_map, a tag..so this individual rule will have new access_group_tag?&lt;br /&gt;
we can keep the new rule without tag. &lt;br /&gt;
now a share3 which &lt;br /&gt;
the next share share3 that inherits with --tag from share1 will get set of rules with combination (share1, tag1) &lt;br /&gt;
the next share share3 that inherits with --share from share1 will get all rules inclusive (share1, with tag) and (share1, without tag) &lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group associated will be considered deleted..  is it okay?&lt;br /&gt;
&lt;br /&gt;
* If a share1 is allowed access to three ip addresses in AG1, now another share2 inherited all 3 rules with AG1 tag itself.&lt;br /&gt;
now, a deny access request comes, to delete one of the rule with share1.&lt;br /&gt;
Now, access-group with AG1 tag - has got two separate set of access-rules, one thats coming from share1(2 rules) and other thats coming from  share2(3 rules).&lt;br /&gt;
If a share3 is asking for AG1's rules what rules will be applied on it ?&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123402</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123402"/>
				<updated>2016-04-04T12:04:42Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Comparison with 1st approach */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Comparison with 1st approach ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* What if 'share2' inherits all access_rules from 'share1' and now share1 adds a rule by old 'allow-access' api without any tag. &lt;br /&gt;
Now how will we tackle such situation?&lt;br /&gt;
* Will we keep these new individual access_rule records without tag?&lt;br /&gt;
* Will we give every record which is in share_access_map, a tag..so this individual rule will have new access_group_tag?&lt;br /&gt;
we can keep the new rule without tag. &lt;br /&gt;
now a share3 which &lt;br /&gt;
the next share share3 that inherits with --tag from share1 will get set of rules with combination (share1, tag1) &lt;br /&gt;
the next share share3 that inherits with --share from share1 will get all rules inclusive (share1, with tag) and (share1, without tag) &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* If share is deleted the access-group associated will be considered deleted..  is it okay?&lt;br /&gt;
 &lt;br /&gt;
* If a share1 is allowed access to three ip addresses in AG1, now another share2 inherited all 3 rules with AG1 tag itself.&lt;br /&gt;
now, a deny access request comes, to delete one of the rule with share1.&lt;br /&gt;
Now, access-group with AG1 tag - has got two separate set of access-rules, one thats coming from share1(2 rules) and other thats coming from  share2(3 rules).&lt;br /&gt;
If a share3 is asking for AG1's rules what rules will be applied on it ?&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123400</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123400"/>
				<updated>2016-04-04T11:54:36Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Alternative Approach */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
either:&lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
Or &lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Comparison with 1st approach ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* What if 'share2' inherits all access_rules from 'share1' and now share1 adds a rule by indiviudal allow-access api.&lt;br /&gt;
Now how will we tackle such situation?&lt;br /&gt;
a)Will we keep these new individual access_rule records without tag?&lt;br /&gt;
b)Will we give every record which is in share_access_map, a tag..so this individual rule will have new access_group_tag?&lt;br /&gt;
 &lt;br /&gt;
* If share is deleted the access-group associated will be considered deleted..  is it okay?&lt;br /&gt;
 &lt;br /&gt;
* If a share1 is allowed access to three ip addresses in AG1, now another share2 inherited all 3 rules with AG1 tag itself.&lt;br /&gt;
now, a deny access request comes, to delete one of the rule with share1.&lt;br /&gt;
Now, access-group with AG1 tag - has got two separate set of access-rules, one thats coming from share1(2 rules) and other thats coming from  share2(3 rules).&lt;br /&gt;
If a share3 is asking for AG1's rules what rules will be applied on it ?&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123398</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123398"/>
				<updated>2016-04-04T11:51:06Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Alternative Approach */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. &lt;br /&gt;
Instead by using a string type tag with share_access_map records, we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
  manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
  manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
  manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Comparison with 1st approach ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* What if 'share2' inherits all access_rules from 'share1' and now share1 adds a rule by indiviudal allow-access api.&lt;br /&gt;
Now how will we tackle such situation?&lt;br /&gt;
a)Will we keep these new individual access_rule records without tag?&lt;br /&gt;
b)Will we give every record which is in share_access_map, a tag..so this individual rule will have new access_group_tag?&lt;br /&gt;
 &lt;br /&gt;
* If share is deleted the access-group associated will be considered deleted..  is it okay?&lt;br /&gt;
 &lt;br /&gt;
* If a share1 is allowed access to three ip addresses in AG1, now another share2 inherited all 3 rules with AG1 tag itself.&lt;br /&gt;
now, a deny access request comes, to delete one of the rule with share1.&lt;br /&gt;
Now, access-group with AG1 tag - has got two separate set of access-rules, one thats coming from share1(2 rules) and other thats coming from  share2(3 rules).&lt;br /&gt;
If a share3 is asking for AG1's rules what rules will be applied on it ?&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123397</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123397"/>
				<updated>2016-04-04T11:44:31Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Comparison with 1st approach */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. Instead by using a string type tag with share_access_map records,&lt;br /&gt;
we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Comparison with 1st approach ===&lt;br /&gt;
* This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
&lt;br /&gt;
* Access-group being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
 &lt;br /&gt;
* What if 'share2' inherits all access_rules from 'share1' and now share1 adds a rule by indiviudal allow-access api.&lt;br /&gt;
Now how will we tackle such situation?&lt;br /&gt;
a)Will we keep these new individual access_rule records without tag?&lt;br /&gt;
b)Will we give every record which is in share_access_map, a tag..so this individual rule will have new access_group_tag?&lt;br /&gt;
 &lt;br /&gt;
* If share is deleted the access-group associated will be considered deleted..  is it okay?&lt;br /&gt;
 &lt;br /&gt;
* If a share1 is allowed access to three ip addresses in AG1, now another share2 inherited all 3 rules with AG1 tag itself.&lt;br /&gt;
now, a deny access request comes, to delete one of the rule with share1.&lt;br /&gt;
Now, access-group with AG1 tag - has got two separate set of access-rules, one thats coming from share1(2 rules) and other thats coming from  share2(3 rules).&lt;br /&gt;
If a share3 is asking for AG1's rules what rules will be applied on it ?&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123396</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123396"/>
				<updated>2016-04-04T11:38:11Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;br /&gt;
&lt;br /&gt;
== Alternative Approach ==&lt;br /&gt;
This approach suggests to tag/group share_access_map records by using a new field access_group_tag.&lt;br /&gt;
Here we do not create a separate entity access_group and access_group_entries. Instead by using a string type tag with share_access_map records,&lt;br /&gt;
we group a few entries together.&lt;br /&gt;
&lt;br /&gt;
For first share that wants to allow a group of ip addresses/user the access.&lt;br /&gt;
cli call will be like...&lt;br /&gt;
manila access-allow %some_share% ip 1.1.1.1,2.2.2.2, 3.3.3.3   --tag %tag_name_1%&lt;br /&gt;
&lt;br /&gt;
After that any share that wants similar access will do &lt;br /&gt;
manila access-inherit %some_new_share% --by-share %some_source_share%&lt;br /&gt;
manila access-inherit %some_new_share% --by-tag %tag%&lt;br /&gt;
&lt;br /&gt;
=== Comparison with 1st approach ===&lt;br /&gt;
1)This approach is lighter and less amount of redundancy in database.&lt;br /&gt;
2)Access-group being dynamic entity in 2nd approach/a no separate entity, which has its 'existence scope' same as the share its associated with, &lt;br /&gt;
so no further means, to deal with 'access-groups', independently OR after share deletion.&lt;br /&gt;
3)What if 'share2' inherits all access_rules from 'share1' and now share1 adds a rule by indiviudal allow-access api.&lt;br /&gt;
Now how will we tackle such situation?&lt;br /&gt;
* a)Will we keep these new individual access_rule records without tag?&lt;br /&gt;
* b)Will we give every record which is in share_access_map, a tag..so this individual rule will have new access_group_tag?&lt;br /&gt;
* c)If share is deleted the access-group associated will be considered deleted..  is it okay?&lt;br /&gt;
* d)If a share1 is allowed access to three ip addresses in AG1, now another share2 inherited all 3 rules with AG1 tag itself.&lt;br /&gt;
now, a deny access request comes, to delete one of the rule with share1.&lt;br /&gt;
Now, access-group with AG1 tag - has got two separate set of access-rules, one thats coming from share1(2 rules) and other thats coming from  share2(3 rules).&lt;br /&gt;
If a share3 is asking for AG1's rules what rules will be applied on it ?&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123350</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123350"/>
				<updated>2016-04-01T11:33:57Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny, &amp;quot;one&amp;quot; ip address/user/cert the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute, allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow, a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of 'ip addresses' can be considered as 'one entity' i.e. 'can be allowed the access to a share together.' &lt;br /&gt;
Henceforth, the 'same set of ip addresses', can be allowed access to any 'other share', in 'one single request' from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named 'access_group', can be created by user. Each 'access_group' contains, a bunch of homogeneous 'access_entries'. &lt;br /&gt;
Homogeneous here means, 'entries of same access_type &amp;amp; access_level(in case access_type is 'user'))'. Each 'access_entry' represents, &lt;br /&gt;
either one ip-address or one username. Bunch of access entries, associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
'''Feature requirement is, to provide a mechanism, to allow the access to a share, for &amp;quot;a group of ip addresses/users&amp;quot;, in one go,'''&lt;br /&gt;
'''instead of allowing each ip-address/user one at a time.'''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api worked on individual access rule. &lt;br /&gt;
So, that can interfere and allow/deny any access, without any knowledge of access-group api. This has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
== How it works in different situations ==&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123349</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123349"/>
				<updated>2016-04-01T10:29:35Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* How it works in different situations */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny &amp;quot;one&amp;quot; ip address/user/cert, the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of &amp;quot;ip addresses&amp;quot; can be considered as &amp;quot;one entity&amp;quot; i.e. ''can be allowed the access to a share together.'' &lt;br /&gt;
Henceforth, the &amp;quot;same set of ip addresses&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_group&amp;quot; can be created by user. Each &amp;quot;access_group&amp;quot; contains a bunch of homogeneous &amp;quot;access_entries&amp;quot;. &lt;br /&gt;
Homogeneous here means ''entries of same access_type &amp;amp; access_level(in case access_type is &amp;quot;user&amp;quot;)&amp;quot;). Each &amp;quot;access_entry&amp;quot; represents, &lt;br /&gt;
either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot;. Bunch of access entries associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. &lt;br /&gt;
So it can interfere and allow/deny any access without any knowledge of access-group api. That has to be understood and resolved.&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== How it works in different situations =====&lt;br /&gt;
'''Ques 1. Lets say a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share, using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
already exists'  and we will proceed to examine, rest of the rules, in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule, from this access_group, is already applied on share(individually)...&lt;br /&gt;
lets say due to 'allow-access' api. Then excluding that access_rule, rest of the rules, present in 'access_group' will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of 'n' rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error, reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
'access_rules_status' will go in 'error' state and 'access_status_message' will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123348</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123348"/>
				<updated>2016-04-01T10:24:47Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* How it works in different situations */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny &amp;quot;one&amp;quot; ip address/user/cert, the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of &amp;quot;ip addresses&amp;quot; can be considered as &amp;quot;one entity&amp;quot; i.e. ''can be allowed the access to a share together.'' &lt;br /&gt;
Henceforth, the &amp;quot;same set of ip addresses&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_group&amp;quot; can be created by user. Each &amp;quot;access_group&amp;quot; contains a bunch of homogeneous &amp;quot;access_entries&amp;quot;. &lt;br /&gt;
Homogeneous here means ''entries of same access_type &amp;amp; access_level(in case access_type is &amp;quot;user&amp;quot;)&amp;quot;). Each &amp;quot;access_entry&amp;quot; represents, &lt;br /&gt;
either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot;. Bunch of access entries associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. &lt;br /&gt;
So it can interfere and allow/deny any access without any knowledge of access-group api. That has to be understood and resolved.&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== How it works in different situations =====&lt;br /&gt;
'''Ques 1. Lets say , a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say, 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''Share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
is already applied'  and we will proceed to examine rest of the rules in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api,&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of n rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
'''that is sequence is like'''&lt;br /&gt;
'''1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;'''&lt;br /&gt;
'''3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;'''&lt;br /&gt;
'''Now some rules of this access-group are denied individually .. when we go to 'deny-access-group''''&lt;br /&gt;
'''what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger 'update_access'&lt;br /&gt;
on the backend.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123347</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123347"/>
				<updated>2016-04-01T10:23:15Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* How it works in different situations */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny &amp;quot;one&amp;quot; ip address/user/cert, the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of &amp;quot;ip addresses&amp;quot; can be considered as &amp;quot;one entity&amp;quot; i.e. ''can be allowed the access to a share together.'' &lt;br /&gt;
Henceforth, the &amp;quot;same set of ip addresses&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_group&amp;quot; can be created by user. Each &amp;quot;access_group&amp;quot; contains a bunch of homogeneous &amp;quot;access_entries&amp;quot;. &lt;br /&gt;
Homogeneous here means ''entries of same access_type &amp;amp; access_level(in case access_type is &amp;quot;user&amp;quot;)&amp;quot;). Each &amp;quot;access_entry&amp;quot; represents, &lt;br /&gt;
either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot;. Bunch of access entries associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. &lt;br /&gt;
So it can interfere and allow/deny any access without any knowledge of access-group api. That has to be understood and resolved.&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== How it works in different situations =====&lt;br /&gt;
'''Ques 1. Lets say , a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share using 'add_rule' &lt;br /&gt;
field of 'update_access' helper function.&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. lets say, 'share1' has an already applied access rule i.e ( user ,admin, rw).'''&lt;br /&gt;
'''Now, 'AG1' contains (user, admin, ro). A request comes as 'allow_access_group(share1, AG1)'.'''            &lt;br /&gt;
'''Share1 is asked to map with AG1, what should happen?'''            &lt;br /&gt;
&lt;br /&gt;
'''What if the already applied rules are redundant to AG1's access rules.'''&lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with 'same access_type and access_to' are&lt;br /&gt;
considered redundant..&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case, if we apply two redundant rules, even without access-groups. We will get an exception, 'access rule for (user, admin) &lt;br /&gt;
is already applied'  and we will proceed to examine rest of the rules in access_group. '''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api,&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of n rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_group_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_group_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases(4,5), though we come out, but 'share_access_group_mapping' and 'many share_access_map' entries &lt;br /&gt;
would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field, registers the error message, from the driver layer. if we get an error message back from driver, it gets registered in &lt;br /&gt;
'access_status_message' in 'share_instances' table. 'access_status_message' field in 'share_instances' table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7. &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
that is sequence is like&lt;br /&gt;
1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
3) manila access-group-deny &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
Now some rules of this access-group are denied individually .. when we go to 'deny-access-group'&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the DB, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;br /&gt;
&lt;br /&gt;
'''Ques 10. Lets say a share share1 is mapped to an access_group AG1. Now we delete one of access_rule''' &lt;br /&gt;
'''of AG1 or we add an entry to mapped access_group AG1. What will happen?'''&lt;br /&gt;
&lt;br /&gt;
Ans: any addition or deletion of access_entry to an access_group after being mapped, will trigger update_access&lt;br /&gt;
on the backend.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123346</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123346"/>
				<updated>2016-04-01T10:02:49Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Challenges */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny &amp;quot;one&amp;quot; ip address/user/cert, the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of &amp;quot;ip addresses&amp;quot; can be considered as &amp;quot;one entity&amp;quot; i.e. ''can be allowed the access to a share together.'' &lt;br /&gt;
Henceforth, the &amp;quot;same set of ip addresses&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_group&amp;quot; can be created by user. Each &amp;quot;access_group&amp;quot; contains a bunch of homogeneous &amp;quot;access_entries&amp;quot;. &lt;br /&gt;
Homogeneous here means ''entries of same access_type &amp;amp; access_level(in case access_type is &amp;quot;user&amp;quot;)&amp;quot;). Each &amp;quot;access_entry&amp;quot; represents, &lt;br /&gt;
either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot;. Bunch of access entries associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. &lt;br /&gt;
So it can interfere and allow/deny any access without any knowledge of access-group api. That has to be understood and resolved.&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
* If backend driver doesn't implement 'update_access' newer version yet, then 'access-rules' will be sent to driver one by one only. &lt;br /&gt;
Though 'access-group' feature will allow user, to request access, to set of ip addresses, in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== How it works in different situations =====&lt;br /&gt;
'''Ques 1. Lets say , a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule(individual).'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share using add_rule field of &lt;br /&gt;
update_access().&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. What if the already applied rules are redundant to AG1 ?'''&lt;br /&gt;
'''lets say share1 has a access rule already applied to it as Share1 -&amp;gt;( user ,admin, rw).'''&lt;br /&gt;
Now AG1 contains an (user, admin, ro). API request comes as allow_access_group(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with same access_type and access_to are&lt;br /&gt;
considered redundant.&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this particular rule will be considered as applied already) and we will proceed to examine rest of the rules in access_group. &lt;br /&gt;
'''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api,&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of n rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases, share_access_group_mapping and many share_access_map entries would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field registers the error message from the driver layer. if we get an error message back from driver, it gets registered &lt;br /&gt;
access_status_message in share_instances table. access_status_message field in share_instances table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7 &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
that is sequence is like&lt;br /&gt;
1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123345</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123345"/>
				<updated>2016-04-01T10:00:38Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* How it works in different situations */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny &amp;quot;one&amp;quot; ip address/user/cert, the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of &amp;quot;ip addresses&amp;quot; can be considered as &amp;quot;one entity&amp;quot; i.e. ''can be allowed the access to a share together.'' &lt;br /&gt;
Henceforth, the &amp;quot;same set of ip addresses&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_group&amp;quot; can be created by user. Each &amp;quot;access_group&amp;quot; contains a bunch of homogeneous &amp;quot;access_entries&amp;quot;. &lt;br /&gt;
Homogeneous here means ''entries of same access_type &amp;amp; access_level(in case access_type is &amp;quot;user&amp;quot;)&amp;quot;). Each &amp;quot;access_entry&amp;quot; represents, &lt;br /&gt;
either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot;. Bunch of access entries associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. &lt;br /&gt;
So it can interfere and allow/deny any access without any knowledge of access-group api. That has to be understood and resolved.&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
* If backend driver doesn't implement update_access functionality, then rules will be sent to driver one by one only. Though access-group will allow user to &lt;br /&gt;
request access to bunch of ip addresses in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== How it works in different situations =====&lt;br /&gt;
'''Ques 1. Lets say , a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule(individual).'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share using add_rule field of &lt;br /&gt;
update_access().&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. What if the already applied rules are redundant to AG1 ?'''&lt;br /&gt;
'''lets say share1 has a access rule already applied to it as Share1 -&amp;gt;( user ,admin, rw).'''&lt;br /&gt;
Now AG1 contains an (user, admin, ro). API request comes as allow_access_group(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with same access_type and access_to are&lt;br /&gt;
considered redundant.&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this particular rule will be considered as applied already) and we will proceed to examine rest of the rules in access_group. &lt;br /&gt;
'''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api,&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of n rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases, share_access_group_mapping and many share_access_map entries would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field registers the error message from the driver layer. if we get an error message back from driver, it gets registered &lt;br /&gt;
access_status_message in share_instances table. access_status_message field in share_instances table - does not register error messages for &lt;br /&gt;
above mentioned exceptions in Ques7 &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
'''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
'''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
that is sequence is like&lt;br /&gt;
1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123344</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123344"/>
				<updated>2016-04-01T09:57:46Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* How it works in different situations */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny &amp;quot;one&amp;quot; ip address/user/cert, the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of &amp;quot;ip addresses&amp;quot; can be considered as &amp;quot;one entity&amp;quot; i.e. ''can be allowed the access to a share together.'' &lt;br /&gt;
Henceforth, the &amp;quot;same set of ip addresses&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_group&amp;quot; can be created by user. Each &amp;quot;access_group&amp;quot; contains a bunch of homogeneous &amp;quot;access_entries&amp;quot;. &lt;br /&gt;
Homogeneous here means ''entries of same access_type &amp;amp; access_level(in case access_type is &amp;quot;user&amp;quot;)&amp;quot;). Each &amp;quot;access_entry&amp;quot; represents, &lt;br /&gt;
either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot;. Bunch of access entries associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. &lt;br /&gt;
So it can interfere and allow/deny any access without any knowledge of access-group api. That has to be understood and resolved.&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
* If backend driver doesn't implement update_access functionality, then rules will be sent to driver one by one only. Though access-group will allow user to &lt;br /&gt;
request access to bunch of ip addresses in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== How it works in different situations =====&lt;br /&gt;
'''Ques 1. Lets say , a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule(individual).'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share using add_rule field of &lt;br /&gt;
update_access().&lt;br /&gt;
&lt;br /&gt;
'''Ques 2. What if the already applied rules are redundant to AG1 ?'''&lt;br /&gt;
'''lets say share1 has a access rule already applied to it as Share1 -&amp;gt;( user ,admin, rw).'''&lt;br /&gt;
Now AG1 contains an (user, admin, ro). API request comes as allow_access_group(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with same access_type and access_to are&lt;br /&gt;
considered redundant.&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this particular rule will be considered as applied already) and we will proceed to examine rest of the rules in access_group. &lt;br /&gt;
'''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques 3. What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api,&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques 4. What if AG1 is made up of n rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques 5. What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques 6. Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques 7. What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
 2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
 3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
 '''4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
 5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out'''&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer. access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - &lt;br /&gt;
does not show error messages for above mentioned exceptions.&lt;br /&gt;
Note:- in last two cases, share_access_group_mapping and many share_access_map entries would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques 8. What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&lt;br /&gt;
Ans: access_status_message field registers the error message from the driver layer. if we get an error message back from driver, it gets registered &lt;br /&gt;
         access_status_message in share_instances table.&lt;br /&gt;
        access_status_message field in share_instances table - does not register error messages for above mentioned exceptions in Ques7 &lt;br /&gt;
  &lt;br /&gt;
'''Ques 9. Lets say an access-group that contains 4 access_rules, that is applied on a share1.'''&lt;br /&gt;
 '''now these 4 access_rules have got their entries created in share_access_map too.'''&lt;br /&gt;
 '''What is someone deleted/denies the access rule individually ?'''&lt;br /&gt;
 that is sequence is like&lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123343</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123343"/>
				<updated>2016-04-01T09:49:39Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* How it works in different situations */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny &amp;quot;one&amp;quot; ip address/user/cert, the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of &amp;quot;ip addresses&amp;quot; can be considered as &amp;quot;one entity&amp;quot; i.e. ''can be allowed the access to a share together.'' &lt;br /&gt;
Henceforth, the &amp;quot;same set of ip addresses&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_group&amp;quot; can be created by user. Each &amp;quot;access_group&amp;quot; contains a bunch of homogeneous &amp;quot;access_entries&amp;quot;. &lt;br /&gt;
Homogeneous here means ''entries of same access_type &amp;amp; access_level(in case access_type is &amp;quot;user&amp;quot;)&amp;quot;). Each &amp;quot;access_entry&amp;quot; represents, &lt;br /&gt;
either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot;. Bunch of access entries associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. &lt;br /&gt;
So it can interfere and allow/deny any access without any knowledge of access-group api. That has to be understood and resolved.&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
* If backend driver doesn't implement update_access functionality, then rules will be sent to driver one by one only. Though access-group will allow user to &lt;br /&gt;
request access to bunch of ip addresses in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== How it works in different situations =====&lt;br /&gt;
'''Ques 1.: Lets say , a user requests allow-access-group for (share1, AG1)'''&lt;br /&gt;
'''What if the share is already mapped to another access_group/access_rule(individual).'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share using add_rule field of &lt;br /&gt;
update_access().&lt;br /&gt;
&lt;br /&gt;
'''Ques: What if the already applied rules are redundant to AG1 ?'''&lt;br /&gt;
'''lets say share1 has a access rule already applied to it as Share1 -&amp;gt;( user ,admin, rw).'''&lt;br /&gt;
Now AG1 contains an (user, admin, ro). API request comes as allow_access_group(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with same access_type and access_to are&lt;br /&gt;
considered redundant.&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this particular rule will be considered as applied already) and we will proceed to examine rest of the rules in access_group. &lt;br /&gt;
'''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques: What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api,&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques: What if AG1 is made up of n rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques: What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques: Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques: What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
 2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
 3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
 '''4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
 5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out'''&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer.&lt;br /&gt;
in last two cases, share_access_group_mapping and many share_access_map entries would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques: What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field registers the error message from the driver layer.&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - it does not show error messages &lt;br /&gt;
for above mentioned exceptions. if we get an error message back from driver, it gets registered in share_instances table.&lt;br /&gt;
  &lt;br /&gt;
'''Ques: Lets say an access-group that contains 4 access_rules, that is applied on a share1.&lt;br /&gt;
 now these 4 access_rules have got their entries created in share_access_map too.&lt;br /&gt;
 What is someone deleted/denies the access rule individually ?''' &lt;br /&gt;
 that is sequence is like&lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123342</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123342"/>
				<updated>2016-04-01T09:47:53Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny &amp;quot;one&amp;quot; ip address/user/cert, the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of &amp;quot;ip addresses&amp;quot; can be considered as &amp;quot;one entity&amp;quot; i.e. ''can be allowed the access to a share together.'' &lt;br /&gt;
Henceforth, the &amp;quot;same set of ip addresses&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_group&amp;quot; can be created by user. Each &amp;quot;access_group&amp;quot; contains a bunch of homogeneous &amp;quot;access_entries&amp;quot;. &lt;br /&gt;
Homogeneous here means ''entries of same access_type &amp;amp; access_level(in case access_type is &amp;quot;user&amp;quot;)&amp;quot;). Each &amp;quot;access_entry&amp;quot; represents, &lt;br /&gt;
either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot;. Bunch of access entries associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. &lt;br /&gt;
So it can interfere and allow/deny any access without any knowledge of access-group api. That has to be understood and resolved.&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
* If backend driver doesn't implement update_access functionality, then rules will be sent to driver one by one only. Though access-group will allow user to &lt;br /&gt;
request access to bunch of ip addresses in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== How it works in different situations =====&lt;br /&gt;
'''Ques: Lets say , a user requests allow-access-group for (share1, AG1)&lt;br /&gt;
What if the share is already mapped to another access_group/access_rule(individual).'''&lt;br /&gt;
&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share using add_rule field of &lt;br /&gt;
update_access().&lt;br /&gt;
&lt;br /&gt;
'''Ques: What if the already applied rules are redundant to AG1 ?&lt;br /&gt;
lets say share1 has a access rule already applied to it as Share1 -&amp;gt;( user ,admin, rw).''' &lt;br /&gt;
Now AG1 contains an (user, admin, ro). API request comes as allow_access_group(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Note:- its a redundant rule, not contradictory, as rules with same access_type and access_to are&lt;br /&gt;
considered redundant.&lt;br /&gt;
&lt;br /&gt;
Ans: Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this particular rule will be considered as applied already) and we will proceed to examine rest of the rules in access_group. &lt;br /&gt;
'''We need to deny this rule first &amp;quot;to change its level if required.'''&lt;br /&gt;
&lt;br /&gt;
'''Ques: What if AG1 is made up of n rules, only one is redundant ?'''&lt;br /&gt;
&lt;br /&gt;
Ans:If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api,&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''Ques: What if AG1 is made up of n rules, an error reported from backend for one of the rules?'''&lt;br /&gt;
&lt;br /&gt;
Ans: If there is an error reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques: What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
&lt;br /&gt;
Ans: Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques: Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
&lt;br /&gt;
Ans: req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques: What happens if an exception is raised for one of the access-rules in access-group in api layer itself?&lt;br /&gt;
Do we proceed for next rule or we come out ?'''&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
 2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
 3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
 '''4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
 5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out'''&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer.&lt;br /&gt;
in last two cases, share_access_group_mapping and many share_access_map entries would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques: What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field registers the error message from the driver layer.&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - it does not show error messages &lt;br /&gt;
for above mentioned exceptions. if we get an error message back from driver, it gets registered in share_instances table.&lt;br /&gt;
  &lt;br /&gt;
'''Ques: Lets say an access-group that contains 4 access_rules, that is applied on a share1.&lt;br /&gt;
 now these 4 access_rules have got their entries created in share_access_map too.&lt;br /&gt;
 What is someone deleted/denies the access rule individually ?''' &lt;br /&gt;
 that is sequence is like&lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123340</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123340"/>
				<updated>2016-04-01T06:05:50Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny &amp;quot;one&amp;quot; ip address/user/cert, the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of &amp;quot;ip addresses&amp;quot; can be considered as &amp;quot;one entity&amp;quot; i.e. ''can be allowed the access to a share together.'' &lt;br /&gt;
Henceforth, the &amp;quot;same set of ip addresses&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_group&amp;quot; can be created by user. Each &amp;quot;access_group&amp;quot; contains a bunch of homogeneous &amp;quot;access_entries&amp;quot;. &lt;br /&gt;
Homogeneous here means ''entries of same access_type &amp;amp; access_level(in case access_type is &amp;quot;user&amp;quot;)&amp;quot;). Each &amp;quot;access_entry&amp;quot; represents, &lt;br /&gt;
either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot;. Bunch of access entries associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;allowed or denied&amp;quot; access, &lt;br /&gt;
to a share in one go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
* With new proposal, a set of access-rules can be applied together using &amp;quot;access-group&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. &lt;br /&gt;
   So it can interfere and allow/deny any access without any knowledge of access-group api. That has to be understood and resolved.&lt;br /&gt;
* A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
* Sending a bunch of rules together to backend, if any one rule throws an exception, status of whole access-group will be errored.&lt;br /&gt;
* If backend driver doesn't implement update_access functionality, then rules will be sent to driver one by one only. Though access-group will allow user to &lt;br /&gt;
  request access to bunch of ip addresses in one go, still backend will work on access-rules individually.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
* ==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
* ==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
'''#Ques: Lets say , a user requests '''allow-access-group for (share1, AG1)'''. &lt;br /&gt;
What if the &amp;quot;share&amp;quot; is already mapped to another access_group/access_rule(individual),'''&lt;br /&gt;
Ans: Nothing, set of access_rules for AG1, will be applied on share using add_rule field of &lt;br /&gt;
update_access().&lt;br /&gt;
&lt;br /&gt;
'''Ques: What if the already applied rules are redundant to AG1 ?''' &lt;br /&gt;
lets say share1 has a access rule already applied to it as Share1 -&amp;gt;( user ,admin, rw) (in share_access_map)            &lt;br /&gt;
Now an AG1 contains an (user, admin, ro). API request comes as allow_access_group(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
&lt;br /&gt;
Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this rule will be considered as applied already) and we will proceed to see rest of the rules in access_group. &lt;br /&gt;
''We need to deny this rule first &amp;quot;to change its level if reqd&amp;quot;.''            &lt;br /&gt;
&lt;br /&gt;
'''Ques: What if AG1 is made up of &amp;quot;n&amp;quot; rules, only one is redundant?'''&lt;br /&gt;
If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api..&lt;br /&gt;
then excluding that access_rule, ''rest of the rules present in access_group will be applied on share'' and share_access_group_mapping &lt;br /&gt;
will be created&lt;br /&gt;
&lt;br /&gt;
'''Ques: What if AG1 is made up of &amp;quot;n&amp;quot; rules, an error reported from backend for one of the rules?''&lt;br /&gt;
If there is an error reported from backend, then error will be registered in share_instances table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''Ques: What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''Ques: Two compatible access-groups mapping request got out of order before reaching backend driver.'''&lt;br /&gt;
Lets say two api requests for two access_groups where two access groups's rules are compatible as below:            &lt;br /&gt;
Two api requests come in this order chronologically, req1 then req2,            &lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
req1 = allow_access_group(share1, AG1), req2 = allow_access_group(share1, AG2)&lt;br /&gt;
Let’s say these request reach driver layer, out of order, driver receives req2 then req1. &lt;br /&gt;
What will happen in such case?&lt;br /&gt;
Ans: req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
'''Ques: What happens if an exception is raised for one of the access-rules in access-group in api layer itself?'''&lt;br /&gt;
Do we proceed for next rule or we come out ?&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
 2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
 3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
&lt;br /&gt;
 '''4)If share_instance is invalid one &amp;gt;&amp;gt; we raise exception and come out&lt;br /&gt;
 5)if access_rules_status is not active &amp;gt;&amp;gt; we raise exception and come out'''&lt;br /&gt;
in all such cases we raise exception before rpc request is sent to driver layer.&lt;br /&gt;
in last two cases, share_access_group_mapping and many share_access_map entries would have been created!!!&lt;br /&gt;
&lt;br /&gt;
'''Ques: What is purpose of access_rules_status and access_status_message field in share_instances table?'''&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field registers the error message from the driver layer.&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - it does not show error messages &lt;br /&gt;
for above mentioned exceptions. if we get an error message back from driver, it gets registered in share_instances table.&lt;br /&gt;
  &lt;br /&gt;
'''Ques: Lets say an access-group that contains 4 access_rules, that is applied on a share1.&lt;br /&gt;
 now these 4 access_rules have got their entries created in share_access_map too.&lt;br /&gt;
 What is someone deleted/denies the access rule individually ? &lt;br /&gt;
 that is sequence is like&lt;br /&gt;
&lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123339</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123339"/>
				<updated>2016-04-01T05:26:24Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Manila Access Group &lt;br /&gt;
== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli command, to allow and deny &amp;quot;one&amp;quot; ip address/user/cert, the access, to a particular share. &lt;br /&gt;
In situation, when we want a &amp;quot;share&amp;quot; to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of IP addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each combination of (IP address, share) '''one by one'''!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires '''&amp;quot;n iterations for each of n shares&amp;quot;''', &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, by which a set of &amp;quot;ip addresses&amp;quot; can be considered as &amp;quot;one entity&amp;quot; i.e. ''can be allowed the access to a share together.'' &lt;br /&gt;
Henceforth, the &amp;quot;same set of ip addresses&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. &lt;br /&gt;
There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of homogeneous &amp;quot;access_rules/access_entries&amp;quot;. &lt;br /&gt;
(homogeneous here means rules of same &amp;quot;access_type &amp;amp; access_level&amp;quot;). &lt;br /&gt;
Access Group contains a set of homogeneous access_entries. Each &amp;quot;access_entry&amp;quot; holds/represents, either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Bunch of access rules associated to an &amp;quot;access-group&amp;quot;, can be &amp;quot;either a set of ip addresses OR a set of users&amp;quot;, that requires to be &amp;quot;allowed or denied&amp;quot; in one go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.''&lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
With new proposal, a set of rules can be applied in a bunch using &amp;quot;access-groups&amp;quot;. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group api. That has to be understood and resolved.&lt;br /&gt;
&lt;br /&gt;
A parallel api interface, serving same purpose, but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Proposed Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Important Actions == &lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Sr No !! Function !! Command&lt;br /&gt;
|-&lt;br /&gt;
| 1 || Create Access Group  || manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 2 || Add Access Group Entries in Access group || manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 3 || Allow Access Group to a share || manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| 4 || Deny Access Group to a share || manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Flow diagram ===&lt;br /&gt;
* ==== Allow Access Group ====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
* ==== Deny Access Group ====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
'''#Ques: What if the share is already mapped to another access_group/access_rules(individual) already,'''&lt;br /&gt;
Ans: Set of access_rules for this access_group, will be applied on share.&lt;br /&gt;
&lt;br /&gt;
Case1: Redundant rules, &lt;br /&gt;
lets say share1 has a access rule already applied to it as            &lt;br /&gt;
Access entry for Share1 -&amp;gt;( user ,admin, rw) (in share_access_map)            &lt;br /&gt;
Now an AG1 with an (user, admin, ro) is created.            &lt;br /&gt;
API request comes as allow_access(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this rule will be considered as applied already) and we will proceed to see rest of the rules in access_group. &lt;br /&gt;
We need to deny this rule first &amp;quot;to change its level if reqd&amp;quot;.            &lt;br /&gt;
&lt;br /&gt;
'''What if AG1 is made up of &amp;quot;n&amp;quot; rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''What if there is an error reported from backend AG1 is made up of n rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If there is an error reported from backend, then error will be registered in share_instance table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''# What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''#Ques: Two compatible access-groups mapping request got out of order before reaching backend driver.'''            &lt;br /&gt;
e.g two api requests for two access_groups where two access rules are compatible,            &lt;br /&gt;
&lt;br /&gt;
Two access-groups are:&lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
&lt;br /&gt;
Two api requests come in this order chronologically,            &lt;br /&gt;
allow_access(share1, AG1) – Req1            &lt;br /&gt;
allow_access(share1, AG2) – Req2            &lt;br /&gt;
&lt;br /&gt;
let’s say these request reach driver layer, out of order, that is backend driver receives, &lt;br /&gt;
first Req2 then Req1. What will happen in such case ?&lt;br /&gt;
&lt;br /&gt;
Ans: Req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only new set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
Req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only new set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
&lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
Ques: What happens if an exception is raised for one of the access-rules in access-group?&lt;br /&gt;
Do we proceed for next rule or we come out ?&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &amp;gt;&amp;gt; we come out&lt;br /&gt;
 2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
 3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we come out&lt;br /&gt;
 4)If share_instance is invalid one &amp;gt;&amp;gt; we come out &lt;br /&gt;
 5)if access_rules_status is not active &amp;gt;&amp;gt; we come out &lt;br /&gt;
 in all such cases we raise exception which is coming before rpc request is sent to driver layer.&lt;br /&gt;
&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - it does not express error messages for such exceptions.&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field registers the error message from the driver layer.&lt;br /&gt;
in case we gets an error message back from driver, which tells rules it could not apply and why ?&lt;br /&gt;
and registers message in share_instance table.&lt;br /&gt;
  &lt;br /&gt;
'''Ques: Lets say an access-group that contains 4 access_rules, that is applied on a share share1.&lt;br /&gt;
 now these 4 access_rules have got their entries created in share_access_map too.&lt;br /&gt;
 What is someone deleted/denies the access rule individually ? &lt;br /&gt;
 that is sequence is like&lt;br /&gt;
&lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 2) manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception Not-Found and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:Allow_access_group_(2).png&amp;diff=123293</id>
		<title>File:Allow access group (2).png</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:Allow_access_group_(2).png&amp;diff=123293"/>
				<updated>2016-03-31T12:27:06Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: Nidhi Mittal Hada uploaded a new version of File:Allow access group (2).png&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123292</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123292"/>
				<updated>2016-03-31T12:20:44Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;                                                                                                                       = Manila Access Groups =&lt;br /&gt;
== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and deny ip address/user, the access, to a particular share. In situation, when we want a share to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of ip addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each (ip address, share) one by one!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires n iterations for each of n shares, &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed.''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, so that a set of &amp;quot;ip addresses&amp;quot; can be considered as one entity i.e. can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the &amp;quot;same set&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of homogeneous &amp;quot;access_rules/access_entries&amp;quot;. &lt;br /&gt;
(homogeneous here means rules of same &amp;quot;access_type &amp;amp; access_level&amp;quot;) &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of homogeneous access_entries. Each &amp;quot;access_entry&amp;quot; holds/represents, either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Bunch of access rules associated to an access-group, can be &amp;quot;Either a set of ip addresses OR a set of users&amp;quot;, that requires to be &amp;quot;allowed or denied&amp;quot; in a go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.'' &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== Create Access Group === &lt;br /&gt;
manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Add Access Group Entries in Access group === &lt;br /&gt;
manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Allow Access Group to a share ===  &lt;br /&gt;
manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== FlowChart =====&lt;br /&gt;
[[File : Allow_access_group_(2).png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== Flowchart =====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
'''#Ques: What if the share is already mapped to another access_group/access_rules(individual) already,'''&lt;br /&gt;
Ans: Set of access_rules for this access_group, will be applied on share.&lt;br /&gt;
&lt;br /&gt;
Case1: Redundant rules, &lt;br /&gt;
lets say share1 has a access rule already applied to it as            &lt;br /&gt;
Access entry for Share1 -&amp;gt;( user ,admin, rw) (in share_access_map)            &lt;br /&gt;
Now an AG1 with an (user, admin, ro) is created.            &lt;br /&gt;
API request comes as allow_access(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this rule will be considered as applied already) and we will proceed to see rest of the rules in access_group. &lt;br /&gt;
We need to deny this rule first &amp;quot;to change its level if reqd&amp;quot;.            &lt;br /&gt;
&lt;br /&gt;
'''What if AG1 is made up of &amp;quot;n&amp;quot; rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''What if there is an error reported from backend AG1 is made up of n rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If there is an error reported from backend, then error will be registered in share_instance table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''# What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''#Ques: Two compatible access-groups mapping request got out of order before reaching backend driver.'''            &lt;br /&gt;
e.g two api requests for two access_groups where two access rules are compatible,            &lt;br /&gt;
&lt;br /&gt;
Two access-groups are:&lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
&lt;br /&gt;
Two api requests come in this order chronologically,            &lt;br /&gt;
allow_access(share1, AG1) – Req1            &lt;br /&gt;
allow_access(share1, AG2) – Req2            &lt;br /&gt;
&lt;br /&gt;
let’s say these request reach driver layer, out of order, that is backend driver receives, &lt;br /&gt;
first Req2 then Req1. What will happen in such case ?&lt;br /&gt;
&lt;br /&gt;
Ans: Req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only new set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
Req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only new set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
&lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
Ques: What happens if an exception is raised for one of the access-rules in access-group?&lt;br /&gt;
Do we proceed for next rule or we come out ?&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &amp;gt;&amp;gt; we come out&lt;br /&gt;
 2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
 3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we come out&lt;br /&gt;
 4)If share_instance is invalid one &amp;gt;&amp;gt; we come out &lt;br /&gt;
 5)if access_rules_status is not active &amp;gt;&amp;gt; we come out &lt;br /&gt;
 in all such cases we raise exception which is coming before rpc request is sent to driver layer.&lt;br /&gt;
&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - it does not express error messages for such exceptions.&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field registers the error message from the driver layer.&lt;br /&gt;
in case we gets an error message back from driver, which tells rules it could not apply and why ?&lt;br /&gt;
and registers message in share_instance table.&lt;br /&gt;
  &lt;br /&gt;
'''Ques: Lets say an access-group that contains 4 access_rules, that is applied on a share share1.&lt;br /&gt;
 Now these 4 access_rules have got their entries created in share_access_map too.&lt;br /&gt;
 What is someone deleted/denies the access rule individually ? &lt;br /&gt;
  that is sequence is like&lt;br /&gt;
&lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 2)manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception NotFound and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:Allow_access_group_(2).png&amp;diff=123291</id>
		<title>File:Allow access group (2).png</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:Allow_access_group_(2).png&amp;diff=123291"/>
				<updated>2016-03-31T12:07:50Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123286</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123286"/>
				<updated>2016-03-31T10:32:57Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Flowchart */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;                                                                                                                       = Manila Access Groups =&lt;br /&gt;
== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and deny ip address/user, the access, to a particular share. In situation, when we want a share to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of ip addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each (ip address, share) one by one!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires n iterations for each of n shares, &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed.''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, so that a set of &amp;quot;ip addresses&amp;quot; can be considered as one entity i.e. can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the &amp;quot;same set&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of homogeneous &amp;quot;access_rules/access_entries&amp;quot;. &lt;br /&gt;
(homogeneous here means rules of same &amp;quot;access_type &amp;amp; access_level&amp;quot;) &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of homogeneous access_entries. Each &amp;quot;access_entry&amp;quot; holds/represents, either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Bunch of access rules associated to an access-group, can be &amp;quot;Either a set of ip addresses OR a set of users&amp;quot;, that requires to be &amp;quot;allowed or denied&amp;quot; in a go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.'' &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== Create Access Group === &lt;br /&gt;
manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Add Access Group Entries in Access group === &lt;br /&gt;
manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Allow Access Group to a share ===  &lt;br /&gt;
manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== FlowChart =====&lt;br /&gt;
[[File : Allow_access_group.png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== Flowchart =====&lt;br /&gt;
[[File : Deny_access_group.png | center | 500px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
'''#Ques: What if the share is already mapped to another access_group/access_rules(individual) already,'''&lt;br /&gt;
Ans: Set of access_rules for this access_group, will be applied on share.&lt;br /&gt;
&lt;br /&gt;
Case1: Redundant rules, &lt;br /&gt;
lets say share1 has a access rule already applied to it as            &lt;br /&gt;
Access entry for Share1 -&amp;gt;( user ,admin, rw) (in share_access_map)            &lt;br /&gt;
Now an AG1 with an (user, admin, ro) is created.            &lt;br /&gt;
API request comes as allow_access(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this rule will be considered as applied already) and we will proceed to see rest of the rules in access_group. &lt;br /&gt;
We need to deny this rule first &amp;quot;to change its level if reqd&amp;quot;.            &lt;br /&gt;
&lt;br /&gt;
'''What if AG1 is made up of &amp;quot;n&amp;quot; rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''What if there is an error reported from backend AG1 is made up of n rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If there is an error reported from backend, then error will be registered in share_instance table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''# What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''#Ques: Two compatible access-groups mapping request got out of order before reaching backend driver.'''            &lt;br /&gt;
e.g two api requests for two access_groups where two access rules are compatible,            &lt;br /&gt;
&lt;br /&gt;
Two access-groups are:&lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
&lt;br /&gt;
Two api requests come in this order chronologically,            &lt;br /&gt;
allow_access(share1, AG1) – Req1            &lt;br /&gt;
allow_access(share1, AG2) – Req2            &lt;br /&gt;
&lt;br /&gt;
let’s say these request reach driver layer, out of order, that is backend driver receives, &lt;br /&gt;
first Req2 then Req1. What will happen in such case ?&lt;br /&gt;
&lt;br /&gt;
Ans: Req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only new set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
Req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only new set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
&lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
Ques: What happens if an exception is raised for one of the access-rules in access-group?&lt;br /&gt;
Do we proceed for next rule or we come out ?&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &amp;gt;&amp;gt; we come out&lt;br /&gt;
 2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
 3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we come out&lt;br /&gt;
 4)If share_instance is invalid one &amp;gt;&amp;gt; we come out &lt;br /&gt;
 5)if access_rules_status is not active &amp;gt;&amp;gt; we come out &lt;br /&gt;
 in all such cases we raise exception which is coming before rpc request is sent to driver layer.&lt;br /&gt;
&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - it does not express error messages for such exceptions.&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field registers the error message from the driver layer.&lt;br /&gt;
in case we gets an error message back from driver, which tells rules it could not apply and why ?&lt;br /&gt;
and registers message in share_instance table.&lt;br /&gt;
  &lt;br /&gt;
'''Ques: Lets say an access-group that contains 4 access_rules, that is applied on a share share1.&lt;br /&gt;
 Now these 4 access_rules have got their entries created in share_access_map too.&lt;br /&gt;
 What is someone deleted/denies the access rule individually ? &lt;br /&gt;
  that is sequence is like&lt;br /&gt;
&lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 2)manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception NotFound and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123285</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123285"/>
				<updated>2016-03-31T10:32:30Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* FlowChart */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;                                                                                                                       = Manila Access Groups =&lt;br /&gt;
== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and deny ip address/user, the access, to a particular share. In situation, when we want a share to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of ip addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each (ip address, share) one by one!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires n iterations for each of n shares, &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed.''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, so that a set of &amp;quot;ip addresses&amp;quot; can be considered as one entity i.e. can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the &amp;quot;same set&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of homogeneous &amp;quot;access_rules/access_entries&amp;quot;. &lt;br /&gt;
(homogeneous here means rules of same &amp;quot;access_type &amp;amp; access_level&amp;quot;) &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of homogeneous access_entries. Each &amp;quot;access_entry&amp;quot; holds/represents, either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Bunch of access rules associated to an access-group, can be &amp;quot;Either a set of ip addresses OR a set of users&amp;quot;, that requires to be &amp;quot;allowed or denied&amp;quot; in a go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.'' &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== Create Access Group === &lt;br /&gt;
manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Add Access Group Entries in Access group === &lt;br /&gt;
manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Allow Access Group to a share ===  &lt;br /&gt;
manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== FlowChart =====&lt;br /&gt;
[[File : Allow_access_group.png | center | 500px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== Flowchart =====&lt;br /&gt;
[[File : Deny_access_group.png | center | 100px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
'''#Ques: What if the share is already mapped to another access_group/access_rules(individual) already,'''&lt;br /&gt;
Ans: Set of access_rules for this access_group, will be applied on share.&lt;br /&gt;
&lt;br /&gt;
Case1: Redundant rules, &lt;br /&gt;
lets say share1 has a access rule already applied to it as            &lt;br /&gt;
Access entry for Share1 -&amp;gt;( user ,admin, rw) (in share_access_map)            &lt;br /&gt;
Now an AG1 with an (user, admin, ro) is created.            &lt;br /&gt;
API request comes as allow_access(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this rule will be considered as applied already) and we will proceed to see rest of the rules in access_group. &lt;br /&gt;
We need to deny this rule first &amp;quot;to change its level if reqd&amp;quot;.            &lt;br /&gt;
&lt;br /&gt;
'''What if AG1 is made up of &amp;quot;n&amp;quot; rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''What if there is an error reported from backend AG1 is made up of n rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If there is an error reported from backend, then error will be registered in share_instance table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''# What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''#Ques: Two compatible access-groups mapping request got out of order before reaching backend driver.'''            &lt;br /&gt;
e.g two api requests for two access_groups where two access rules are compatible,            &lt;br /&gt;
&lt;br /&gt;
Two access-groups are:&lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
&lt;br /&gt;
Two api requests come in this order chronologically,            &lt;br /&gt;
allow_access(share1, AG1) – Req1            &lt;br /&gt;
allow_access(share1, AG2) – Req2            &lt;br /&gt;
&lt;br /&gt;
let’s say these request reach driver layer, out of order, that is backend driver receives, &lt;br /&gt;
first Req2 then Req1. What will happen in such case ?&lt;br /&gt;
&lt;br /&gt;
Ans: Req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only new set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
Req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only new set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
&lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
Ques: What happens if an exception is raised for one of the access-rules in access-group?&lt;br /&gt;
Do we proceed for next rule or we come out ?&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &amp;gt;&amp;gt; we come out&lt;br /&gt;
 2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
 3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we come out&lt;br /&gt;
 4)If share_instance is invalid one &amp;gt;&amp;gt; we come out &lt;br /&gt;
 5)if access_rules_status is not active &amp;gt;&amp;gt; we come out &lt;br /&gt;
 in all such cases we raise exception which is coming before rpc request is sent to driver layer.&lt;br /&gt;
&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - it does not express error messages for such exceptions.&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field registers the error message from the driver layer.&lt;br /&gt;
in case we gets an error message back from driver, which tells rules it could not apply and why ?&lt;br /&gt;
and registers message in share_instance table.&lt;br /&gt;
  &lt;br /&gt;
'''Ques: Lets say an access-group that contains 4 access_rules, that is applied on a share share1.&lt;br /&gt;
 Now these 4 access_rules have got their entries created in share_access_map too.&lt;br /&gt;
 What is someone deleted/denies the access rule individually ? &lt;br /&gt;
  that is sequence is like&lt;br /&gt;
&lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 2)manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception NotFound and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123284</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123284"/>
				<updated>2016-03-31T10:32:04Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Challenges */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;                                                                                                                       = Manila Access Groups =&lt;br /&gt;
== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and deny ip address/user, the access, to a particular share. In situation, when we want a share to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of ip addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each (ip address, share) one by one!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires n iterations for each of n shares, &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed.''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, so that a set of &amp;quot;ip addresses&amp;quot; can be considered as one entity i.e. can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the &amp;quot;same set&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of homogeneous &amp;quot;access_rules/access_entries&amp;quot;. &lt;br /&gt;
(homogeneous here means rules of same &amp;quot;access_type &amp;amp; access_level&amp;quot;) &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of homogeneous access_entries. Each &amp;quot;access_entry&amp;quot; holds/represents, either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Bunch of access rules associated to an access-group, can be &amp;quot;Either a set of ip addresses OR a set of users&amp;quot;, that requires to be &amp;quot;allowed or denied&amp;quot; in a go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.'' &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 500px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== Create Access Group === &lt;br /&gt;
manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Add Access Group Entries in Access group === &lt;br /&gt;
manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Allow Access Group to a share ===  &lt;br /&gt;
manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== FlowChart =====&lt;br /&gt;
[[File : Allow_access_group.png | center | 100px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== Flowchart =====&lt;br /&gt;
[[File : Deny_access_group.png | center | 100px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
'''#Ques: What if the share is already mapped to another access_group/access_rules(individual) already,'''&lt;br /&gt;
Ans: Set of access_rules for this access_group, will be applied on share.&lt;br /&gt;
&lt;br /&gt;
Case1: Redundant rules, &lt;br /&gt;
lets say share1 has a access rule already applied to it as            &lt;br /&gt;
Access entry for Share1 -&amp;gt;( user ,admin, rw) (in share_access_map)            &lt;br /&gt;
Now an AG1 with an (user, admin, ro) is created.            &lt;br /&gt;
API request comes as allow_access(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this rule will be considered as applied already) and we will proceed to see rest of the rules in access_group. &lt;br /&gt;
We need to deny this rule first &amp;quot;to change its level if reqd&amp;quot;.            &lt;br /&gt;
&lt;br /&gt;
'''What if AG1 is made up of &amp;quot;n&amp;quot; rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''What if there is an error reported from backend AG1 is made up of n rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If there is an error reported from backend, then error will be registered in share_instance table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''# What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''#Ques: Two compatible access-groups mapping request got out of order before reaching backend driver.'''            &lt;br /&gt;
e.g two api requests for two access_groups where two access rules are compatible,            &lt;br /&gt;
&lt;br /&gt;
Two access-groups are:&lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
&lt;br /&gt;
Two api requests come in this order chronologically,            &lt;br /&gt;
allow_access(share1, AG1) – Req1            &lt;br /&gt;
allow_access(share1, AG2) – Req2            &lt;br /&gt;
&lt;br /&gt;
let’s say these request reach driver layer, out of order, that is backend driver receives, &lt;br /&gt;
first Req2 then Req1. What will happen in such case ?&lt;br /&gt;
&lt;br /&gt;
Ans: Req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only new set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
Req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only new set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
&lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
Ques: What happens if an exception is raised for one of the access-rules in access-group?&lt;br /&gt;
Do we proceed for next rule or we come out ?&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &amp;gt;&amp;gt; we come out&lt;br /&gt;
 2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
 3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we come out&lt;br /&gt;
 4)If share_instance is invalid one &amp;gt;&amp;gt; we come out &lt;br /&gt;
 5)if access_rules_status is not active &amp;gt;&amp;gt; we come out &lt;br /&gt;
 in all such cases we raise exception which is coming before rpc request is sent to driver layer.&lt;br /&gt;
&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - it does not express error messages for such exceptions.&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field registers the error message from the driver layer.&lt;br /&gt;
in case we gets an error message back from driver, which tells rules it could not apply and why ?&lt;br /&gt;
and registers message in share_instance table.&lt;br /&gt;
  &lt;br /&gt;
'''Ques: Lets say an access-group that contains 4 access_rules, that is applied on a share share1.&lt;br /&gt;
 Now these 4 access_rules have got their entries created in share_access_map too.&lt;br /&gt;
 What is someone deleted/denies the access rule individually ? &lt;br /&gt;
  that is sequence is like&lt;br /&gt;
&lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 2)manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception NotFound and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123283</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123283"/>
				<updated>2016-03-31T10:31:32Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Challenges */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;                                                                                                                       = Manila Access Groups =&lt;br /&gt;
== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and deny ip address/user, the access, to a particular share. In situation, when we want a share to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of ip addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each (ip address, share) one by one!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires n iterations for each of n shares, &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed.''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, so that a set of &amp;quot;ip addresses&amp;quot; can be considered as one entity i.e. can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the &amp;quot;same set&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of homogeneous &amp;quot;access_rules/access_entries&amp;quot;. &lt;br /&gt;
(homogeneous here means rules of same &amp;quot;access_type &amp;amp; access_level&amp;quot;) &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of homogeneous access_entries. Each &amp;quot;access_entry&amp;quot; holds/represents, either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Bunch of access rules associated to an access-group, can be &amp;quot;Either a set of ip addresses OR a set of users&amp;quot;, that requires to be &amp;quot;allowed or denied&amp;quot; in a go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.'' &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 1000px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== Create Access Group === &lt;br /&gt;
manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Add Access Group Entries in Access group === &lt;br /&gt;
manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Allow Access Group to a share ===  &lt;br /&gt;
manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== FlowChart =====&lt;br /&gt;
[[File : Allow_access_group.png | center | 100px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== Flowchart =====&lt;br /&gt;
[[File : Deny_access_group.png | center | 100px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
'''#Ques: What if the share is already mapped to another access_group/access_rules(individual) already,'''&lt;br /&gt;
Ans: Set of access_rules for this access_group, will be applied on share.&lt;br /&gt;
&lt;br /&gt;
Case1: Redundant rules, &lt;br /&gt;
lets say share1 has a access rule already applied to it as            &lt;br /&gt;
Access entry for Share1 -&amp;gt;( user ,admin, rw) (in share_access_map)            &lt;br /&gt;
Now an AG1 with an (user, admin, ro) is created.            &lt;br /&gt;
API request comes as allow_access(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this rule will be considered as applied already) and we will proceed to see rest of the rules in access_group. &lt;br /&gt;
We need to deny this rule first &amp;quot;to change its level if reqd&amp;quot;.            &lt;br /&gt;
&lt;br /&gt;
'''What if AG1 is made up of &amp;quot;n&amp;quot; rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''What if there is an error reported from backend AG1 is made up of n rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If there is an error reported from backend, then error will be registered in share_instance table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''# What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''#Ques: Two compatible access-groups mapping request got out of order before reaching backend driver.'''            &lt;br /&gt;
e.g two api requests for two access_groups where two access rules are compatible,            &lt;br /&gt;
&lt;br /&gt;
Two access-groups are:&lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
&lt;br /&gt;
Two api requests come in this order chronologically,            &lt;br /&gt;
allow_access(share1, AG1) – Req1            &lt;br /&gt;
allow_access(share1, AG2) – Req2            &lt;br /&gt;
&lt;br /&gt;
let’s say these request reach driver layer, out of order, that is backend driver receives, &lt;br /&gt;
first Req2 then Req1. What will happen in such case ?&lt;br /&gt;
&lt;br /&gt;
Ans: Req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only new set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
Req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only new set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
&lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
Ques: What happens if an exception is raised for one of the access-rules in access-group?&lt;br /&gt;
Do we proceed for next rule or we come out ?&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &amp;gt;&amp;gt; we come out&lt;br /&gt;
 2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
 3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we come out&lt;br /&gt;
 4)If share_instance is invalid one &amp;gt;&amp;gt; we come out &lt;br /&gt;
 5)if access_rules_status is not active &amp;gt;&amp;gt; we come out &lt;br /&gt;
 in all such cases we raise exception which is coming before rpc request is sent to driver layer.&lt;br /&gt;
&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - it does not express error messages for such exceptions.&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field registers the error message from the driver layer.&lt;br /&gt;
in case we gets an error message back from driver, which tells rules it could not apply and why ?&lt;br /&gt;
and registers message in share_instance table.&lt;br /&gt;
  &lt;br /&gt;
'''Ques: Lets say an access-group that contains 4 access_rules, that is applied on a share share1.&lt;br /&gt;
 Now these 4 access_rules have got their entries created in share_access_map too.&lt;br /&gt;
 What is someone deleted/denies the access rule individually ? &lt;br /&gt;
  that is sequence is like&lt;br /&gt;
&lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 2)manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception NotFound and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123282</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123282"/>
				<updated>2016-03-31T10:31:00Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Challenges */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;                                                                                                                       = Manila Access Groups =&lt;br /&gt;
== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and deny ip address/user, the access, to a particular share. In situation, when we want a share to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of ip addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each (ip address, share) one by one!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires n iterations for each of n shares, &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed.''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, so that a set of &amp;quot;ip addresses&amp;quot; can be considered as one entity i.e. can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the &amp;quot;same set&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of homogeneous &amp;quot;access_rules/access_entries&amp;quot;. &lt;br /&gt;
(homogeneous here means rules of same &amp;quot;access_type &amp;amp; access_level&amp;quot;) &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of homogeneous access_entries. Each &amp;quot;access_entry&amp;quot; holds/represents, either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Bunch of access rules associated to an access-group, can be &amp;quot;Either a set of ip addresses OR a set of users&amp;quot;, that requires to be &amp;quot;allowed or denied&amp;quot; in a go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.'' &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 10000px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== Create Access Group === &lt;br /&gt;
manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Add Access Group Entries in Access group === &lt;br /&gt;
manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Allow Access Group to a share ===  &lt;br /&gt;
manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== FlowChart =====&lt;br /&gt;
[[File : Allow_access_group.png | center | 100px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== Flowchart =====&lt;br /&gt;
[[File : Deny_access_group.png | center | 100px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
'''#Ques: What if the share is already mapped to another access_group/access_rules(individual) already,'''&lt;br /&gt;
Ans: Set of access_rules for this access_group, will be applied on share.&lt;br /&gt;
&lt;br /&gt;
Case1: Redundant rules, &lt;br /&gt;
lets say share1 has a access rule already applied to it as            &lt;br /&gt;
Access entry for Share1 -&amp;gt;( user ,admin, rw) (in share_access_map)            &lt;br /&gt;
Now an AG1 with an (user, admin, ro) is created.            &lt;br /&gt;
API request comes as allow_access(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this rule will be considered as applied already) and we will proceed to see rest of the rules in access_group. &lt;br /&gt;
We need to deny this rule first &amp;quot;to change its level if reqd&amp;quot;.            &lt;br /&gt;
&lt;br /&gt;
'''What if AG1 is made up of &amp;quot;n&amp;quot; rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''What if there is an error reported from backend AG1 is made up of n rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If there is an error reported from backend, then error will be registered in share_instance table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''# What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''#Ques: Two compatible access-groups mapping request got out of order before reaching backend driver.'''            &lt;br /&gt;
e.g two api requests for two access_groups where two access rules are compatible,            &lt;br /&gt;
&lt;br /&gt;
Two access-groups are:&lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
&lt;br /&gt;
Two api requests come in this order chronologically,            &lt;br /&gt;
allow_access(share1, AG1) – Req1            &lt;br /&gt;
allow_access(share1, AG2) – Req2            &lt;br /&gt;
&lt;br /&gt;
let’s say these request reach driver layer, out of order, that is backend driver receives, &lt;br /&gt;
first Req2 then Req1. What will happen in such case ?&lt;br /&gt;
&lt;br /&gt;
Ans: Req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only new set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
Req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only new set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
&lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
Ques: What happens if an exception is raised for one of the access-rules in access-group?&lt;br /&gt;
Do we proceed for next rule or we come out ?&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &amp;gt;&amp;gt; we come out&lt;br /&gt;
 2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
 3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we come out&lt;br /&gt;
 4)If share_instance is invalid one &amp;gt;&amp;gt; we come out &lt;br /&gt;
 5)if access_rules_status is not active &amp;gt;&amp;gt; we come out &lt;br /&gt;
 in all such cases we raise exception which is coming before rpc request is sent to driver layer.&lt;br /&gt;
&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - it does not express error messages for such exceptions.&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field registers the error message from the driver layer.&lt;br /&gt;
in case we gets an error message back from driver, which tells rules it could not apply and why ?&lt;br /&gt;
and registers message in share_instance table.&lt;br /&gt;
  &lt;br /&gt;
'''Ques: Lets say an access-group that contains 4 access_rules, that is applied on a share share1.&lt;br /&gt;
 Now these 4 access_rules have got their entries created in share_access_map too.&lt;br /&gt;
 What is someone deleted/denies the access rule individually ? &lt;br /&gt;
  that is sequence is like&lt;br /&gt;
&lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 2)manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception NotFound and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123281</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123281"/>
				<updated>2016-03-31T10:26:38Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;                                                                                                                       = Manila Access Groups =&lt;br /&gt;
== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and deny ip address/user, the access, to a particular share. In situation, when we want a share to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of ip addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each (ip address, share) one by one!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires n iterations for each of n shares, &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed.''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, so that a set of &amp;quot;ip addresses&amp;quot; can be considered as one entity i.e. can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the &amp;quot;same set&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of homogeneous &amp;quot;access_rules/access_entries&amp;quot;. &lt;br /&gt;
(homogeneous here means rules of same &amp;quot;access_type &amp;amp; access_level&amp;quot;) &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of homogeneous access_entries. Each &amp;quot;access_entry&amp;quot; holds/represents, either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Bunch of access rules associated to an access-group, can be &amp;quot;Either a set of ip addresses OR a set of users&amp;quot;, that requires to be &amp;quot;allowed or denied&amp;quot; in a go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.'' &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 100px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== Create Access Group === &lt;br /&gt;
manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Add Access Group Entries in Access group === &lt;br /&gt;
manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Allow Access Group to a share ===  &lt;br /&gt;
manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== FlowChart =====&lt;br /&gt;
[[File : Allow_access_group.png | center | 100px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== Flowchart =====&lt;br /&gt;
[[File : Deny_access_group.png | center | 100px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
'''#Ques: What if the share is already mapped to another access_group/access_rules(individual) already,'''&lt;br /&gt;
Ans: Set of access_rules for this access_group, will be applied on share.&lt;br /&gt;
&lt;br /&gt;
Case1: Redundant rules, &lt;br /&gt;
lets say share1 has a access rule already applied to it as            &lt;br /&gt;
Access entry for Share1 -&amp;gt;( user ,admin, rw) (in share_access_map)            &lt;br /&gt;
Now an AG1 with an (user, admin, ro) is created.            &lt;br /&gt;
API request comes as allow_access(share1, AG1).            &lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
Its same as case if we apply two redundant rules even without access-groups- we will get an exception access rule for (user, admin) &lt;br /&gt;
is already applied (this rule will be considered as applied already) and we will proceed to see rest of the rules in access_group. &lt;br /&gt;
We need to deny this rule first &amp;quot;to change its level if reqd&amp;quot;.            &lt;br /&gt;
&lt;br /&gt;
'''What if AG1 is made up of &amp;quot;n&amp;quot; rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If any one of the access_rule from this access_group, is already applied on share(individually), lets say due to allow-access api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
'''What if there is an error reported from backend AG1 is made up of n rules, only one is redundant?'''''Italic text''&lt;br /&gt;
If there is an error reported from backend, then error will be registered in share_instance table.&lt;br /&gt;
&amp;quot;access_rules_status&amp;quot; will go in &amp;quot;error&amp;quot; state and &amp;quot;access_status_message&amp;quot; will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''# What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
Simply, rules from the access-group will be applied on the requested share.&lt;br /&gt;
   &lt;br /&gt;
'''#Ques: Two compatible access-groups mapping request got out of order before reaching backend driver.'''            &lt;br /&gt;
e.g two api requests for two access_groups where two access rules are compatible,            &lt;br /&gt;
&lt;br /&gt;
Two access-groups are:&lt;br /&gt;
AG1 has (user, admin, rw), AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
&lt;br /&gt;
Two api requests come in this order chronologically,            &lt;br /&gt;
allow_access(share1, AG1) – Req1            &lt;br /&gt;
allow_access(share1, AG2) – Req2            &lt;br /&gt;
&lt;br /&gt;
let’s say these request reach driver layer, out of order, that is backend driver receives, &lt;br /&gt;
first Req2 then Req1. What will happen in such case ?&lt;br /&gt;
&lt;br /&gt;
Ans: Req1 creates a access_mapping in db for (share1 -&amp;gt; AG1) and passes “only new set of rules in AG1&amp;quot; to driver layer.            &lt;br /&gt;
Req2  also creates a access_mapping in db for (share1 -&amp;gt; AG2) and passes that “only new set of rules in AG2&amp;quot; to driver layer.            &lt;br /&gt;
&lt;br /&gt;
Driver layer gets req2 first, it will apply access_rules of req2 first and then access_rules from req1 will be applied on backend.&lt;br /&gt;
&lt;br /&gt;
Ques: What happens if an exception is raised for one of the access-rules in access-group?&lt;br /&gt;
Do we proceed for next rule or we come out ?&lt;br /&gt;
Ans: These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &amp;gt;&amp;gt; we come out&lt;br /&gt;
 2)If share_access entry already exists for this share ? &amp;gt;&amp;gt; we raise exception but continue to consider next access_rule&lt;br /&gt;
 3)if access_level value requested for is not a valid value &amp;gt;&amp;gt; we come out&lt;br /&gt;
 4)If share_instance is invalid one &amp;gt;&amp;gt; we come out &lt;br /&gt;
 5)if access_rules_status is not active &amp;gt;&amp;gt; we come out &lt;br /&gt;
 in all such cases we raise exception which is coming before rpc request is sent to driver layer.&lt;br /&gt;
&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - it does not express error messages for such exceptions.&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field registers the error message from the driver layer.&lt;br /&gt;
in case we gets an error message back from driver, which tells rules it could not apply and why ?&lt;br /&gt;
and registers message in share_instance table.&lt;br /&gt;
  &lt;br /&gt;
'''Ques: Lets say an access-group that contains 4 access_rules, that is applied on a share share1.&lt;br /&gt;
 Now these 4 access_rules have got their entries created in share_access_map too.&lt;br /&gt;
 What is someone deleted/denies the access rule individually ? &lt;br /&gt;
  that is sequence is like&lt;br /&gt;
&lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 2)manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny-access-group&lt;br /&gt;
what will happen?&lt;br /&gt;
&lt;br /&gt;
Ans: For each of 4 rules, if anyone is not present in the access_map, we raise exception NotFound and&lt;br /&gt;
continue to next access_entry.&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123280</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123280"/>
				<updated>2016-03-31T10:00:13Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;                                                                                                                       = Manila Access Groups =&lt;br /&gt;
== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and deny ip address/user, the access, to a particular share. In situation, when we want a share to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of ip addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each (ip address, share) one by one!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires n iterations for each of n shares, &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed.''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, so that a set of &amp;quot;ip addresses&amp;quot; can be considered as one entity i.e. can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the &amp;quot;same set&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of homogeneous &amp;quot;access_rules/access_entries&amp;quot;. &lt;br /&gt;
(homogeneous here means rules of same &amp;quot;access_type &amp;amp; access_level&amp;quot;) &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of homogeneous access_entries. Each &amp;quot;access_entry&amp;quot; holds/represents, either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Bunch of access rules associated to an access-group, can be &amp;quot;Either a set of ip addresses OR a set of users&amp;quot;, that requires to be &amp;quot;allowed or denied&amp;quot; in a go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.'' &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 100px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== Create Access Group === &lt;br /&gt;
Create an access group:-       &lt;br /&gt;
manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Add Access Group Entries in Access group === &lt;br /&gt;
usage: manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Allow Access Group to a share ===  &lt;br /&gt;
Associating an access_group with a share - Allow access(cli)            &lt;br /&gt;
usage: manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===== FlowChart =====&lt;br /&gt;
[[File : Allow_access_group.png | center | 100px | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
usage: manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
===== Flowchart =====&lt;br /&gt;
[[File : Deny_access_group.png | center | 100px| deny access group flow]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
'''#Ques: What if the share is already mapped to another access_group/access_rules(individual) already,'''&lt;br /&gt;
Will all rules for this share id - consolidating the ones from earlier mappings and this new one, be reapplied?&lt;br /&gt;
&lt;br /&gt;
Ans: No, set of access_rules for this access_group only, will be applied on share.&lt;br /&gt;
===== Case1 Redundant Rules =====&lt;br /&gt;
If any access_rule from this access_group, is already applied on share(individually), due to access_allow api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
===== Case2 Contradictory Rules =====&lt;br /&gt;
lets say share1 has a access rule already applied to it as            &lt;br /&gt;
Access entry for Share1 -&amp;gt;( user ,admin, rw) (in share_access_map)            &lt;br /&gt;
Now an AG1 with an (user, admin, ro) is created.            &lt;br /&gt;
API request comes as allow_access(share1, AG1).            &lt;br /&gt;
&lt;br /&gt;
Share1 is asked to map with AG1, what should happen?            &lt;br /&gt;
&lt;br /&gt;
I think its same as case if we apply two contradictory rules even without access-groups- we will get an error access rule for user admin is already applied.            &lt;br /&gt;
We need to deny it first to change it.            &lt;br /&gt;
If there is an error reported from backend, then error will be registered in share_instance table.&lt;br /&gt;
access_rules_status will go in error state and access_status_message will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''# What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
Simply, rules from the access-group will be applied on the share.&lt;br /&gt;
   &lt;br /&gt;
'''# Ques: Two compatible access-groups mapping request got out of order before reaching backend driver.'''            &lt;br /&gt;
Two api requests for two access_groups where two access rules are compatible,            &lt;br /&gt;
came such as            &lt;br /&gt;
AG1 has (user, admin, rw)            &lt;br /&gt;
AG2 has (ip, 10.1.1.1, None)            &lt;br /&gt;
            &lt;br /&gt;
2 Api requests come in this order            &lt;br /&gt;
allow_access(share1, AG1) – Req1            &lt;br /&gt;
allow_access(share1, AG2) – Req2            &lt;br /&gt;
&lt;br /&gt;
let’s say these request reach driver, out of order, that is backend driver receives, first Req2 then Req1.            &lt;br /&gt;
            &lt;br /&gt;
https://etherpad.openstack.org/p/manila-access-groups-api-proposal line 324 says            &lt;br /&gt;
**NOTE** the backend driver will always have to update the export rules to whatever the current state reflected in the database may be, to avoid race conditions with changes to the access group. For example, if someone makes two requests to the api and the messages arrive out of order to the driver, the end state of the first message will incorperate both changes and the second message will be a noop            &lt;br /&gt;
            &lt;br /&gt;
That is It says  :-&lt;br /&gt;
Req2 -&amp;gt; tells the driver to update export rules as per current state in DB.            &lt;br /&gt;
Current state in DB is -&amp;gt; for share1 -&amp;gt; add two rules for AG1 and AG2 both.            &lt;br /&gt;
Req1 -&amp;gt; for driver is noop            &lt;br /&gt;
            &lt;br /&gt;
My Doubt :- &lt;br /&gt;
What I see is Req1 creates a access_mapping in db for share1 -&amp;gt; AG1 and passes that “only new” set of rules to driver layer.            &lt;br /&gt;
            &lt;br /&gt;
Currently driver doesn’t work on current state of DB            &lt;br /&gt;
           &lt;br /&gt;
    def allow_access(self, context, share_instance_id, access_rules):            &lt;br /&gt;
       &amp;quot;&amp;quot;&amp;quot;Allow access to some share instance.&amp;quot;&amp;quot;&amp;quot;            &lt;br /&gt;
add_rules = [self.db.share_access_get(context, rule_id)            &lt;br /&gt;
                           for rule_id in access_rules] &amp;gt;&amp;gt;            &lt;br /&gt;
            &lt;br /&gt;
2. Adding/Deleting of several access rules - 'access_rules' contains            &lt;br /&gt;
        all access_rules, 'add_rules' and 'delete_rules' contain rules which            &lt;br /&gt;
        should be added/deleted.Driver can ignore rules in 'access_rules' and            &lt;br /&gt;
        apply only rules from 'add_rules' and 'delete_rules'.            &lt;br /&gt;
Hence driver will only apply rules from req1 only.            &lt;br /&gt;
My understanding is Req1 driver stage won’t apply req2’s rules on share.            &lt;br /&gt;
            &lt;br /&gt;
Case3:- Access group contains multiple entries, where backend could apply only a  few successfully, a few could not be applied.            &lt;br /&gt;
            &lt;br /&gt;
Ques3: A share allow_access(share1, AG1)            &lt;br /&gt;
            &lt;br /&gt;
AG1 has 3 access rule entries            &lt;br /&gt;
            &lt;br /&gt;
[{ip, 1.1.1.1, none}, {ip, 2.2.2.2, None}, {ip, 3.3.3.3, None}]            &lt;br /&gt;
            &lt;br /&gt;
Changes made to share_access_group_mapping table.            &lt;br /&gt;
            &lt;br /&gt;
Backend could not apply 3rd rule successfully{ip, 3.3.3.3, None}            &lt;br /&gt;
            &lt;br /&gt;
Result status will be marked in access_rules_status field, access_status_message will show the reason.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Case 4: if there are 4 rules to be applied as part of access_group, lets say 1 rule is redundant - does it try for 3 others ??&lt;br /&gt;
 or a exception comes and it doesnt try further ?&lt;br /&gt;
 These are such exceptions which come like&lt;br /&gt;
 1)if share status is not AVAILABLE &lt;br /&gt;
 2)If share_access entry already exists for this share ?&lt;br /&gt;
 3)if access_level value requested for is not a valid value&lt;br /&gt;
 4)If share_instance is invalid one&lt;br /&gt;
 5)if access_rules_status is not active&lt;br /&gt;
 in all such cases we raise exception which is coming before rpc request is sent to driver layer.&lt;br /&gt;
&lt;br /&gt;
 Now need to decide&lt;br /&gt;
&amp;quot; access_status_message&amp;quot; field in &amp;quot;share_instances&amp;quot; table - will it express such messages for such exceptions?&lt;br /&gt;
 OR &lt;br /&gt;
will it express the concern if driver has in applying those rules?e ex&lt;br /&gt;
If yes,  in that case, it has to get a message back from driver, to know which rules it could not apply and why ?&lt;br /&gt;
How to get that status back from driver (Need to check)&lt;br /&gt;
 &lt;br /&gt;
 &lt;br /&gt;
 Case5:- What if an access-group that contains 4 access_rules is applied on a share share1.&lt;br /&gt;
 Now these 4 access_rules have got their entries created in share_access_map  too.&lt;br /&gt;
 What is someone deleted/denies the access rule individually ? &lt;br /&gt;
 &lt;br /&gt;
 that is &lt;br /&gt;
 1) manila access-group-allow &amp;lt;share-id&amp;gt; &amp;lt;access-group-id&amp;gt;&lt;br /&gt;
 then &lt;br /&gt;
 2)manila access-deny &amp;lt;share&amp;gt; &amp;lt;id&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
 Now some rules of this access-group are denied individually .. when we go to deny it&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123279</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123279"/>
				<updated>2016-03-31T09:40:03Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* * Deny Access Group to a share */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;                                                                                                                       = Manila Access Groups =&lt;br /&gt;
== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and deny ip address/user, the access, to a particular share. In situation, when we want a share to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of ip addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each (ip address, share) one by one!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires n iterations for each of n shares, &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed.''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, so that a set of &amp;quot;ip addresses&amp;quot; can be considered as one entity i.e. can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the &amp;quot;same set&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of homogeneous &amp;quot;access_rules/access_entries&amp;quot;. &lt;br /&gt;
(homogeneous here means rules of same &amp;quot;access_type &amp;amp; access_level&amp;quot;) &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of homogeneous access_entries. Each &amp;quot;access_entry&amp;quot; holds/represents, either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Bunch of access rules associated to an access-group, can be &amp;quot;Either a set of ip addresses OR a set of users&amp;quot;, that requires to be &amp;quot;allowed or denied&amp;quot; in a go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.'' &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 100px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== Create Access Group === &lt;br /&gt;
Create an access group:-       &lt;br /&gt;
manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Add Access Group Entries in Access group === &lt;br /&gt;
usage: manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Allow Access Group to a share ===  &lt;br /&gt;
Associating an access_group with a share - Allow access(cli)            &lt;br /&gt;
usage: manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===== Steps =====&lt;br /&gt;
1)Check if share_access_group_mapping doesn't exist  for given share_id and access_group_id, then a record will be added to “share_access_group_mapping” table.&lt;br /&gt;
   else the obtained record will be returned. End.&lt;br /&gt;
&lt;br /&gt;
2)For each 'access_group_entry' in 'access_group_entries' for this access_group: &lt;br /&gt;
       check sanity of each access_group_entry (if its already applied through access-allow api separately, OR if its a invalid access_level etc raise exception in such cases, continue the loop to next entry)&lt;br /&gt;
       create a new &amp;quot;share_access_map&amp;quot; record - obtain it.&lt;br /&gt;
       append a list of such access rules.&lt;br /&gt;
 &lt;br /&gt;
3)Pass 'access_rules_list' to be applied as a &amp;quot;bunch&amp;quot;, to each of share_instance, associated with share.&lt;br /&gt;
&lt;br /&gt;
===== FlowChart =====&lt;br /&gt;
[[File : | allow_access_group.png | center | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
'''#Ques: What if the share is already mapped to another access_group/access_rules(individual) already,'''&lt;br /&gt;
Will all rules for this share id - consolidating the ones from earlier mappings and this new one, be reapplied?&lt;br /&gt;
&lt;br /&gt;
Ans: No, set of access_rules for this access_group only, will be applied on share.&lt;br /&gt;
===== Case1 Redundant Rules =====&lt;br /&gt;
If any access_rule from this access_group, is already applied on share(individually), due to access_allow api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
===== Case2 Contradictory Rules =====&lt;br /&gt;
If a contradictory rule is already applied, there is an error reported from backend, then error will be registered in share_instance table.&lt;br /&gt;
access_rules_status will go in error state and access_status_message will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''# What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
Simply, rules from the access-group will be applied on the share.&lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
usage: manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Flowchart for the process:-&lt;br /&gt;
[[File : | Deny_access_group.png | center | deny access group flow]]&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123278</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123278"/>
				<updated>2016-03-31T09:38:51Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;                                                                                                                       = Manila Access Groups =&lt;br /&gt;
== Applying Access Rules == &lt;br /&gt;
=== Current approach ===&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and deny ip address/user, the access, to a particular share. In situation, when we want a share to be accessible by  &lt;br /&gt;
* a subnet OR &lt;br /&gt;
* a set of ip addresses together OR &lt;br /&gt;
* a set users together&lt;br /&gt;
we have to execute allow-access for each (ip address, share) one by one!!&lt;br /&gt;
That is, If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then it requires n iterations for each of n shares, &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
''That's cumbersome hence access-groups were proposed.''&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism, so that a set of &amp;quot;ip addresses&amp;quot; can be considered as one entity i.e. can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the &amp;quot;same set&amp;quot; can be allowed access to any &amp;quot;other share&amp;quot; in one single request from user. There comes the idea of '''&amp;quot;manila access-groups&amp;quot;.'''&lt;br /&gt;
&lt;br /&gt;
=== Manila Access Groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of homogeneous &amp;quot;access_rules/access_entries&amp;quot;. &lt;br /&gt;
(homogeneous here means rules of same &amp;quot;access_type &amp;amp; access_level&amp;quot;) &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of homogeneous access_entries. Each &amp;quot;access_entry&amp;quot; holds/represents, either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Bunch of access rules associated to an access-group, can be &amp;quot;Either a set of ip addresses OR a set of users&amp;quot;, that requires to be &amp;quot;allowed or denied&amp;quot; in a go. &lt;br /&gt;
&lt;br /&gt;
''Feature requirement is, to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time.'' &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 100px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== Create Access Group === &lt;br /&gt;
Create an access group:-       &lt;br /&gt;
manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Add Access Group Entries in Access group === &lt;br /&gt;
usage: manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Allow Access Group to a share ===  &lt;br /&gt;
Associating an access_group with a share - Allow access(cli)            &lt;br /&gt;
usage: manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===== Steps =====&lt;br /&gt;
1)Check if share_access_group_mapping doesn't exist  for given share_id and access_group_id, then a record will be added to “share_access_group_mapping” table.&lt;br /&gt;
   else the obtained record will be returned. End.&lt;br /&gt;
&lt;br /&gt;
2)For each 'access_group_entry' in 'access_group_entries' for this access_group: &lt;br /&gt;
       check sanity of each access_group_entry (if its already applied through access-allow api separately, OR if its a invalid access_level etc raise exception in such cases, continue the loop to next entry)&lt;br /&gt;
       create a new &amp;quot;share_access_map&amp;quot; record - obtain it.&lt;br /&gt;
       append a list of such access rules.&lt;br /&gt;
 &lt;br /&gt;
3)Pass 'access_rules_list' to be applied as a &amp;quot;bunch&amp;quot;, to each of share_instance, associated with share.&lt;br /&gt;
&lt;br /&gt;
===== FlowChart =====&lt;br /&gt;
[[File : | allow_access_group.png | center | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
'''#Ques: What if the share is already mapped to another access_group/access_rules(individual) already,'''&lt;br /&gt;
Will all rules for this share id - consolidating the ones from earlier mappings and this new one, be reapplied?&lt;br /&gt;
&lt;br /&gt;
Ans: No, set of access_rules for this access_group only, will be applied on share.&lt;br /&gt;
===== Case1 Redundant Rules =====&lt;br /&gt;
If any access_rule from this access_group, is already applied on share(individually), due to access_allow api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
===== Case2 Contradictory Rules =====&lt;br /&gt;
If a contradictory rule is already applied, there is an error reported from backend, then error will be registered in share_instance table.&lt;br /&gt;
access_rules_status will go in error state and access_status_message will contain the descriptive message.&lt;br /&gt;
&lt;br /&gt;
'''# What if access group is already mapped to other shares and this is a new mapping.'''&lt;br /&gt;
Simply, rules from the access-group will be applied on the share.&lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
usage: manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Flowchart for the process:-&lt;br /&gt;
[[File : | deny_access_group.png | center | deny access group flow]]&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123275</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123275"/>
				<updated>2016-03-31T09:06:24Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Action Flow */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;gallery&amp;gt;&lt;br /&gt;
Example.jpg|Caption1&lt;br /&gt;
Example.jpg|Caption2&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
== Current approach for access rules to a share==&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and ip address/user the access to a particular share. In case we want a share to be accessible &lt;br /&gt;
to a subnet OR &lt;br /&gt;
a set of ip addresses together OR &lt;br /&gt;
a set users together&lt;br /&gt;
we have to allow each ip address separately one by one!!&lt;br /&gt;
If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then n number of ip addresses will require n iterations for each share &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
&lt;br /&gt;
That's cumbersome hence access-groups were proposed.&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism so that a set of ip addresses can be considered as one entity, can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the same set can be allowed access to any other share in one single request from user. There comes the idea of manila access-groups.&lt;br /&gt;
&lt;br /&gt;
=== Manila Access groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of &amp;quot;access_rules&amp;quot; of same &amp;quot;access_type &amp;amp; access_level&amp;quot;.&lt;br /&gt;
Bunch of access rules can be either a &amp;quot;set of ip addresses or can be set of users&amp;quot;, to be allowed or denied in a go. &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of &amp;quot;homogeneous access_entries&amp;quot;. Each &amp;quot;access_entry&amp;quot; holds either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Feature requirement is to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time. &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 100px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== Create Access Group === &lt;br /&gt;
Create an access group:-       &lt;br /&gt;
stack@controller:~/devstack$ manila help  access-group-create&lt;br /&gt;
usage: manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Add a new access group.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;name&amp;gt;                access group name.&lt;br /&gt;
  &amp;lt;description&amp;gt;         access group description.&lt;br /&gt;
  &amp;lt;access_type&amp;gt;         access type of access group.&lt;br /&gt;
&lt;br /&gt;
Optional arguments:&lt;br /&gt;
  --access-level &amp;lt;access_level&amp;gt;, --access_level &amp;lt;access_level&amp;gt;&lt;br /&gt;
                        Share access level (&amp;quot;rw&amp;quot; and &amp;quot;ro&amp;quot; access levels are&lt;br /&gt;
                        supported). Defaults to rw.&lt;br /&gt;
e.g.&lt;br /&gt;
manila access-group-create  &amp;quot;AG2&amp;quot; &amp;quot;2nd&amp;quot;  &amp;quot;user&amp;quot;  --access_level &amp;quot;rw&amp;quot;&lt;br /&gt;
&lt;br /&gt;
=== Add Access Group Entries in Access group === &lt;br /&gt;
stack@controller:~/devstack$ manila help access-group-entry-create&lt;br /&gt;
usage: manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Add a new access group entry.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;access_to&amp;gt;        Value that defines access.&lt;br /&gt;
  &amp;lt;access_group_id&amp;gt;  Access Group ID.&lt;br /&gt;
&lt;br /&gt;
manila --debug access-group-entry-create  &amp;quot;demou&amp;quot; b81aafa9-9a46-4cf6-9d70-6c3d97442cfb &lt;br /&gt;
&lt;br /&gt;
=== Allow Access Group to a share ===  &lt;br /&gt;
Associating an access_group with a share - Allow access(cli)            &lt;br /&gt;
stack@controller:~/devstack$ manila help access-group-allow&lt;br /&gt;
usage: manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Map access group to the share.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;share&amp;gt;            ID of the NAS share to modify.&lt;br /&gt;
  &amp;lt;access_group_id&amp;gt;  ID of the access_group.&lt;br /&gt;
stack@controller:~/devstack$             &lt;br /&gt;
&lt;br /&gt;
manila --debug access-group-allow 0244bc55-ba39-4977-879d-96f8a5d4894c  b81aafa9-9a46-4cf6-9d70-6c3d97442cfb         &lt;br /&gt;
&lt;br /&gt;
===== Steps =====&lt;br /&gt;
1)Check if share_access_group_mapping doesn't exist  for given share_id and access_group_id, then a record will be added to “share_access_group_mapping” table.&lt;br /&gt;
   else the obtained record will be returned. End.&lt;br /&gt;
&lt;br /&gt;
2)For each 'access_group_entry' in 'access_group_entries' for this access_group: &lt;br /&gt;
       check sanity of each access_group_entry (if its already applied through access-allow api separately, OR if its a invalid access_level etc raise exception in such cases, continue the loop to next entry)&lt;br /&gt;
       create a new &amp;quot;share_access_map&amp;quot; record - obtain it.&lt;br /&gt;
       append a list of such access rules.&lt;br /&gt;
 &lt;br /&gt;
3)Pass 'access_rules_list' to be applied as a &amp;quot;bunch&amp;quot;, to each of share_instance, associated with share.&lt;br /&gt;
&lt;br /&gt;
===== FlowChart =====&lt;br /&gt;
[[File:: | Allow_access_group.png | center | Allow access group flow]]&lt;br /&gt;
&lt;br /&gt;
===== Design Decisions =====&lt;br /&gt;
# What if The share is already mapped to another access_group already ??&lt;br /&gt;
All rules for this share id - consolidating the ones from earlier mappings and this new one will be reapplied???&lt;br /&gt;
No, set of access_rules for this access_group only, will be applied on share.&lt;br /&gt;
If any access_rule from this access_group, is already applied on share(individually), due to access_allow api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
# What if access group is already mapped to other shares and this is a new mapping.            &lt;br /&gt;
Simply, rules from the access-group will be applied on the share.&lt;br /&gt;
&lt;br /&gt;
Need to check this (Pending)!!!&lt;br /&gt;
&lt;br /&gt;
result_rules = [entries in access_group_id AG1] union [set of entries in share_access_map table for this share_id] &lt;br /&gt;
will be sent to driver like this.            &lt;br /&gt;
&lt;br /&gt;
self.driver.update_access(            &lt;br /&gt;
                    context,            &lt;br /&gt;
                    share_instance,            &lt;br /&gt;
                    result_rules,&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt; all rules            &lt;br /&gt;
                    add_rules=add_rules,&amp;gt;&amp;gt;&amp;gt;&amp;gt; rules present only in AG1            &lt;br /&gt;
                    delete_rules=delete_rules,            &lt;br /&gt;
                    share_server=share_server            &lt;br /&gt;
                )            &lt;br /&gt;
If there is an error in applying rules, due to any reason, “access_rule_status” for share will reflect that with a descriptive error message.            &lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
stack@controller:~/devstack$ manila help access-group-deny&lt;br /&gt;
usage: manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
Unmap access group to the share.&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;share&amp;gt;            Name or ID of the NAS share to modify.&lt;br /&gt;
  &amp;lt;access_group_id&amp;gt;  ID of the access group to be unmapped.&lt;br /&gt;
stack@controller:~/devstack$ &lt;br /&gt;
manila --debug access-group-deny 0244bc55-ba39-4977-879d-96f8a5d4894c  b81aafa9-9a46-4cf6-9d70-6c3d97442cfb&lt;br /&gt;
&lt;br /&gt;
If it’s found in share_access_mapping, it will delete the mapping - will obtain all rules in the given access-group - and call update_access to delete these rules.&lt;br /&gt;
Action = deny_access_group            &lt;br /&gt;
JSON Request            &lt;br /&gt;
{            &lt;br /&gt;
 &amp;quot;deny_access_group&amp;quot;: &lt;br /&gt;
      {            &lt;br /&gt;
           &amp;quot;access_group&amp;quot;:  &amp;lt;Access-group-uuid&amp;gt;, &lt;br /&gt;
     }            &lt;br /&gt;
 }            &lt;br /&gt;
            &lt;br /&gt;
 Flowchart for the process:-&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
Allow_access_group.png|Caption1&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123274</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123274"/>
				<updated>2016-03-31T08:54:42Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* * Create Access Group */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;gallery&amp;gt;&lt;br /&gt;
Example.jpg|Caption1&lt;br /&gt;
Example.jpg|Caption2&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
== Current approach for access rules to a share==&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and ip address/user the access to a particular share. In case we want a share to be accessible &lt;br /&gt;
to a subnet OR &lt;br /&gt;
a set of ip addresses together OR &lt;br /&gt;
a set users together&lt;br /&gt;
we have to allow each ip address separately one by one!!&lt;br /&gt;
If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then n number of ip addresses will require n iterations for each share &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
&lt;br /&gt;
That's cumbersome hence access-groups were proposed.&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism so that a set of ip addresses can be considered as one entity, can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the same set can be allowed access to any other share in one single request from user. There comes the idea of manila access-groups.&lt;br /&gt;
&lt;br /&gt;
=== Manila Access groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of &amp;quot;access_rules&amp;quot; of same &amp;quot;access_type &amp;amp; access_level&amp;quot;.&lt;br /&gt;
Bunch of access rules can be either a &amp;quot;set of ip addresses or can be set of users&amp;quot;, to be allowed or denied in a go. &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of &amp;quot;homogeneous access_entries&amp;quot;. Each &amp;quot;access_entry&amp;quot; holds either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Feature requirement is to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time. &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 100px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== * Create Access Group === &lt;br /&gt;
Create an access group:-       &lt;br /&gt;
stack@controller:~/devstack$ manila help  access-group-create&lt;br /&gt;
usage: manila access-group-create [--access-level &amp;lt;access_level&amp;gt;] &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Add a new access group.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;name&amp;gt;                access group name.&lt;br /&gt;
  &amp;lt;description&amp;gt;         access group description.&lt;br /&gt;
  &amp;lt;access_type&amp;gt;         access type of access group.&lt;br /&gt;
&lt;br /&gt;
Optional arguments:&lt;br /&gt;
  --access-level &amp;lt;access_level&amp;gt;, --access_level &amp;lt;access_level&amp;gt;&lt;br /&gt;
                        Share access level (&amp;quot;rw&amp;quot; and &amp;quot;ro&amp;quot; access levels are&lt;br /&gt;
                        supported). Defaults to rw.&lt;br /&gt;
e.g.&lt;br /&gt;
manila access-group-create  &amp;quot;AG2&amp;quot; &amp;quot;2nd&amp;quot;  &amp;quot;user&amp;quot;  --access_level &amp;quot;rw&amp;quot;&lt;br /&gt;
&lt;br /&gt;
=== * Add Access Group Entries in Access group === &lt;br /&gt;
stack@controller:~/devstack$ manila help access-group-entry-create&lt;br /&gt;
usage: manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Add a new access group entry.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;access_to&amp;gt;        Value that defines access.&lt;br /&gt;
  &amp;lt;access_group_id&amp;gt;  Access Group ID.&lt;br /&gt;
&lt;br /&gt;
manila --debug access-group-entry-create  &amp;quot;demou&amp;quot; b81aafa9-9a46-4cf6-9d70-6c3d97442cfb &lt;br /&gt;
&lt;br /&gt;
=== * Allow Access Group to a share ===  &lt;br /&gt;
Associating an access_group with a share - Allow access(cli)            &lt;br /&gt;
stack@controller:~/devstack$ manila help access-group-allow&lt;br /&gt;
usage: manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Map access group to the share.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;share&amp;gt;            ID of the NAS share to modify.&lt;br /&gt;
  &amp;lt;access_group_id&amp;gt;  ID of the access_group.&lt;br /&gt;
stack@controller:~/devstack$             &lt;br /&gt;
&lt;br /&gt;
manila --debug access-group-allow 0244bc55-ba39-4977-879d-96f8a5d4894c  b81aafa9-9a46-4cf6-9d70-6c3d97442cfb         &lt;br /&gt;
&lt;br /&gt;
1)Check if share_access_group_mapping doesnt exist  for given share_id and access_group_id. , then an entry will be added to“share_access_group_mapping” table.&lt;br /&gt;
&lt;br /&gt;
2)For each 'access_group_entry' in 'access_group_entries' for this access_group: &lt;br /&gt;
check sanity of each access_group_entry (if its already applied through access-allow api separately, OR if its a invalid access_level etc raise exception in such cases, continue the loop to next entry)&lt;br /&gt;
create a new &amp;quot;share_access_map&amp;quot; record - obtain it.&lt;br /&gt;
append a list of such access rules.&lt;br /&gt;
 &lt;br /&gt;
3)Pass 'access_rules_list' to be applied as a &amp;quot;bunch&amp;quot;, to each of share_instance, associated with share.&lt;br /&gt;
&lt;br /&gt;
Flowchart link:-&lt;br /&gt;
https://wiki.openstack.org/w/images/8/85/Allow_access_group.png&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
** What if The share is already mapped to another access_group already ??&lt;br /&gt;
All rules for this share id - consolidating the ones from earlier mappings and this new one will be reapplied???&lt;br /&gt;
No, set of access_rules for this access_group only, will be applied on share.&lt;br /&gt;
If any access_rule from this access_group, is already applied on share(individually), due to access_allow api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
** What if access group is already mapped to other shares and this is a new mapping.            &lt;br /&gt;
Simply, rules from the access-group will be applied on the share.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Need to check this (Pending)!!!&lt;br /&gt;
&lt;br /&gt;
result_rules = [entries in access_group_id AG1] union [set of entries in share_access_map table for this share_id] &lt;br /&gt;
will be sent to driver like this.            &lt;br /&gt;
&lt;br /&gt;
self.driver.update_access(            &lt;br /&gt;
                    context,            &lt;br /&gt;
                    share_instance,            &lt;br /&gt;
                    result_rules,&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt; all rules            &lt;br /&gt;
                    add_rules=add_rules,&amp;gt;&amp;gt;&amp;gt;&amp;gt; rules present only in AG1            &lt;br /&gt;
                    delete_rules=delete_rules,            &lt;br /&gt;
                    share_server=share_server            &lt;br /&gt;
                )            &lt;br /&gt;
If there is an error in applying rules, due to any reason, “access_rule_status” for share will reflect that with a descriptive error message.            &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
stack@controller:~/devstack$ manila help access-group-deny&lt;br /&gt;
usage: manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
Unmap access group to the share.&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;share&amp;gt;            Name or ID of the NAS share to modify.&lt;br /&gt;
  &amp;lt;access_group_id&amp;gt;  ID of the access group to be unmapped.&lt;br /&gt;
stack@controller:~/devstack$ &lt;br /&gt;
manila --debug access-group-deny 0244bc55-ba39-4977-879d-96f8a5d4894c  b81aafa9-9a46-4cf6-9d70-6c3d97442cfb&lt;br /&gt;
&lt;br /&gt;
If it’s found in share_access_mapping, it will delete the mapping - will obtain all rules in the given access-group - and call update_access to delete these rules.&lt;br /&gt;
Action = deny_access_group            &lt;br /&gt;
JSON Request            &lt;br /&gt;
{            &lt;br /&gt;
 &amp;quot;deny_access_group&amp;quot;: &lt;br /&gt;
      {            &lt;br /&gt;
           &amp;quot;access_group&amp;quot;:  &amp;lt;Access-group-uuid&amp;gt;, &lt;br /&gt;
     }            &lt;br /&gt;
 }            &lt;br /&gt;
            &lt;br /&gt;
 Flowchart for the process:-&lt;br /&gt;
https://wiki.openstack.org/wiki/File:Deny_access_group.png&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123273</id>
		<title>Manila/design/access groups</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&amp;diff=123273"/>
				<updated>2016-03-31T08:51:21Z</updated>
		
		<summary type="html">&lt;p&gt;Nidhi Mittal Hada: /* Current approach for access rules to a share */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;gallery&amp;gt;&lt;br /&gt;
Example.jpg|Caption1&lt;br /&gt;
Example.jpg|Caption2&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
== Current approach for access rules to a share==&lt;br /&gt;
Today we use &amp;quot;manila allow-access&amp;quot; and &amp;quot;manila deny-access&amp;quot; cli to allow and ip address/user the access to a particular share. In case we want a share to be accessible &lt;br /&gt;
to a subnet OR &lt;br /&gt;
a set of ip addresses together OR &lt;br /&gt;
a set users together&lt;br /&gt;
we have to allow each ip address separately one by one!!&lt;br /&gt;
If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then n number of ip addresses will require n iterations for each share &lt;br /&gt;
that's n^2 operations from user side. &lt;br /&gt;
&lt;br /&gt;
That's cumbersome hence access-groups were proposed.&lt;br /&gt;
&lt;br /&gt;
=== Requirement ===&lt;br /&gt;
Requirement is to have a mechanism so that a set of ip addresses can be considered as one entity, can be allowed the access to a share together. &lt;br /&gt;
Henceforth, the same set can be allowed access to any other share in one single request from user. There comes the idea of manila access-groups.&lt;br /&gt;
&lt;br /&gt;
=== Manila Access groups ===&lt;br /&gt;
A new object named &amp;quot;access_groups&amp;quot; will be created by user. Each &amp;quot;access_group&amp;quot; represents a bunch of &amp;quot;access_rules&amp;quot; of same &amp;quot;access_type &amp;amp; access_level&amp;quot;.&lt;br /&gt;
Bunch of access rules can be either a &amp;quot;set of ip addresses or can be set of users&amp;quot;, to be allowed or denied in a go. &lt;br /&gt;
&lt;br /&gt;
Access Group contains a set of &amp;quot;homogeneous access_entries&amp;quot;. Each &amp;quot;access_entry&amp;quot; holds either one &amp;quot;ip-address&amp;quot; or one &amp;quot;user-name&amp;quot; at a time. &lt;br /&gt;
Feature requirement is to provide a mechanism, to allow the access to a share for &amp;quot;a group of ip addresses/users&amp;quot;, in one go, &lt;br /&gt;
instead of allowing each ip-address/user one at a time. &lt;br /&gt;
&lt;br /&gt;
=== Challenges ===&lt;br /&gt;
A set of rules applied in a bunch using access-groups. Earlier &amp;quot;allow-access/deny-access&amp;quot; api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.&lt;br /&gt;
&lt;br /&gt;
A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.&lt;br /&gt;
&lt;br /&gt;
Object Relationships:-&lt;br /&gt;
[[File: DB_relationships.png| center | 100px| Object Relationship Diagram]]&lt;br /&gt;
&lt;br /&gt;
== Action Flow == &lt;br /&gt;
=== * Create Access Group === &lt;br /&gt;
Create an access group:-       &lt;br /&gt;
stack@controller:~/devstack$ manila help  access-group-create&lt;br /&gt;
usage: manila access-group-create [--access-level &amp;lt;access_level&amp;gt;]&lt;br /&gt;
                                  &amp;lt;name&amp;gt; &amp;lt;description&amp;gt; &amp;lt;access_type&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Add a new access group.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;name&amp;gt;                access group name.&lt;br /&gt;
  &amp;lt;description&amp;gt;         access group description.&lt;br /&gt;
  &amp;lt;access_type&amp;gt;         access type of access group.&lt;br /&gt;
&lt;br /&gt;
Optional arguments:&lt;br /&gt;
  --access-level &amp;lt;access_level&amp;gt;, --access_level &amp;lt;access_level&amp;gt;&lt;br /&gt;
                        Share access level (&amp;quot;rw&amp;quot; and &amp;quot;ro&amp;quot; access levels are&lt;br /&gt;
                        supported). Defaults to rw.&lt;br /&gt;
e.g.&lt;br /&gt;
manila access-group-create  &amp;quot;AG2&amp;quot; &amp;quot;2nd&amp;quot;  &amp;quot;user&amp;quot;  --access_level &amp;quot;rw&amp;quot;&lt;br /&gt;
&lt;br /&gt;
=== * Add Access Group Entries in Access group === &lt;br /&gt;
stack@controller:~/devstack$ manila help access-group-entry-create&lt;br /&gt;
usage: manila access-group-entry-create &amp;lt;access_to&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Add a new access group entry.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;access_to&amp;gt;        Value that defines access.&lt;br /&gt;
  &amp;lt;access_group_id&amp;gt;  Access Group ID.&lt;br /&gt;
&lt;br /&gt;
manila --debug access-group-entry-create  &amp;quot;demou&amp;quot; b81aafa9-9a46-4cf6-9d70-6c3d97442cfb &lt;br /&gt;
&lt;br /&gt;
=== * Allow Access Group to a share ===  &lt;br /&gt;
Associating an access_group with a share - Allow access(cli)            &lt;br /&gt;
stack@controller:~/devstack$ manila help access-group-allow&lt;br /&gt;
usage: manila access-group-allow &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Map access group to the share.&lt;br /&gt;
&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;share&amp;gt;            ID of the NAS share to modify.&lt;br /&gt;
  &amp;lt;access_group_id&amp;gt;  ID of the access_group.&lt;br /&gt;
stack@controller:~/devstack$             &lt;br /&gt;
&lt;br /&gt;
manila --debug access-group-allow 0244bc55-ba39-4977-879d-96f8a5d4894c  b81aafa9-9a46-4cf6-9d70-6c3d97442cfb         &lt;br /&gt;
&lt;br /&gt;
1)Check if share_access_group_mapping doesnt exist  for given share_id and access_group_id. , then an entry will be added to“share_access_group_mapping” table.&lt;br /&gt;
&lt;br /&gt;
2)For each 'access_group_entry' in 'access_group_entries' for this access_group: &lt;br /&gt;
check sanity of each access_group_entry (if its already applied through access-allow api separately, OR if its a invalid access_level etc raise exception in such cases, continue the loop to next entry)&lt;br /&gt;
create a new &amp;quot;share_access_map&amp;quot; record - obtain it.&lt;br /&gt;
append a list of such access rules.&lt;br /&gt;
 &lt;br /&gt;
3)Pass 'access_rules_list' to be applied as a &amp;quot;bunch&amp;quot;, to each of share_instance, associated with share.&lt;br /&gt;
&lt;br /&gt;
Flowchart link:-&lt;br /&gt;
https://wiki.openstack.org/w/images/8/85/Allow_access_group.png&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
** What if The share is already mapped to another access_group already ??&lt;br /&gt;
All rules for this share id - consolidating the ones from earlier mappings and this new one will be reapplied???&lt;br /&gt;
No, set of access_rules for this access_group only, will be applied on share.&lt;br /&gt;
If any access_rule from this access_group, is already applied on share(individually), due to access_allow api..&lt;br /&gt;
then excluding that access_rule, rest of the rules present in access_group will be applied on share.&lt;br /&gt;
&lt;br /&gt;
** What if access group is already mapped to other shares and this is a new mapping.            &lt;br /&gt;
Simply, rules from the access-group will be applied on the share.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Need to check this (Pending)!!!&lt;br /&gt;
&lt;br /&gt;
result_rules = [entries in access_group_id AG1] union [set of entries in share_access_map table for this share_id] &lt;br /&gt;
will be sent to driver like this.            &lt;br /&gt;
&lt;br /&gt;
self.driver.update_access(            &lt;br /&gt;
                    context,            &lt;br /&gt;
                    share_instance,            &lt;br /&gt;
                    result_rules,&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt; all rules            &lt;br /&gt;
                    add_rules=add_rules,&amp;gt;&amp;gt;&amp;gt;&amp;gt; rules present only in AG1            &lt;br /&gt;
                    delete_rules=delete_rules,            &lt;br /&gt;
                    share_server=share_server            &lt;br /&gt;
                )            &lt;br /&gt;
If there is an error in applying rules, due to any reason, “access_rule_status” for share will reflect that with a descriptive error message.            &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== * Deny Access Group to a share === &lt;br /&gt;
stack@controller:~/devstack$ manila help access-group-deny&lt;br /&gt;
usage: manila access-group-deny &amp;lt;share&amp;gt; &amp;lt;access_group_id&amp;gt;&lt;br /&gt;
Unmap access group to the share.&lt;br /&gt;
Positional arguments:&lt;br /&gt;
  &amp;lt;share&amp;gt;            Name or ID of the NAS share to modify.&lt;br /&gt;
  &amp;lt;access_group_id&amp;gt;  ID of the access group to be unmapped.&lt;br /&gt;
stack@controller:~/devstack$ &lt;br /&gt;
manila --debug access-group-deny 0244bc55-ba39-4977-879d-96f8a5d4894c  b81aafa9-9a46-4cf6-9d70-6c3d97442cfb&lt;br /&gt;
&lt;br /&gt;
If it’s found in share_access_mapping, it will delete the mapping - will obtain all rules in the given access-group - and call update_access to delete these rules.&lt;br /&gt;
Action = deny_access_group            &lt;br /&gt;
JSON Request            &lt;br /&gt;
{            &lt;br /&gt;
 &amp;quot;deny_access_group&amp;quot;: &lt;br /&gt;
      {            &lt;br /&gt;
           &amp;quot;access_group&amp;quot;:  &amp;lt;Access-group-uuid&amp;gt;, &lt;br /&gt;
     }            &lt;br /&gt;
 }            &lt;br /&gt;
            &lt;br /&gt;
 Flowchart for the process:-&lt;br /&gt;
https://wiki.openstack.org/wiki/File:Deny_access_group.png&lt;/div&gt;</summary>
		<author><name>Nidhi Mittal Hada</name></author>	</entry>

	</feed>