Jump to: navigation, search

Difference between revisions of "Manila/design/access groups"

< Manila‎ | design
(Created page with "<gallery> Example.jpg|Caption1 Example.jpg|Caption2 </gallery> == Current design of access rules === Today we use "manila allow-access" and "manila deny-access" cli to allow a...")
 
(Current design of access rules =)
Line 3: Line 3:
 
Example.jpg|Caption2
 
Example.jpg|Caption2
 
</gallery>
 
</gallery>
== Current design of access rules ===
+
== Current approach for access rules to a share===
Today we use "manila allow-access" and "manila deny-access" cli to allow and ip address/user the access to a particular share. In case we want a share to be accessible to a subnet or
+
Today we use "manila allow-access" and "manila deny-access" cli to allow and ip address/user the access to a particular share. In case we want a share to be accessible  
a set of ip addresses together or a set users we have to allow each ip address one by one. If we want to allow 'n' ip addresses for each of 'n' shares, then n number of ip addresses will require another n iterations for each share that's n^2 commands from user.
+
to a subnet OR
 +
a set of ip addresses together OR
 +
a set users together
 +
we have to allow each ip address separately one by one!!
 +
If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then n number of ip addresses will require n iterations for each share  
 +
that's n^2 operations from user side. That's cumbersome hence access-groups were proposed.
  
=== Proposal ===
+
=== Requirement ===
Proposal is to have a mechanism so that a set of ip addresses as one entity, can be allowed to access a share together and that set can be allowed access to any other share in one go.
+
Requirement is to have a mechanism so that a set of ip addresses can be considered as one entity, can be allowed the access to a share together.
There comes the idea of manila access-groups
+
Henceforth, the same set can be allowed access to any other share in one single request from user. There comes the idea of manila access-groups.
  
 
=== Manila Access groups ===
 
=== Manila Access groups ===
Access Groups is a object contains a set of homogeneous access_entries. Each access_entry holds one ip-address or one user-name. This feature is to provide a mechanism, to allow access to a group of ip addresses/users, in one go, instead of allowing each ip-address/user one at a time.  
+
A new object named "access_groups" will be created by user. Each "access_group" represents a bunch of "access_rules" of same "access_type & access_level".
 +
Bunch of access rules can be either a "set of ip addresses or can be set of users", to be allowed or denied in a go.  
  
=== Proposal :- ===
+
Access Group contains a set of "homogeneous access_entries". Each "access_entry" holds either one "ip-address" or one "user-name" at a time.  
A new object named "access_groups" will be created by user. Each "access_group" represents a bunch of "access_rules" of same "access_type & access_level".
+
Feature requirement is to provide a mechanism, to allow the access to a share for "a group of ip addresses/users", in one go,
Bunch of access rules can be either a set of ip addresses or can be set of users, to be allowed or denied in a go.  
+
instead of allowing each ip-address/user one at a time.  
  
 
=== Challenges ===
 
=== Challenges ===
Line 24: Line 30:
  
 
Object Relationships:-
 
Object Relationships:-
 
<gallery>
 
https://wiki.openstack.org/wiki/File:DB_relationships.png
 
</gallery>
 

Revision as of 06:51, 31 March 2016

  • Example.jpg

    Caption1

  • Example.jpg

    Caption2

Current approach for access rules to a share=

Today we use "manila allow-access" and "manila deny-access" cli to allow and ip address/user the access to a particular share. In case we want a share to be accessible to a subnet OR a set of ip addresses together OR a set users together we have to allow each ip address separately one by one!! If we want to allow a same set of 'n' ip addresses, for each of 'n' shares, then n number of ip addresses will require n iterations for each share that's n^2 operations from user side. That's cumbersome hence access-groups were proposed.

Requirement

Requirement is to have a mechanism so that a set of ip addresses can be considered as one entity, can be allowed the access to a share together. Henceforth, the same set can be allowed access to any other share in one single request from user. There comes the idea of manila access-groups.

Manila Access groups

A new object named "access_groups" will be created by user. Each "access_group" represents a bunch of "access_rules" of same "access_type & access_level". Bunch of access rules can be either a "set of ip addresses or can be set of users", to be allowed or denied in a go.

Access Group contains a set of "homogeneous access_entries". Each "access_entry" holds either one "ip-address" or one "user-name" at a time. Feature requirement is to provide a mechanism, to allow the access to a share for "a group of ip addresses/users", in one go, instead of allowing each ip-address/user one at a time.

Challenges

A set of rules applied in a bunch using access-groups. Earlier "allow-access/deny-access" api works on individual access rules. So it can interfere and allow/deny any access without any knowledge of access-group. That has to be taken care of.

A parallel interface to serve same purpose but in different granularity, causes redundancy in database and information.

Object Relationships:-

Retrieved from "https://wiki.openstack.org/w/index.php?title=Manila/design/access_groups&oldid=123266"