This is a simple server which can be used to manage complex Neutron policies
which are not possible to be managed using the default Neutron policy.json
file due to the lack of programmatic control. It covers the following use
cases:
The default Neutron policy does not allow the use of allowed address pairs for provider networks. However, in a use case where you need to run a highly available service on a provider network, you may need to use allowed address pairs to allow multiple instances to share the same IP address.
This service intercepts the existing Neutron policy and allows the use of allowed address pairs for provider networks under these circumstances:
- Users can modify an
allowed_address_pairsattribute to their port if they own another port on the same network with the same MAC & IP address. - Users cannot delete a port if another port on the same network has an
allowed_address_pairsattribute with the same MAC & IP address. - Users cannot modify the
fixed_ipsattribute of a port if another port on the same network has anallowed_address_pairsattribute with the IP.