GaOrtiga opened a new pull request, #7153: URL: https://github.com/apache/cloudstack/pull/7153
In ACS the creation of tiers of a VPC is restricted to the same account that owns the VPC; therefore, each account needs to have its own VPC and it is not possible to group tiers owned by different accounts in the same VPC. These tiers cannot share the same VR that is used to implement the VPC, for instance. However, in private cloud scenarios, to reduce the number of VRs, it might be interesting to have VPCs whose tiers are owned by different accounts; thus, they (the accounts) share the same VR/VPC, but each one has its own broadcast domain and features implemented by the VPC, such as DHCP, NAT, and so on.

To address this situation, the concept of Domain VPCs has been created (only available on the API so far), where a VPC can be managed by a domain and its tiers can be created for accounts inside the domain.

In the `createNetwork` API it will be possible to create networks (tiers) in a VPC from a different account; however, the target account must be accessible for the account that owns the VPC. The tiers will be isolated from the broadcast domain and will consume the same VR, in accordance with the current behavior. Also, if a VPN is set up in the VPC, the user will have access to all networks, in accordance with the current behavior.

### Types of changes

- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [X] New feature (non-breaking change which adds functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)

### Feature/Enhancement Scale or Bug Severity

#### Feature/Enhancement Scale

- [ ] Major
- [X] Minor

#### Bug Severity

- [ ] BLOCKER
- [ ] Critical
- [ ] Major
- [ ] Minor
- [ ] Trivial

### How Has This Been Tested?

I created VPCs with Root Admin, Domain Admin, and user accounts and tried creating tiers in these VPCs for the other accounts (should only be able to create if the VPC account has access to the account that owns the network).

| # | VPC owner account | Network Owner account | Same Domain | Could Create | Expected Result |
| ------ | ------ | ------ | ------ | ------ | ------ |
| 1 | Root Admin | Any | Any | Y | Y |
| 2 | Domain Admin | Any | N | N | Y |
| 3 | Domain Admin | Any | Y | Y | Y |
| 4 | User | Same User | Y | Y | Y |
| 5 | User | Any Other | Any | N | Y |

I also ran some basic tests like deploying VMs in the created networks and checking that the networks were working properly.
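The rule exercised by the test matrix above (a tier may be created only when the VPC owner has access to the network owner) can be modelled as a small authorization check. This is an added illustration, not code from the pull request or from CloudStack; `Role`, `Account`, the domain paths and the treatment of subdomains as "inside the domain" are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):          # hypothetical role names for this model
    ROOT_ADMIN = "root-admin"
    DOMAIN_ADMIN = "domain-admin"
    USER = "user"


@dataclass(frozen=True)
class Account:             # hypothetical stand-in for an account record
    name: str
    role: Role
    domain_path: str       # constructed sample value, e.g. "/ROOT/eng"


def in_domain(child: str, parent: str) -> bool:
    """True when `child` is `parent` or sits beneath it (assumption).

    Paths are compared segment by segment, so "/ROOT/eng2" is not
    treated as inside "/ROOT/eng", which a plain startswith() would do.
    """
    c = [s for s in child.split("/") if s]
    p = [s for s in parent.split("/") if s]
    return c[:len(p)] == p


def can_create_tier(vpc_owner: Account, network_owner: Account) -> bool:
    """The VPC owner must have access to the account that owns the tier."""
    if vpc_owner.role is Role.ROOT_ADMIN:
        return True                                   # row 1
    if vpc_owner.role is Role.DOMAIN_ADMIN:
        return in_domain(network_owner.domain_path,
                         vpc_owner.domain_path)       # rows 2 and 3
    return vpc_owner == network_owner                 # rows 4 and 5


if __name__ == "__main__":
    # Constructed accounts covering the five rows of the table.
    root = Account("admin", Role.ROOT_ADMIN, "/ROOT")
    eng_admin = Account("eng-admin", Role.DOMAIN_ADMIN, "/ROOT/eng")
    alice = Account("alice", Role.USER, "/ROOT/eng")
    bob = Account("bob", Role.USER, "/ROOT/eng")
    carol = Account("carol", Role.USER, "/ROOT/sales")
    for owner, target in [(root, carol), (eng_admin, carol),
                          (eng_admin, alice), (alice, alice), (alice, bob)]:
        print(owner.name, "->", target.name, can_create_tier(owner, target))
```
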
