LBaaS Layer 7 rules¶
Launchpad blueprint:
https://blueprints.launchpad.net/neutron/+spec/lbaas-l7-rules
Layer 7 switching takes its name from the OSI model, indicating that the device switches requests based on layer 7 (application) data. Layer 7 switching is also known as “request switching”, “application switching”, and “content based routing”. A layer 7 switch presents to the outside world a “virtual server” that accepts requests on behalf of a number of servers and distributes those requests based on policies that use application data to determine which server should service which request. This allows for the application infrastructure to be specifically tuned/optimized to serve specific types of content. For example, one server can be tuned to serve only images, another for execution of server-side scripting languages like PHP and ASP, and another for static content such as HTML, CSS and JavaScript.
Problem Description¶
Use Cases:
Redirect traffic to a Pool that supports static content (HTML, CSS)
Redirect traffic to a Pool that serves images (jpg, png, etc)
Proposed Change¶
Extend the LBaaS API and support Layer 7 switching.
- L7 Entities:
L7Rule - Set of attributes that defines which part of the request should be matched and how it should be matched.
L7Policy - A collection of L7Rules. Holds the action that should be performed when the rules are matched.(Redirect to Pool, Redirect to URL, Reject). L7Policy holds a Listener id, so a Listner can evaluate a collection of L7Policies. L7Policy will return ‘true’ when all of the L7Rules that belong to this L7Policy are matched. L7Policies under a specific Listener are ordered and the first l7Policy that returns a match will be executed. When none of the policies match the request gets forwarded to listener.default_pool_id
Data Model Impact¶
Model:
+--------------------+ +--------------------+
| Listener | | L7Policy |
+--------------------+ +--------------------+
| | | |
| id | | id |
| other attributes +--------+ action |
| | | pool id |
| | | redirect url |
| | | listener id |
+--------------------+ | index |
| |
| |
+-----------------+--+
|
|
+------------------+--+
| L7Rule |
+---------------------+
| |
| id |
| l7 policy id |
| type |
| compare type |
| key |
| value |
| |
+---------------------+
Two new entities are introduced: L7Rule and L7Policy The L7Policy is a container of L7Rules. The L7Policy contains a reference to a Listener
L7Rule object Data Model.
Field
Type
Null
Key
Default
id
string(36)
NO
PRI
l7_policy_id
string(36)
NO
FK
type
Enum (*)
NO
compare_type
Enum (*)
NO
key
string(36)
NO
value
string(36)
YES
type values
Hostname
Path
- FileType: This is the file extension. Examples: txt, jpg, png, xls
A rule that is looking for text files will look like: type = FileType, compare_type=EqualTo, value = txt
Header
- Cookie: This is the value of a specific cookie
A rule that is looking for a cookie named ‘department’ with the value starting with ‘finance-’ will look like: type = Cookie, compare_type=StartsWith, key = department value = finance-
compare_type values
Regexp
StartsWith
EndsWith
Contains
EqualTo
GreaterThan
LessThan
L7Policy object Data Model.
Field
Type
Null
Key
Default
id
string(36)
NO
PRI
listener_id
string(36)
NO
FK
action
Enum (*)
NO
pool_id
string(36)
YES
redirect_url
string(256)
YES
index
int
NO
action: [Reject,RedirectToURL,RedirectToPool]
If action is RedirectToURL redirect_url can not be null
If action is RedirectToPool pool_id can not be null
Index
If total policies for this listener is less than index, append to end of list.
Index numbering starts with 0
If policy with same index number exists, insert the new policy at that index number and increment all policy indexes for this listener with an equal or higher index value.
Not specifying an index appends the policy to the list.
REST API Impact¶
l7rule-create Create a L7Rule for a given tenant.
Request
POST /v2.0/l7rules Accept: application/json
{
"l7rule":{
"l7_policy_id": "6b96ff0cb17a4b859e1e575d221683c5",
"type":"Header",
"compare_type":"StartsWith",
"key":'department',
"value":"HR"
}
}
Response
{
"l7rule":{
"id": "6b96ff0cb17a4b859e1e575d221683d7",
"l7_policy_id": "6b96ff0cb17a4b859e1e575d221683c5",
"type":"Header",
"compare_type":"StartsWith",
"key":'department',
"value":"HR",
"tenant_id":"6b96ff0cb17a4b859e1e575d2216845"
}
}
l7rule-show Show information of a given L7Rule.
Request
GET /v2.0/l7rules/6b96ff0cb17a4b859e1e575d221683d7 Accept: application/json
Response
{
"l7rule":{
"id": "6b96ff0cb17a4b859e1e575d221683d7",
"l7_policy_id": "6b96ff0cb17a4b859e1e575d221683c5",
"type":"Header",
"compare_type":"StartsWith",
"key":'department',
"value":"HR"
"tenant_id":"6b96ff0cb17a4b859e1e575d2216845"
}
}
l7rule-delete Delete a given L7Rule.
Request
DELETE /v2.0/l7rules/6b96ff0cb17a4b859e1e575d221683d7 Accept: application/json
l7policy-create Create a L7Policy for a given tenant.
POST /v2.0/l7policies Accept: application/json
{
"l7policy":{
"listener_id": "6b96ff0cb17a4b859e1e575d221683c5",
"action":"RedirectToPool",
"pool_id":6b96ff0cb17a4b859e1e575d22168399,
"index": 2
}
}
Response
{
"l7policy":{
"id": "6b96ff0cb17a4b859e1e575d221683d7",
"listener_id": "6b96ff0cb17a4b859e1e575d221683c5",
"action":"RedirectToPool",
"pool_id":6b96ff0cb17a4b859e1e575d22168399,
"tenant_id":"6b96ff0cb17a4b859e1e575d2216845",
"index": 2
}
}
l7policy-show Show information of a given L7Policy.
Request
GET /v2.0/l7policies/6b96ff0cb17a4b859e1e575d221683d7 Accept: application/json
Response
{
"l7policy":{
"id": "6b96ff0cb17a4b859e1e575d221683d7",
"listener_id": "6b96ff0cb17a4b859e1e575d221683c5",
"action":"RedirectToPool",
"pool_id":6b96ff0cb17a4b859e1e575d22168399,
"tenant_id":"6b96ff0cb17a4b859e1e575d2216845",
"index": 2
}
}
l7policy-delete Delete a given L7Policy.
Request
DELETE /v2.0/l7policies/6b96ff0cb17a4b859e1e575d221683d7 Accept: application/json
Security Impact¶
None.
Notifications Impact¶
None.
Other End User Impact¶
None.
Performance Impact¶
None.
IPv6 Impact¶
None
Other Deployer Impact¶
None.
Developer Impact¶
None.
Community Impact¶
This change has been in review since Juno. Much discussion has taken place over IRC and the mailing list.
Alternatives¶
None.
Implementation¶
Assignee(s)¶
- Primary assignee:
- Other contributors:
TBD
Work Items¶
REST API
DB Schema
LBaaS plugin and driver API
CLI update
Dependencies¶
Depends on the new LBaaS model https://review.openstack.org/#/c/89903/
Testing¶
Tempest Tests¶
DB mixin and schema tests
LBaaS Plugin with mocked driver end-to-end tests
Tempest tests
CLI tests
Functional Tests¶
Specific driver tests for each existing driver supporting L7 switching
API Tests¶
REST API and attributes validation tests
Documentation Impact¶
User Documentation¶
Neutron CLI should be modified with L7Rule and L7Policy entities
Developer Documentation¶
Neutron API should be modified with L7Rule and L7Policy entities