
openstack team mailing list archive

OpenStack Security Group Extension Prohibits same group source in rules

I would like to be able to create a security group rule which allows communication between VMs within the group. Using the EC2 API this can be done as follows:

rjh@cloud1:~$ euca-describe-groups
GROUP rjhproject  default     default
PERMISSION  rjhproject  default     ALLOWS      tcp   22    22    FROM  CIDR  0.0.0.0/0
PERMISSION  rjhproject  default     ALLOWS      icmp  -1    -1    FROM  CIDR  0.0.0.0/0
PERMISSION  rjhproject  default     ALLOWS      tcp   80    80    GRPNAME     default
rjh@cloud1:~$ euca-add-group -d 'permissive group' rjhgroup
GROUP rjhgroup    permissive group
rjh@cloud1:~$ euca-authorize -o rjhgroup rjhgroup
rjhgroup rjhgroup None tcp None None 0.0.0.0/0
GROUP rjhgroup
PERMISSION  rjhgroup    ALLOWS      tcp   GRPNAME     rjhgroup    FROM  CIDR  0.0.0.0/0
rjh@cloud1:~$ euca-describe-groups
GROUP rjhproject  default     default
PERMISSION  rjhproject  default     ALLOWS      tcp   22    22    FROM  CIDR  0.0.0.0/0
PERMISSION  rjhproject  default     ALLOWS      icmp  -1    -1    FROM  CIDR  0.0.0.0/0
PERMISSION  rjhproject  default     ALLOWS      tcp   80    80    GRPNAME     default
GROUP rjhproject  rjhgroup    permissive group
PERMISSION  rjhproject  rjhgroup    ALLOWS      icmp  -1    -1    GRPNAME     rjhgroup
PERMISSION  rjhproject  rjhgroup    ALLOWS      tcp   1     65535 GRPNAME     rjhgroup
PERMISSION  rjhproject  rjhgroup    ALLOWS      udp   1     65536 GRPNAME     rjhgroup

So, it looks like security groups support the notion of a group with rules that mention the group containing the rule as a source. However, the security_groups.py extension contains an explicit check that the source group id is not the same as the parent group id. Why is this done? I would like to remove this restriction allowing rules to be created similar to the one created above using EC2. Any objections?

-Ray Hookway (rjh)
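The following is an added example, not code from the original post and not nova's security_groups.py extension. It models the two things the message discusses: an admission check that may or may not reject a rule whose source group is the group the rule is being added to, and the expansion of a group-sourced rule into concrete source addresses, which is what a self-referencing rule means at the firewall level (traffic from the group's own members). The class and function names (Rule, SecurityGroup, validate_rule, resolve_sources, build_example) and the member IP addresses are constructed for illustration.

```python
"""Hypothetical model of OpenStack-style security group rules whose source is
another group, including the self-referencing case discussed in the post.

Example code only: not nova's implementation. Names and sample addresses are
constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    protocol: str
    from_port: int
    to_port: int
    cidr: Optional[str] = None       # source given as an IP range ...
    group_id: Optional[str] = None   # ... or as another security group


@dataclass
class SecurityGroup:
    group_id: str
    members: List[str]               # fixed IPs of instances in the group (constructed)
    rules: List[Rule] = field(default_factory=list)


def validate_rule(parent_id: str, rule: Rule, allow_self_reference: bool) -> bool:
    """Admission check: exactly one source form, a well-formed CIDR if given,
    and, when allow_self_reference is False, a source group that differs from
    the group the rule is being added to (the restriction the post describes)."""
    if (rule.cidr is None) == (rule.group_id is None):
        raise ValueError("rule needs exactly one of cidr or group_id")
    if rule.cidr is not None:
        ip_network(rule.cidr)  # raises ValueError on a malformed CIDR
    if rule.group_id == parent_id and not allow_self_reference:
        raise ValueError("source group must not be the parent group")
    return True


def rejected_by_strict_check(parent_id: str, rule: Rule) -> bool:
    """True if the strict (no self-reference) check would refuse this rule."""
    try:
        validate_rule(parent_id, rule, allow_self_reference=False)
    except ValueError:
        return True
    return False


def add_rule(group: SecurityGroup, rule: Rule, groups: Dict[str, SecurityGroup],
             allow_self_reference: bool = True) -> None:
    validate_rule(group.group_id, rule, allow_self_reference)
    if rule.group_id is not None and rule.group_id not in groups:
        raise KeyError(f"unknown source group {rule.group_id}")
    group.rules.append(rule)


def resolve_sources(group: SecurityGroup,
                    groups: Dict[str, SecurityGroup]) -> List[Tuple[str, int, int, str]]:
    """Expand each rule to (protocol, from_port, to_port, source_cidr), the way a
    host firewall driver would before emitting per-instance filter entries.
    A rule whose source group is the group itself expands to the group's own
    members, i.e. it permits traffic between VMs inside the group."""
    resolved = []
    for r in group.rules:
        if r.cidr is not None:
            resolved.append((r.protocol, r.from_port, r.to_port, str(ip_network(r.cidr))))
        else:
            for ip in sorted(groups[r.group_id].members):
                resolved.append((r.protocol, r.from_port, r.to_port, f"{ip}/32"))
    return resolved


def build_example() -> Dict[str, SecurityGroup]:
    """Rebuilds the rjhgroup scenario from the post with constructed member IPs."""
    groups = {
        "rjhgroup": SecurityGroup("rjhgroup", ["10.0.0.6", "10.0.0.5"]),
        "default": SecurityGroup("default", ["10.0.0.9"]),
    }
    g = groups["rjhgroup"]
    add_rule(g, Rule("icmp", -1, -1, group_id="rjhgroup"), groups)
    add_rule(g, Rule("tcp", 1, 65535, group_id="rjhgroup"), groups)
    add_rule(g, Rule("tcp", 22, 22, cidr="0.0.0.0/0"), groups)
    return groups


if __name__ == "__main__":
    groups = build_example()
    for entry in resolve_sources(groups["rjhgroup"], groups):
        print(entry)
    strict = rejected_by_strict_check("rjhgroup", Rule("tcp", 80, 80, group_id="rjhgroup"))
    print("strict check rejects self-referencing rule:", strict)
```

With the strict check enabled the self-referencing rules in build_example would be refused at admission; with it relaxed they resolve to the group's own member addresses, which is the intra-group communication the post is after.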
