openstack team mailing list archive

Thread
Date

Re: OpenStack Security Group Extension Prohibits same group source in rules

To: "Hookway, Ray" <Ray.Hookway@xxxxxx>
From: Vishvananda Ishaya <vishvananda@xxxxxxxxx>
Date: Tue, 29 Nov 2011 10:11:14 -0800
Cc: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <C22D024952C80F43A3DF46437798D9995C912AD911@GVW1338EXA.americas.hpqcorp.net>

+1.  This sounds like a bug. FYI there are some issues related to adding source group rules that specify ports that need to be fixed.  We have also discussed whether or not the same group should be allow all by default. In ec2 it does.  I personally like having it explicit like this, but I don't know if it is confusing to people coming from other clouds.

Vish

On Nov 28, 2011, at 8:32 PM, Hookway, Ray wrote:

> I would like to be able to create a security group rule which allows communication between VMs within the group. Using the EC2 API this can be done as follows:
>  
> rjh@cloud1:~$ euca-describe-groups
> GROUP rjhproject  default     default
> PERMISSION  rjhproject  default     ALLOWS      tcp   22    22    FROM  CIDR  0.0.0.0/0
> PERMISSION  rjhproject  default     ALLOWS      icmp  -1    -1    FROM  CIDR  0.0.0.0/0
> PERMISSION  rjhproject  default     ALLOWS      tcp   80    80    GRPNAME     default
> rjh@cloud1:~$ euca-add-group -d 'permissive group' rjhgroup
> GROUP rjhgroup    permissive group
> rjh@cloud1:~$ euca-authorize -o rjhgroup rjhgroup
> rjhgroup rjhgroup None tcp None None 0.0.0.0/0
> GROUP rjhgroup
> PERMISSION  rjhgroup    ALLOWS      tcp   GRPNAME     rjhgroup    FROM  CIDR  0.0.0.0/0
> rjh@cloud1:~$ euca-describe-groups
> GROUP rjhproject  default     default
> PERMISSION  rjhproject  default     ALLOWS      tcp   22    22    FROM  CIDR  0.0.0.0/0
> PERMISSION  rjhproject  default     ALLOWS      icmp  -1    -1    FROM  CIDR  0.0.0.0/0
> PERMISSION  rjhproject  default     ALLOWS      tcp   80    80    GRPNAME     default
> GROUP rjhproject  rjhgroup    permissive group
> PERMISSION  rjhproject  rjhgroup    ALLOWS      icmp  -1    -1    GRPNAME     rjhgroup
> PERMISSION  rjhproject  rjhgroup    ALLOWS      tcp   1     65535 GRPNAME     rjhgroup
> PERMISSION  rjhproject  rjhgroup    ALLOWS      udp   1     65536 GRPNAME     rjhgroup
>  
> So, it looks like security groups support the notion of a group with rules that mention the group containing the rule as a source. However, the security_groups.py extension contains an explicit check that the source group id is not the same as the parent group id. Why is this done? I would like to remove this restriction allowing rules to be created similar to the one created above using EC2. Any objections?
>  
> -Ray Hookway (rjh)
>  
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp

References

OpenStack Security Group Extension Prohibits same group source in rules
From: Hookway, Ray, 2011-11-29