yahoo-eng-team team mailing list archive
Message #60827
[Bug 1659416] [NEW] RFE: extend security group rules to support logging
Public bug reported:
It is important for operators to have visibility for security rule
enforcements, as described in [1]. A specific requirement is to be able
to control logging behaviour at rule level.
A typical use case is, when defining rules for a new application, or
when an application has new clients, the user wants to observe/learn
what are the active flows in "monitoring" phase, to avoid missing rules.
During this phase, an "allow any" rule can be added to the security group
for that application, and packets hitting that rule can be logged (with
rate limiting).
For this purpose, rule level logging enabling/disabling is required.
Instead of a generic logging API, this RFE proposes a simple extension to
security rule resource, to add a "log" property. It will be each
plugin's choice whether and how to support it. Take networking-ovn as an
example, it will be straightforward to translate this into the "log"
keyword in OVN ACL.
[1] https://bugs.launchpad.net/neutron/+bug/1468366
** Affects: neutron
Importance: Undecided
Status: New
** Tags: rfe
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1659416
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1659416/+subscriptions