yahoo-eng-team team mailing list archive

[Bug 1659416] Re: RFE: extend security group rules to support logging

 

** Changed in: neutron
   Importance: Undecided => Wishlist

** Changed in: neutron
       Status: New => Confirmed

** Changed in: neutron
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1659416

Title:
  RFE: extend security group rules to support logging

Status in neutron:
  Won't Fix

Bug description:
  It is important for operators to have visibility for security rule
  enforcements, as described in [1]. A specific requirement is to be
  able to control logging behaviour at rule level.

  A typical use case is, when defining rules for a new application, or
  when an application has new clients, the user wants to observe/learn
  what the active flows are in the "monitoring" phase, to avoid missing
  rules. During this phase, an "allow any" rule can be added to the
  security group for that application, and packets hitting that rule can
  be logged (with rate limiting).

  For this purpose, rule level logging enabling/disabling is required.
  Instead of a generic logging API, this RFE proposes a simple extension
  to the security rule resource, to add a "log" property. It will be each
  plugin's choice whether and how to support it. Take networking-ovn as
  an example: it will be straightforward to translate this into the
  "log" keyword in OVN ACL.

  [1] https://bugs.launchpad.net/neutron/+bug/1468366

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1659416/+subscriptions
