
yahoo-eng-team team mailing list archive

[Bug 1845622] [NEW] Decouple allow_address_pair service with security_group


Public bug reported:

Currently, if a user turns off the security_group functionality using
'enable_security_group=False', allow_address_pair is also disabled.

At a glance, it seems to be reasonable because allow_address_pair only
deals with ACLs, which means adding an iptables allow rule for a specific IP.

But it makes other implementations which depend on the
'allowed_address_pair' functionality unusable. For example, the Octavia
allowed_address_pair driver could not be initialized when Neutron does not
have the API service endpoint. Therefore, Octavia could not work at all,
even if it doesn't have to make the VIP port accessible (this is because
the security group is already disabled, so there is no blocking rule for
the port).

I think it's a little bit controversial that Octavia should care about
whether 'security_group' is enabled; in my opinion, it's better to decouple
the security group and allowed_address_pair on the Neutron side. This is due
to the fact that the purpose of allowed_address_pair is merely to enable
additional access points, and any other 3rd-party implementations depend on
that purpose. (In fact, we ourselves are actually depending on
allowed_address_pair and building additional business logic on it.)

So my suggestion is just letting the allowed-address-pair extension go even
if security_group is disabled. It would be a no-op on the Neutron side, and
nothing would be changed.

Thanks!

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1845622

Title:
  Decouple allow_address_pair service with security_group

Status in neutron:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1845622/+subscriptions