
yahoo-eng-team team mailing list archive

[Bug 1845622] Re: [RFE] Decouple allow_address_pair service with security_group

 

According to the last comment from Yang Youseok, I will mark this RFE as
postponed. If there are some valid use cases for it, we can revive
it in the future.

** Tags removed: rfe-triaged
** Tags added: rfe-postponed

** Changed in: neutron
       Status: Confirmed => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1845622

Title:
  [RFE] Decouple allow_address_pair service with security_group

Status in neutron:
  Opinion

Bug description:
  Currently, if a user turns off the security_group functionality using
  'enable_security_group=False', allow_address_pair is also disabled.

  At a glance, this seems reasonable because allow_address_pair only
  deals with ACLs, which means adding an IP table allow rule for a specific IP.

  But it makes other implementations which depend on the
  'allowed_address_pair' functionality unusable. For example, the Octavia
  allowed_address_pair driver cannot be initialized when Neutron does
  not have the API service endpoint. Therefore, Octavia cannot work at
  all, even if it doesn't have to make the VIP port accessible (this is
  because the security group is already disabled, so there is no blocking
  rule for the port).

  I think it's a little bit controversial that Octavia should care about
  whether 'security_group' is enabled; in my opinion, it's better to
  decouple the security group and allowed_address_pair on the Neutron side.
  This is due to the fact that the purpose of allowed_address_pair is
  merely to enable additional access points, and any other 3rd-party
  implementations depend on that purpose. (In fact, we ourselves are
  actually depending on allowed_address_pair, making additional business
  logic for that.)

  So my suggestion is just to let the allowed-address-pair extension go
  even if security_group is disabled. It would be a no-op on the Neutron
  side, and nothing will be changed.

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1845622/+subscriptions

