yahoo-eng-team team mailing list archive, Message #82443
[Bug 1875516] [NEW] [RFE] Allow sharing security groups as read-only
Public bug reported:
Currently, security groups can be shared with the rbac system, but the
only valid action is `access_as_shared`, which allows the target tenant
to create/delete (only) new rules on the security group. This works fine
for use-cases where the group should be shared in a nearly equal way.
[Problem description]
Some users/services may want a security group to be visible, but read-only. A prime example of this would be to enable ProjectB to add a security group owned by ProjectA as a remotely trusted group on their own security group.
The immediate need for this is found in the following Octavia patch:
https://review.opendev.org/723735
Octavia would like to share the security group it creates for each
load-balancer with the load-balancer's owner, so they can open access to
their backend members for only a specific load-balancer.
[Proposed solution]
Add a new action type for security group RBAC: `access_as_readonly` (or similar, name up for debate). This action would allow the target tenant to see the shared security group with Show/List, but not create/delete new rules for it or change it in any way.
[Alternatives]
Overload `access_as_external` to be valid for security groups as well, and define it to mean the same as above (entirely read-only access). This makes some sense, but it is probably cleaner to simply add a new action.
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1875516
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1875516/+subscriptions
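The sharing semantics the report describes, as an added example (not Neutron's code and not from the Octavia patch): a small model of RBAC visibility in which `access_as_shared` grants list/show plus rule create/delete, and the proposed `access_as_readonly` grants list/show only. The dataclasses, the `ACTION_GRANTS` table and the project names ProjectA/ProjectB are constructed assumptions; the scenario shows why a read-only share is the least-privilege fit for the Octavia case.

```python
from dataclasses import dataclass, field

# Operations each RBAC action grants the target project. `access_as_shared` is
# current behaviour per the report; `access_as_readonly` is the proposal (assumed).
ACTION_GRANTS = {"access_as_shared": {"show", "create_rule"},
                 "access_as_readonly": {"show"}}

@dataclass
class SecurityGroup:
    id: str
    project_id: str
    rules: list = field(default_factory=list)

@dataclass
class RbacEntry:  # constructed stand-in for a Neutron RBAC policy row
    object_id: str
    action: str
    target_project: str

def allowed(sg, project, op, rbac):
    """True if `project` may perform `op` ("show" or "create_rule") on `sg`."""
    if sg.project_id == project:  # the owning project may do anything
        return True
    return any(e.object_id == sg.id and e.target_project in (project, "*")
               and op in ACTION_GRANTS.get(e.action, set()) for e in rbac)

def add_rule(sg, project, remote_group_id, groups, rbac):
    """Add an ingress rule to `sg` trusting `remote_group_id`: needs create_rule
    on `sg` plus show on the remote group (the check a read-only share satisfies)."""
    if not allowed(sg, project, "create_rule", rbac):
        raise PermissionError(f"{project} may not add rules to {sg.id}")
    if not allowed(groups[remote_group_id], project, "show", rbac):
        raise PermissionError(f"{project} cannot see {remote_group_id}")
    sg.rules.append({"direction": "ingress", "remote_group_id": remote_group_id})
    return sg.rules[-1]

def octavia_scenario(action):
    """Octavia (ProjectA) shares the LB group with the LB owner (ProjectB) via
    `action`; returns (owner_can_edit_lb_group, owner_can_trust_lb_group)."""
    lb_sg = SecurityGroup("lb-sg", "ProjectA")
    member_sg = SecurityGroup("member-sg", "ProjectB")
    groups = {g.id: g for g in (lb_sg, member_sg)}
    rbac = [RbacEntry("lb-sg", action, "ProjectB")]
    can_edit = allowed(lb_sg, "ProjectB", "create_rule", rbac)
    try:
        add_rule(member_sg, "ProjectB", "lb-sg", groups, rbac)
        can_trust = True
    except PermissionError:
        can_trust = False
    return can_edit, can_trust
```

With `access_as_shared` the owner can both trust and edit Octavia's group; with the proposed read-only action it can trust it without being able to change its rules.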