
yahoo-eng-team team mailing list archive

[Bug 1983053] [NEW] Add possibility to define default security group rules


Public bug reported:

Currently, when the default security group is created for every new project, there are 4 hardcoded rules added to it. Those rules allow:
1. IPv4 egress traffic from the port,
2. IPv6 egress traffic from the port,
3. IPv4 ingress traffic to the port coming from other ports which use the same security group,
4. IPv6 ingress traffic to the port coming from other ports which use the same security group.

There are a couple of issues with that:
1. it is a known fact that SG rules with remote_group_id (rules 3. and 4. above) don't scale well, e.g. with neutron-openvswitch-agent,
2. some operators would like to define different rules to be created by default for each new project.

So this RFE proposes adding the possibility for operators (admin users, maybe) to define the SG rules which will be added by default to the default security group of each project.
To keep backward compatibility with what we have now, and what has been working like that for many years, by default we may configure those 4 rules mentioned above as the default SG rules, but the operator (admin user) will have the possibility to change it.

I mentioned that it can be defined by an operator or admin user because we may
implement it either as a new API which will be available for admins only, or e.g.
via some special config file (something similar to policy.yaml), which
could then be modified by the cloud's operator.

** Affects: neutron
     Importance: Wishlist
     Assignee: Slawek Kaplonski (slaweq)
         Status: New


** Tags: rfe

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1983053

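To make the design question in the RFE concrete, here is an added example (written for this page, not neutron code or the proposed implementation) of what an operator-configurable template for the default security group could look like. It uses the attribute names neutron's security group rule API exposes (direction, ethertype, protocol, port_range_min/max, remote_ip_prefix, remote_group_id), but the template format, the PARENT sentinel, the function names and the sample prefixes are assumptions made for this example. The point it shows: rules 3 and 4 reference the default group itself, whose id does not exist until the project's group is created, so a cloud-wide template has to express "this group" symbolically and resolve it at creation time, and any other remote_group_id in a template is meaningless and should be rejected. It also shows an alternative template that avoids remote_group_id entirely, which is the scaling concern the RFE raises.

```python
"""Illustrative model of configurable default security group rules.

Added example, not neutron code. The rule dicts use the attribute names of
neutron's security group rule API; the template format, the PARENT sentinel
and the function names are assumptions made for this example.
"""
import copy
import uuid

# Sentinel (assumed, not a neutron identifier) that a template uses to refer
# to the default security group being created, whose id is unknown until then.
PARENT = "PARENT"

# The four rules neutron currently hardcodes for every new project's default
# security group, expressed as a template (backward-compatible default).
LEGACY_DEFAULT_TEMPLATE = [
    {"direction": "egress", "ethertype": "IPv4"},
    {"direction": "egress", "ethertype": "IPv6"},
    {"direction": "ingress", "ethertype": "IPv4", "remote_group_id": PARENT},
    {"direction": "ingress", "ethertype": "IPv6", "remote_group_id": PARENT},
]

# An alternative an operator might configure: ingress from an address range by
# prefix instead of remote_group_id, plus SSH from a single bastion host.
# The prefixes are constructed sample values.
PREFIX_TEMPLATE = [
    {"direction": "egress", "ethertype": "IPv4"},
    {"direction": "egress", "ethertype": "IPv6"},
    {"direction": "ingress", "ethertype": "IPv4", "remote_ip_prefix": "10.0.0.0/8"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "192.0.2.10/32"},
]

_ALLOWED_KEYS = {"direction", "ethertype", "protocol", "port_range_min",
                 "port_range_max", "remote_ip_prefix", "remote_group_id"}


def validate_template(template):
    """Return a list of problems; empty means the template is usable.

    A template rule may only reference the default group itself (PARENT):
    any other remote_group_id would belong to one specific project and cannot
    be a cloud-wide default. The basic per-rule constraints (direction and
    ethertype values, remote_ip_prefix and remote_group_id being mutually
    exclusive) are checked as well.
    """
    errors = []
    for i, rule in enumerate(template):
        unknown = set(rule) - _ALLOWED_KEYS
        if unknown:
            errors.append(f"rule {i}: unknown keys {sorted(unknown)}")
        if rule.get("direction") not in ("ingress", "egress"):
            errors.append(f"rule {i}: direction must be ingress or egress")
        if rule.get("ethertype") not in ("IPv4", "IPv6"):
            errors.append(f"rule {i}: ethertype must be IPv4 or IPv6")
        if "remote_ip_prefix" in rule and "remote_group_id" in rule:
            errors.append(f"rule {i}: remote_ip_prefix and remote_group_id are exclusive")
        remote_group = rule.get("remote_group_id")
        if remote_group is not None and remote_group != PARENT:
            errors.append(f"rule {i}: remote_group_id may only be {PARENT!r}")
    return errors


def create_default_sg(project_id, template=LEGACY_DEFAULT_TEMPLATE):
    """Build a new project's default SG from the configured template.

    The PARENT sentinel is resolved to the freshly generated group id, so
    rules 3 and 4 of the legacy template end up referencing the group itself.
    """
    errors = validate_template(template)
    if errors:
        raise ValueError("; ".join(errors))
    sg_id = str(uuid.uuid4())
    rules = []
    for tmpl in template:
        rule = copy.deepcopy(tmpl)
        if rule.get("remote_group_id") == PARENT:
            rule["remote_group_id"] = sg_id
        rule.update({"security_group_id": sg_id, "project_id": project_id})
        rules.append(rule)
    return {"id": sg_id, "name": "default", "project_id": project_id,
            "security_group_rules": rules}


def remote_group_rule_count(sg):
    """Number of rules that must be re-expanded whenever group membership
    changes; this is the quantity behind the scaling concern."""
    return sum(1 for r in sg["security_group_rules"] if r.get("remote_group_id"))
```

With the legacy template, `remote_group_rule_count` is 2 for every project; with the prefix-based template it is 0, at the cost of the operator having to pick address ranges that are correct for the deployment. Whichever template is used, it should be validated once when the operator configures it (API call or config load), not on every project creation, so a broken default cannot leave new projects with no security group.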
