Hi Salvatore,
as you wrote, it works. Thanks a lot.
Regarding my second question "Add additional rules to the default
security group", I would add rules in the "default" of the "default
security group". In other words, I'm able to modify each security
group named "default" of each tenant, but I would add rules to the
default rules of the default security group (at the moment they are only
4), so that I don't have to modify the rules of the default security
group every time for each tenant.
Do you have any suggestion?
Thanks. Giusy
On 17/05/2015 20:36, Mike Dorman wrote:
Yup. This is exactly what we do, with Neutron policy.json. I can
confirm that this works and achieves what you need.
Mike
From: Salvatore Orlando
Date: Saturday, May 16, 2015 at 12:54 AM
To: Giuseppa Muscianisi
Cc: "openstack@lists.openstack.org"
Subject: Re: [Openstack] modify policy for security group on neutron
Perhaps you can achieve this by editing policy.json (located by
default in /etc/neutron).
For instance you can allow only admin users to add security group
rules to any security group by specifying the following:
"create_security_group_rule": "rule:admin_only"
Similar rules for update and deletion of security group rules will
prevent you from modifying existing rules.
This same set of rules will anyway allow admin users to add rules to
the default security group.
Salvatore
On 15 May 2015 at 09:31, Giuseppa Muscianisi <g.muscian...@cineca.it> wrote:
Dear all,
in our openstack cluster, we would restrict the actions that users
can do with security group and security group rules.
Here's what we'd like to achieve:
1. Lock down security group (and rules) so that only admin (or tenant admin?) can modify them.
2. Add additional rules to the default security group.
Can you please give me some advice on how to achieve these goals?
Thanks in advance, Giusy
--
---------------------------------------------------------------
" Consider your origin:
you were not made to live as brutes,
but to follow virtue and knowledge "
Dante Alighieri
Divine Comedy - Inferno - Canto XXVI
---------------------------------------------------------------
Giuseppa Muscianisi, Ph.D.
CINECA - SuperComputing, Applications and Innovation Department
Via Magnanelli 6/3, 40033 Casalecchio di Reno (BO) - Italy
Phone: +39 051 6171 775
www.cineca.it
_______________________________________________
Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
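An added example, not part of the thread or of Neutron itself: a small audit of a policy.json that follows `rule:` references and reports which security-group actions are not restricted to admins. The sample policy is constructed, and the list of actions and the `role:admin` base check are assumptions to adapt to the deployment.

```python
import json

# Constructed sample, not a real deployment's file. The last entry leaves out
# the "rule:" prefix on purpose to show how the audit reports it.
SAMPLE_POLICY = """{
  "context_is_admin": "role:admin",
  "admin_only": "rule:context_is_admin",
  "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
  "create_security_group": "rule:admin_only",
  "update_security_group": "rule:admin_or_owner",
  "create_security_group_rule": "rule:admin_only",
  "delete_security_group_rule": "admin_only"
}"""

# Assumption: the actions this site wants restricted to admins.
LOCKED_ACTIONS = ("create_security_group", "update_security_group",
                  "delete_security_group", "create_security_group_rule",
                  "delete_security_group_rule")
ADMIN_LEAF = "role:admin"  # assumption: admins are identified by this check

def leaf_checks(policy, expr, seen=()):
    """Follow rule:<name> references and return the base checks they end in."""
    leaves = []
    for tok in expr.split():
        tok = tok.lstrip("(").rstrip(")")  # keeps %(tenant_id)s intact
        if tok.startswith("rule:") and tok[5:] in policy and tok[5:] not in seen:
            leaves += leaf_checks(policy, policy[tok[5:]], seen + (tok[5:],))
        elif tok not in ("and", "or", ""):
            leaves.append(tok)  # base check, or a rule: that cannot be resolved
    return leaves

def audit(policy_text, actions=LOCKED_ACTIONS):
    """Return {action: problem} for every action that is not admin-only."""
    policy = json.loads(policy_text)
    findings = {}
    for action in actions:
        if action not in policy:
            findings[action] = "no explicit entry"
            continue
        leaves = leaf_checks(policy, policy[action])
        malformed = [l for l in leaves if ":" not in l and l not in ("@", "!", "not")]
        if malformed:  # e.g. a rule name written without the "rule:" prefix
            findings[action] = "malformed check: " + ", ".join(malformed)
        elif not leaves or any(l != ADMIN_LEAF for l in leaves):
            findings[action] = "not admin-only: " + (" ".join(leaves) or "empty rule")
    return findings
```

The audit is deliberately conservative: any base check other than `role:admin`, including one combined with `and` or `not`, is reported for manual review.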