Public bug reported:

In the context of my work, I'm looking to "enforce" some security group settings onto all ports of a Network.

For a bit more context, we're configuring a network as external, so that it may provide network access to a service which is not managed by OpenStack. We wanted, through this network, to allow only specific projects to access said service, with the following specificities:

- Open access to said service by default (behind a VIP, so essentially allowing traffic for a specific CIDR/mask)
- Prevent each VM on this network from seeing each other, so that "exposing" the service to the VM does not inadvertently provide connectivity between the VMs (another RFE may address this, to be created)

Opening traffic by default means that we need to somehow enforce the association of a SecurityGroup with all ports from a Network. As there is currently no such concept in Neutron, we thought of creating a SecurityGroupNetworkBinding, which would be included in all security-group related operations affecting a port (such as listing rules, listing security groups, etc.), but could not be removed through the port.

As we have no existing mastery of the neutron code, from a bit of reading, we can surmise that this would involve at least:

- Adding a new DB model and object for this new concept: SecurityGroupNetworkBinding
- Adding a new API to allow creating such a binding
- Updating existing network APIs, where relevant, for updates/removal of the SecurityGroupNetworkBindings
- Updating the ports APIs to include resolution of the network's bound SecurityGroups wherever useful (for listing security groups, rules, etc.; as we imagine that some of these are used by the agents to apply the flow controls reflecting the security group rules)
- Updating the client libraries to expose the new APIs
- Updating the client CLI plugin to expose new commands for this additional feature
- Updating whatever plugin exposes the security-group and network bindings onto Horizon, and allows controlling them

Of course, we're going to put in the work for this, as it's part of our priority items, hopefully as part of a neutron contribution, if we find a solution to this issue we can agree on.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2075955

Title:
  [RFE] Allow binding SecurityGroups to Network

Status in neutron:
  New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2075955/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
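As an added illustration of the semantics the RFE proposes (this is a toy model written for this note, not Neutron code): a port's effective security groups are resolved as its own groups plus the groups bound to its network, the agent-facing rule list is built from that union, and a port-level update cannot drop a network-bound group. The class names, group names and CIDRs are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample groups (assumption, not a real deployment): one group opens
# the service VIP CIDR, the other is an ordinary tenant-managed group.
SECURITY_GROUPS = {
    "service-access": [("egress", "192.0.2.0/24", 443)],
    "tenant-default": [("egress", "0.0.0.0/0", None)],
}


class BindingEnforced(Exception):
    """A port update tried to drop a group that is bound to the port's network."""


@dataclass
class Network:
    name: str
    bound_sgs: set = field(default_factory=set)  # hypothetical SecurityGroupNetworkBindings


@dataclass
class Port:
    name: str
    network: Network
    sgs: set = field(default_factory=set)  # groups chosen by the port owner


def effective_security_groups(port):
    """What listing the port's security groups would return: own plus network-bound."""
    return port.sgs | port.network.bound_sgs


def effective_rules(port):
    """What the agent would program for the port: the rules of every effective group."""
    return [r for sg in sorted(effective_security_groups(port)) for r in SECURITY_GROUPS[sg]]


def update_port_security_groups(port, requested):
    """Port-level update with full-list (PUT) semantics. Network-bound groups cannot
    be dropped here; only editing the network binding removes them."""
    missing = port.network.bound_sgs - set(requested)
    if missing:
        raise BindingEnforced(f"{sorted(missing)} are bound to network {port.network.name}")
    port.sgs = set(requested) - port.network.bound_sgs


def allows(port, direction, remote_ip, dport):
    """True if any effective rule matches the flow (rules are allow-only, as in Neutron)."""
    addr = ip_address(remote_ip)
    return any(d == direction and addr in ip_network(cidr) and p in (None, dport)
               for d, cidr, p in effective_rules(port))
```

Clearing the owner's own groups leaves the service CIDR reachable, while omitting the bound group from a port update is rejected; only `Network.bound_sgs` changes the enforced set.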