[openstack-dev] [nova] [neutron] Replacement of SecurityGroup object model API

Tan, Lin lin.tan at intel.com
Tue Dec 24 12:31:07 UTC 2013

Hi all,

I have struggled with the SecurityGroup and SecurityGroupRule object model for a while, and I have some questions about how to handle SecurityGroup from Neutron.
Here is the workflow for my solution now:
[Attached image: image001.png]
Before the Object Model, SecurityGroup was a dict that contained SecurityGroupRule like this:
{'id': 1, 'ip_protocol': 'tcp', 'from_port': 22, 'to_port': 22, 'rules': []}
With the Object Model, SecurityGroup and SecurityGroupRule will be two individual identities. Only SecurityGroupRule knows who its parent_group is. But sometimes we only have a SecurityGroup and need to know its rules, so we need to search in the DB to find its rules. This works fine with nova SecurityGroup. But it doesn't work with Neutron SecurityGroup, because they are not in the Nova DB.
Right now, I pass the Neutron SecurityGroup to EC2 as a dict, and EC2's behavior varies depending on the SecurityGroup it receives.

So the problem is: do we have to convert the Neutron group into the object model as well? If so, then where do we store the group and rule information, like the nova DB? (I tried to save them in the API request or store them in neutron_driver, but they can't work.) Otherwise, do we need to modify the design of the Security Group Object, like combining them into one object?

You can see more details here: https://review.openstack.org/#/c/59655/

Best Regards,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 19890 bytes
Desc: image001.png
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131224/8932314d/attachment.png>