<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 31 October 2016 at 22:28, David G. Bingham <span dir="ltr"><<a href="mailto:dbingham@godaddy.com" target="_blank">dbingham@godaddy.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:calibri,sans-serif">
<div>
<div id="gmail-m_-806543532683939605magicdomid4" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">Yo Neutron devs :-)</span></div>
<div id="gmail-m_-806543532683939605magicdomid5" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<br style="margin:0px;padding:0px">
</div>
<div id="gmail-m_-806543532683939605magicdomid1323" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">I was wondering if something like the following subject has come up: "Cloud-provider Security Groups".</span></div>
<div id="gmail-m_-806543532683939605magicdomid1323" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px"><br>
</span></div>
<div id="gmail-m_-806543532683939605magicdomid1323" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
*Goal of this email*: Gauge the community’s need and see if this has come up in past.</div>
<div id="gmail-m_-806543532683939605magicdomid2020" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">*Requirement*: Apply a provider-managed global set of network flows to all instances.</span></div>
<div id="gmail-m_-806543532683939605magicdomid2021" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">*Use Case*: For our private cloud, we need to dynamically allow network traffic flows from other internal network sources across all instances.</span></div>
<div id="gmail-m_-806543532683939605magicdomid2022" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">*Basic Idea*: Provide an *admin-only* accessible security group ruleset that would persist and apply these "cloud-provider" security group rules to all instances of a cloud. This *may* be in
the form of a new "provider" API or an extension to the existing API only accessible via "admin". When instances are created, this global SG ruleset would be applied to each VM/ironic instance. This feature likely should be capable of being enabled/disabled depending
on the provider's need.</span></div>
<div id="gmail-m_-806543532683939605magicdomid2027" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px"><br>
</span></div>
<div id="gmail-m_-806543532683939605magicdomid2027" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">*Real example*: Company security team wants to audit consistent security software installations (i.e. HIPS) across our entire fleet of servers for compliance reporting. Each vm/ironic instance
is required to have this software installed and up to date. Security audit team actually audits each and every server to ensure it is running, patched and up to date. These auditing tools source from a narrow set of internal IPs/ports and each instance must
allow access to these auditing tools.</span></div>
<div id="gmail-m_-806543532683939605magicdomid21" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<br style="margin:0px;padding:0px">
</div>
<div id="gmail-m_-806543532683939605magicdomid2032" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">--- What we do today to hack a "cloud-provider" flow in a private cloud ---</span></div>
<div id="gmail-m_-806543532683939605magicdomid1802" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">1) We've locked down the default rules (only admins can modify them, which effectively kills a lot of canned neutron tools).</span></div>
<div id="gmail-m_-806543532683939605magicdomid1803" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">2) We've written an external script that iterates over all projects in our private cloud (~10k projects)</span></div>
<div id="gmail-m_-806543532683939605magicdomid1804" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">3) For each project:</span></div>
<div id="gmail-m_-806543532683939605magicdomid1805" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">3a) Fetch default SGs for that project and do a comparison of its default rules against *target* default rules</span></div>
<div id="gmail-m_-806543532683939605magicdomid1806" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">3b) Create any new missing rules, delete any removed rules</span></div>
<div id="gmail-m_-806543532683939605magicdomid1807" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">3c) Next project</span></div>
<div id="gmail-m_-806543532683939605magicdomid1808" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">This process is cumbersome, takes 20+ hours to run (over ~10k projects) and has to be throttled such that it doesn't over-hammer neutron while it's still serving production traffic.</span></div>
<div id="gmail-m_-806543532683939605magicdomid30" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<br style="margin:0px;padding:0px">
</div>
<div id="gmail-m_-806543532683939605magicdomid1809" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">--- What we'd like to do in future ---</span></div>
<div id="gmail-m_-806543532683939605magicdomid1810" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">1) Call Security Group API that would modify a "cloud-provider" ruleset.</span></div>
<div id="gmail-m_-806543532683939605magicdomid1811" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">2) When updated, agents on HVs detect the "cloud-provider" change and then apply the rules across all instances.</span></div>
<div id="gmail-m_-806543532683939605magicdomid1812" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">Naturally there are going to be a lot of technical hurdles to make this happen while a cloud is currently in-flight.</span></div>
<div id="gmail-m_-806543532683939605magicdomid35" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<br style="margin:0px;padding:0px">
</div>
<div id="gmail-m_-806543532683939605magicdomid1813" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">Other uses for “Provider SGs":</span></div>
<div id="gmail-m_-806543532683939605magicdomid1814" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">* We want to enable new shared features (i.e. monitoring aaS) that all our internal projects can take advantage of. When the monitoring team adds/modifies IPs to scale, we'd apply these cloud-provider
rules on behalf of all projects in the private cloud without users having to concern themselves about the monitoring team's changes.</span></div>
<div id="gmail-m_-806543532683939605magicdomid1815" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">* We want to allow access to some internal sites to our VPN users on specific ports. These VPN ranges are dynamically changed by the VPN team. Our teams should not need to go into individual
projects to add a new rule when VPN team changes ranges.</span></div>
<div id="gmail-m_-806543532683939605magicdomid1816" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">* This list could go on and on and naturally makes much more sense in a *private cloud* scenario, but there may be cases for public providers.</span></div>
<div id="gmail-m_-806543532683939605magicdomid1534" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<br style="margin:0px;padding:0px">
</div>
<div id="gmail-m_-806543532683939605magicdomid1534" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
I’d be happy to create a spec.</div>
<div id="gmail-m_-806543532683939605magicdomid1534" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<br>
</div>
<div id="gmail-m_-806543532683939605magicdomid1817" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">Seen this before? Thoughts? Good, Bad or Ugly? :-)</span></div></div></div></blockquote><div><br></div><div>I think this has come up before [1]. The use case is legitimate, but there are a couple of ways in which this can be accomplished. As pointed out by others, FWaaS is the solution we suggested to address this particular need.</div><div><br></div><div>[1] <a href="https://bugs.launchpad.net/neutron/+bug/1592000">https://bugs.launchpad.net/neutron/+bug/1592000</a></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:calibri,sans-serif"><div>
<div id="gmail-m_-806543532683939605magicdomid1553" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<br style="margin:0px;padding:0px">
</div>
<div id="gmail-m_-806543532683939605magicdomid1818" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">Thanks,</span></div>
<div id="gmail-m_-806543532683939605magicdomid1819" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">David Bingham (wwriverrat on irc)</span></div>
<div id="gmail-m_-806543532683939605magicdomid1820" class="gmail-m_-806543532683939605ace-line" style="margin:0px;padding:0px;font-family:"helvetica neue",arial,sans-serif;font-size:12px;font-variant-ligatures:normal">
<span style="margin:0px;padding:1px 0px">GoDaddy</span></div>
</div>
<div>
<div id="gmail-m_-806543532683939605MAC_OUTLOOK_SIGNATURE"></div>
</div>
</div>
<br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
<br></blockquote></div><br></div></div>