[openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis Applicability to the OpenStack Project
Mohammad Banikazemi
mb at us.ibm.com
Fri May 23 13:08:02 UTC 2014
Hi Mike. I think we still owe you a response to your earlier email as we
recover from the summit but let me address your current questions below.
> On May 22, 2014, at 6:55 PM, "Mike Grima" <mike.r.grima at gmail.com> wrote:
>
> Hello,
>
> Just to make sure I understand:
>
> 1.) I’m assuming that you can dilettante which policies apply to specific
VM’s within a group (Is this correct?). With regards to DENY permissions,
they are handled specially. In such a case, all other VM’s are provided
with ALLOW permissions for that rule, while the destined VM for the DENY
policy is provided with a DENY.
Let's start from the question about Deny. There are no Deny actions. By
default there is no connectivity. If you want to establish that you do it
with Allow or other actions; otherwise no connectivity. Hence no need to
have Deny.
The policies generally apply to the whole group. The idea is to simplify
the use of contract and policy rules by applying them to a group of like
minded :) endpoints.
> — Would you necessarily want to automatically provide all other VM’s with
an ALLOW privilege? Not all VM’s in that group may need access to that
port...
>
So you may reconsider how you group your endpoints into groups so you can
apply policies to groups of endpoints with similar characteristics/roles.
> 2.) Group Policy does support a Hierarchy. (Is this correct?)
>
Yes. A contract can have another as a child contract.
> 3.) On a separate note: Is the Group Policy feature exposed via a RESTful
API akin to FWaaS?
>
Yes, That's the plan for the group policy extension similar to other
extensions.
> Thank you,
>
> Mike Grima, RHCE
>
>
> On May 22, 2014, at 2:08 AM, A, Keshava <keshava.a at hp.com> wrote:
>
> > Hi,
> >
> > 1. When the group policy is applied ( across to all the VMs ) say deny
for specific TCP port = 80, however because some special reason one of that
VM needs to 'ALLOW TCP port' how to handle this ?
> > When deny is applied to any one of VM in that group , this framework
takes care of
> > individually breaking that and apply ALLOW for other VM
automatically ?
> > and apply Deny for that specific VM ?
> >
> > 2. Can there be 'Hierarchy of Group Policy " ?
> >
> >
> >
> > Thanks & regards,
> > Keshava.A
> >
> > -----Original Message-----
> > From: Michael Grima [mailto:mike.r.grima at gmail.com]
> > Sent: Wednesday, May 21, 2014 5:00 PM
> > To: openstack-dev at lists.openstack.org
> > Subject: Re: [openstack-dev] [Neutron][FWaaS]Firewall Web Services
Research Thesis Applicability to the OpenStack Project
> >
> > Sumit,
> >
> > Unfortunately, I missed the IRC meeting on FWaaS (got the timezones
screwed up...).
> >
> > However, in the meantime, please review this section of my thesis on
the OpenStack project:
> >
https://docs.google.com/document/d/1DGhgtTY4FxYxOqhKvMSV20cIw5WWR-gXbaBoMMMA-f0/edit?usp=sharing
> >
> > Please let me know if it is missing anything, or contains any wrong
information. Also, if you have some time, please review the questions I
have asked in the previous messages.
> >
> > Thank you,
> >
> > --
> > Mike Grima, RHCE
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140523/110e50ef/attachment.html>
More information about the OpenStack-dev
mailing list