[openstack-dev] [Neutron] Behavior of default security group

Ihar Hrachyshka ihrachys at redhat.com
Mon Feb 23 17:00:55 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/20/2015 11:45 AM, Hirofumi Ichihara wrote:
> Neutron experts,
> 
> I caught a bug report[1].
> 
> Currently, Neutron enables admins to delete the default security group.
> But Neutron doesn't allow the default security group to stay deleted.
> Neutron regenerates the default security group when the security group API is
> called next.

I actually believe the design is unfortunate, and instead of this,
keystone would do better to notify services about a new tenant, and services
would create resources like default security groups for it. AFAIK
keystone does not notify at the moment, so we had few options.
Speaking of the current design, ...

> I have two questions about the behavior.
> 
> 1. Why does Neutron regenerate the default security group? If the default
> security group is essential, we shouldn't allow the admin to delete
> it.

That's a fair point. But I think it's because you're not expected to
run as admin, and having a way to drop the group as admin can be of
value for e.g. debugging or cleaning up after some bugs [1].

> 2. Why is the security group named "default" essential? Users may want
> to change its name.
> 

This is because original neutron/nova authors thought that following
the AWS way [2] is essential for project success.

Since [3], neutron allows the default group to be renamed. Though nova
still assumes 'default' is the only name the group can have [4].

[1]: https://bugs.launchpad.net/neutron/+bug/1194579
[2]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group
[3]: http://git.openstack.org/cgit/openstack/neutron/commit/?id=79c97120de9cff4d0992b5d41ff4bbf05e890f89
[4]: https://git.openstack.org/cgit/openstack/nova/tree/nova/compute/api.py#n1074

/Ihar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJU61zHAAoJEC5aWaUY1u57UE4H/30jKnhrQthzuw0xuKJ3VDu7
Fi+eqbhis7/ntGSQLlDFEPzsHjCxjkwXVN7kdPPaftp6RsnpwJNko+Zbvv2gWEMj
qS3dxsCYiQVAjmbDIXrlz1K/za+QYJL3FvD9hP/ixA90ZeL0l6VFs2KwKAr35AEP
EmkBK237tlHBJfqVh9H81cMn36iPKMd/g+4cAuysxajEFiWSqBBegngGpCiUJ6Vm
51AeOBR4bwR585XvIRyDQIfQD/rLSYHzTZSn+ChLy6It14x7WHs/xgTn5V3EqNKB
VIHhiU6j2QuW07wDa1/HEGaTao8Np1OcL7IuEdDb6ioCZRMaC3cpuTOE3OoVeW4=
=8BCo
-----END PGP SIGNATURE-----
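
The two behaviours discussed in the thread, as an added toy model that is not Neutron or Nova code: every security-group API call first makes sure the calling tenant has a default group (so an admin deletion is undone by the next call), and a Nova-style lookup that keys on the literal name 'default' stops finding the group once it has been renamed. The class names, the tenant id, the `is_default` marker and the `lookup_default_by_marker` alternative are assumptions made for this illustration.

```python
"""Toy model of the default-security-group behaviour discussed in the thread.
Added illustration only; not Neutron or Nova code. The `is_default` marker,
the tenant id and both lookup helpers are assumptions for the example."""

import uuid
from dataclasses import dataclass


@dataclass
class SecurityGroup:
    id: str
    tenant_id: str
    name: str
    # Assumed marker: tells the regenerated default group apart from its name,
    # which the thread says may be changed by the user.
    is_default: bool = False


class NeutronModel:
    """Every API entry point calls _ensure_default first, mimicking the
    'regenerated on the next API call' behaviour described in the thread."""

    def __init__(self):
        self.groups = {}            # id -> SecurityGroup
        self.created_defaults = []  # audit trail of every default group created

    def _ensure_default(self, tenant_id):
        if any(g.tenant_id == tenant_id and g.is_default for g in self.groups.values()):
            return
        sg = SecurityGroup(uuid.uuid4().hex, tenant_id, "default", is_default=True)
        self.groups[sg.id] = sg
        self.created_defaults.append(sg.id)

    def list_groups(self, tenant_id):
        self._ensure_default(tenant_id)
        return [g for g in self.groups.values() if g.tenant_id == tenant_id]

    def create_group(self, tenant_id, name):
        self._ensure_default(tenant_id)
        sg = SecurityGroup(uuid.uuid4().hex, tenant_id, name)
        self.groups[sg.id] = sg
        return sg

    def delete_group(self, tenant_id, sg_id, is_admin=False):
        self._ensure_default(tenant_id)
        sg = self.groups[sg_id]
        # Only an admin may drop the default group (the debugging/cleanup case).
        if sg.is_default and not is_admin:
            raise PermissionError("only admin may delete the default group")
        del self.groups[sg_id]

    def rename_group(self, tenant_id, sg_id, new_name):
        self._ensure_default(tenant_id)
        self.groups[sg_id].name = new_name


def nova_lookup_default(neutron, tenant_id):
    """Models the Nova assumption from the thread: the default group is the
    one literally named 'default'. Returns None when nothing matches."""
    matches = [g for g in neutron.list_groups(tenant_id) if g.name == "default"]
    return matches[0] if matches else None


def lookup_default_by_marker(neutron, tenant_id):
    """Assumed name-independent alternative: select on the default marker."""
    return next((g for g in neutron.list_groups(tenant_id) if g.is_default), None)


def demo():
    """Runs the scenarios from the thread and returns the observations."""
    neutron = NeutronModel()
    tenant = "tenant-a"  # constructed sample tenant id
    original = neutron.list_groups(tenant)[0]  # first call creates the default

    # A non-admin caller cannot delete the default group in this model.
    try:
        neutron.delete_group(tenant, original.id, is_admin=False)
        user_delete_blocked = False
    except PermissionError:
        user_delete_blocked = True

    # An admin can, but the very next API call regenerates it under a new id.
    neutron.delete_group(tenant, original.id, is_admin=True)
    regenerated = next(g for g in neutron.list_groups(tenant) if g.is_default)

    # After a rename the name-based lookup comes up empty; the marker-based
    # lookup still finds the same group.
    neutron.rename_group(tenant, regenerated.id, "web-default")
    by_name = nova_lookup_default(neutron, tenant)
    by_marker = lookup_default_by_marker(neutron, tenant)

    return {
        "original_id": original.id,
        "regenerated_id": regenerated.id,
        "default_creations": len(neutron.created_defaults),  # initial + regenerated
        "user_delete_blocked": user_delete_blocked,
        "nova_finds_renamed": by_name is not None,
        "marker_finds_renamed": by_marker.name if by_marker else None,
    }


if __name__ == "__main__":
    print(demo())
```

The model makes the consequence concrete: an admin deletion is self-healing but leaves the tenant with a default group of a different id, and any consumer that identifies the group by its name rather than by a stable attribute breaks as soon as the rename allowed by [3] is used.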
