[openstack-dev] [Neutron] Behavior of default security group
Hirofumi Ichihara
ichihara.hirofumi at lab.ntt.co.jp
Thu Mar 5 02:33:34 UTC 2015
Thank you for your response.
> That's a fair point. But I think it's because you're not expected to
> run as admin, and having a way to drop the group as admin can be of
> value for e.g. debugging or cleaning up after some bugs [1].
You’re right.
Regenerate logic seems strange to me. But I’m not sure the logic must be fixed.
> This is because original neutron/nova authors thought that following
> the AWS way [2] is essential for project success.
>
> Since [3], neutron allows default group to be renamed. Though nova
> still assumes 'default' is the only way the group can be named [4].
I got it. It may be worth fixing.
Thanks,
Hirofumi
2015/02/24 2:00、Ihar Hrachyshka <ihrachys at redhat.com> :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/20/2015 11:45 AM, Hirofumi Ichihara wrote:
>> Neutron experts,
>>
>> I caught a bug report[1].
>>
>> Currently, Neutron enable admin to delete default security group.
>> But Neutron doesn’t allow default security group to keep deleted.
>> Neutron regenerates default security group as security group api is
>> called next.
>
> I actually believe the design is unfortunate, and instead of this,
> keystone would better notify services about new tenant, and services
> would create resources like default security groups for them. AFAIK
> keystone does not notify at the moment, so we had few options.
> Speaking of current design, ...
>
>> I have two questions about the behavior.
>>
>> 1. Why does Neutron regenerate default security group? If default
>> security group is essential, we shouldn’t enable admin to delete
>> it.
>
> That's a fair point. But I think it's because you're not expected to
> run as admin, and having a way to drop the group as admin can be of
> value for e.g. debugging or cleaning up after some bugs [1].
>
>> 2. Why is security group named “default" essential? Users may want
>> to change its name.
>>
>
> This is because original neutron/nova authors thought that following
> the AWS way [2] is essential for project success.
>
> Since [3], neutron allows default group to be renamed. Though nova
> still assumes 'default' is the only way the group can be named [4].
>
> [1]: https://bugs.launchpad.net/neutron/+bug/1194579
> [2]:
> http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group
> [3]:
> http://git.openstack.org/cgit/openstack/neutron/commit/?id=79c97120de9cff4d0992b5d41ff4bbf05e890f89
> [4]:
> https://git.openstack.org/cgit/openstack/nova/tree/nova/compute/api.py#n1074
>
> /Ihar
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQEcBAEBAgAGBQJU61zHAAoJEC5aWaUY1u57UE4H/30jKnhrQthzuw0xuKJ3VDu7
> Fi+eqbhis7/ntGSQLlDFEPzsHjCxjkwXVN7kdPPaftp6RsnpwJNko+Zbvv2gWEMj
> qS3dxsCYiQVAjmbDIXrlz1K/za+QYJL3FvD9hP/ixA90ZeL0l6VFs2KwKAr35AEP
> EmkBK237tlHBJfqVh9H81cMn36iPKMd/g+4cAuysxajEFiWSqBBegngGpCiUJ6Vm
> 51AeOBR4bwR585XvIRyDQIfQD/rLSYHzTZSn+ChLy6It14x7WHs/xgTn5V3EqNKB
> VIHhiU6j2QuW07wDa1/HEGaTao8Np1OcL7IuEdDb6ioCZRMaC3cpuTOE3OoVeW4=
> =8BCo
> -----END PGP SIGNATURE-----
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
More information about the OpenStack-dev
mailing list