[openstack-dev] [neutron] - Changing the Neutron default security group rules

Jonathan Proulx jon at csail.mit.edu
Thu Mar 3 15:19:00 UTC 2016


On Wed, Mar 02, 2016 at 11:36:17AM -0800, Gregory Haynes wrote:
:Clearly, some operators and users disagree with the opinion that 'by
:default security groups should be closed off' given that we have several
:large public providers who have changed these defaults (despite there
:being no documented way to do so), and we have users in this thread
:expressing that opinion. Given that, I am not sure there is any value
:behind us expressing we have different opinions on what defaults should
:be (let alone enforcing them by not allowing them to be configured)
:unless there are some technical reasons beyond 'this is not what my
:policy is, what my customers want', etc. I also understand the goal of
:trying to make clouds more similar for better interoperability (and I
:think that is extremely important), but the reality is we have created
:a situation where clouds are already not identical here in an even
:worse, undocumented way because we are enforcing a certain set of
:opinions here.


On the topic of 'norms' and interoperability my operational opinion is
that naive users are unlikely to actually use multiple clouds, or at
most switch between clouds infrequently, and sophisticated users for
whom interoperability is more important will be able to automate
creating their desired security groups so as long as the API is there
the site default policy is irrelevant.

:To me this is an extremely clear indication that at a minimum the
:defaults should be configurable since discussion around them seems to
:devolve into different opinions on security policies, and there is no
:way we should be in the business of dictating that.

Yes that!

-Jon

:Cheers, Greg
