[openstack-dev] [Openstack][Neutron]Why we use security group which only support dispatching whitelist rules?

Monty Taylor mordred at inaugust.com
Thu Apr 27 22:03:35 UTC 2017


On 04/25/2017 10:32 AM, Gary Kotton wrote:
> Hi,
> I would like us to think of considering enabling an API that would allow ‘deny’, for example an admin could overwrite a tenant’s security groups. For example, an admin may not want a specific source range to access the tenant’s VMs. The guys working on FWaaS say that this may happen in V2, but that looks very far away. Making this change in Neutron would be pretty simple and give us a nice feature add.
> If you would like to work on this I would be happy to develop this with you. It could be added as an extension.
> Thanks
> Gary
>
> On 4/24/17, 6:37 AM, "Ihar Hrachyshka" <ihrachys at redhat.com> wrote:
>
>     All traffic is denied by default. OpenStack security groups API is
>     modeled to reflect what AWS does. You may find your needs better
>     served by fwaas plugin for neutron that is not constrained by AWS
>     compatibility.

OpenStack does not claim to have or strive for AWS compatibility.

It is not a goal. It may have been one for someone during the writing of 
the security-groups code, and thus may be a good description of why the 
security-groups are structured and behave the way they do. Moving 
forward, AWS compatibility should really never be a reason we do or 
don't do something if that thing is beneficial to our users.

>     On Sun, Apr 23, 2017 at 8:33 PM, 田明明 <tianming20052004 at 163.com> wrote:
>     > Can we add an "action" to security group rule api, so that we could dispatch
>     > rules with "deny" action? Until now, security group only supports add
>     > white-list rules but this couldn't satisfy many people's needs.
>     >
>     > __________________________________________________________________________
>     > OpenStack Development Mailing List (not for usage questions)
>     > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>     > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>     >
>
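To make the difference between the two models concrete, here is an added illustration (not Neutron's code, and not part of any message in this thread) that evaluates a packet against a set of rules under today's allow-list-only semantics and under the hypothetical "action" attribute the thread proposes. The Rule fields loosely follow Neutron's security-group-rule attributes (direction, protocol, port_range_min/max, remote_ip_prefix); the `action` field, the evaluation functions and the sample addresses are assumptions constructed for this example. It also shows the only workaround available today for "allow everything except this range": enumerating the complement of the blocked prefix as allow rules.

```python
"""Allow-list-only security group evaluation beside a hypothetical deny action.
Added example; not Neutron's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str            # "ingress" or "egress"
    protocol: Optional[str]   # "tcp", "udp", "icmp", or None for any protocol
    port_min: Optional[int]   # None means any port (port_max is then ignored)
    port_max: Optional[int]
    remote_prefix: str        # remote_ip_prefix in CIDR notation
    action: str = "allow"     # hypothetical: Neutron today has no such attribute


def matches(rule: Rule, direction: str, protocol: str, port: int, remote_ip: str) -> bool:
    """Does this rule cover the given flow?"""
    if rule.direction != direction:
        return False
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.port_min is not None and not (rule.port_min <= port <= rule.port_max):
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.remote_prefix)


def evaluate_allowlist(rules: List[Rule], direction: str, protocol: str,
                       port: int, remote_ip: str) -> bool:
    """Current semantics: everything is denied unless some rule permits it.
    A rule carrying action="deny" has no effect because the API cannot express it."""
    return any(matches(r, direction, protocol, port, remote_ip)
               for r in rules if r.action == "allow")


def evaluate_with_deny(rules: List[Rule], direction: str, protocol: str,
                       port: int, remote_ip: str) -> bool:
    """Hypothetical extension: a matching deny (e.g. admin-imposed) wins over any allow,
    and the default remains deny."""
    hits = [r for r in rules if matches(r, direction, protocol, port, remote_ip)]
    if any(r.action == "deny" for r in hits):
        return False
    return any(r.action == "allow" for r in hits)


def allow_except(block_prefix: str, base: str = "0.0.0.0/0") -> List[str]:
    """With allow-only rules, 'all except X' must be written as the complement of X:
    the list of prefixes that together cover base minus block_prefix."""
    base_net = ipaddress.ip_network(base)
    blocked = ipaddress.ip_network(block_prefix)
    return [str(n) for n in base_net.address_exclude(blocked)]


# Constructed sample: the tenant opens SSH to the world; an admin wants
# 203.0.113.0/24 (documentation range) kept out regardless of tenant rules.
TENANT_RULES = [Rule("ingress", "tcp", 22, 22, "0.0.0.0/0")]
ADMIN_DENY = Rule("ingress", None, None, None, "203.0.113.0/24", action="deny")


def workaround_rules(block_prefix: str) -> List[Rule]:
    """Rewrite the tenant's 0.0.0.0/0 SSH rule into allow rules for every prefix
    except block_prefix; this is what an operator has to do today."""
    return [Rule("ingress", "tcp", 22, 22, p) for p in allow_except(block_prefix)]


if __name__ == "__main__":
    flow = ("ingress", "tcp", 22, "203.0.113.7")
    print("allow-list only, deny ignored:", evaluate_allowlist(TENANT_RULES + [ADMIN_DENY], *flow))
    print("with deny action:            ", evaluate_with_deny(TENANT_RULES + [ADMIN_DENY], *flow))
    print("workaround rule count:       ", len(workaround_rules("203.0.113.0/24")))
```

The complement approach works but is brittle: excluding a single /24 from 0.0.0.0/0 yields 24 separate allow rules, every later change to the blocked range means rewriting all of them, and nothing stops the tenant from re-adding the broad rule, which is exactly the admin-override gap the thread is discussing.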
