[Openstack] OpenStack Security Group Extension Prohibits same group source in rules

Hookway, Ray Ray.Hookway at hp.com
Tue Nov 29 04:32:29 UTC 2011


I would like to be able to create a security group rule which allows communication between VMs within the group. Using the EC2 API this can be done as follows:

rjh at cloud1:~$ euca-describe-groups
GROUP rjhproject  default     default
PERMISSION  rjhproject  default     ALLOWS      tcp   22    22    FROM  CIDR  0.0.0.0/0
PERMISSION  rjhproject  default     ALLOWS      icmp  -1    -1    FROM  CIDR  0.0.0.0/0
PERMISSION  rjhproject  default     ALLOWS      tcp   80    80    GRPNAME     default
rjh at cloud1:~$ euca-add-group -d 'permissive group' rjhgroup
GROUP rjhgroup    permissive group
rjh at cloud1:~$ euca-authorize -o rjhgroup rjhgroup
rjhgroup rjhgroup None tcp None None 0.0.0.0/0
GROUP rjhgroup
PERMISSION  rjhgroup    ALLOWS      tcp   GRPNAME     rjhgroup    FROM  CIDR  0.0.0.0/0
rjh at cloud1:~$ euca-describe-groups
GROUP rjhproject  default     default
PERMISSION  rjhproject  default     ALLOWS      tcp   22    22    FROM  CIDR  0.0.0.0/0
PERMISSION  rjhproject  default     ALLOWS      icmp  -1    -1    FROM  CIDR  0.0.0.0/0
PERMISSION  rjhproject  default     ALLOWS      tcp   80    80    GRPNAME     default
GROUP rjhproject  rjhgroup    permissive group
PERMISSION  rjhproject  rjhgroup    ALLOWS      icmp  -1    -1    GRPNAME     rjhgroup
PERMISSION  rjhproject  rjhgroup    ALLOWS      tcp   1     65535 GRPNAME     rjhgroup
PERMISSION  rjhproject  rjhgroup    ALLOWS      udp   1     65536 GRPNAME     rjhgroup

So, it looks like security groups support the notion of a group with rules that mention the group containing the rule as a source. However, the security_groups.py extension contains an explicit check that the source group id is not the same as the parent group id. Why is this done? I would like to remove this restriction allowing rules to be created similar to the one created above using EC2. Any objections?

-Ray Hookway (rjh)
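The behaviour described in the post, as an added Python model that is not Nova code and not from the post: two groups are built, a rule whose source is its own parent group is first refused (modelling the check in the security_groups.py extension) and then accepted (modelling the EC2 result above), and inbound packets are evaluated against the rules so that a GRPNAME source resolves to the current members of that group. The class and function names, the instance addresses, and the exact shape of the self-reference check are assumptions.

```python
"""Toy model of security-group rule evaluation with group-based sources.

Added illustration, not OpenStack Nova code. Names (SecurityGroup, Rule,
add_rule, allows) and the form of the self-reference check are assumptions;
the real security_groups.py extension is not reproduced here.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    protocol: str                       # "tcp", "udp" or "icmp"
    from_port: int                      # -1 means "any" for icmp
    to_port: int
    cidr: Optional[str] = None          # source given as a CIDR block, or
    source_group: Optional[str] = None  # source given as another group's name


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)
    members: set = field(default_factory=set)  # instance IPs in the group (constructed)


class RuleRejected(ValueError):
    pass


def add_rule(group: SecurityGroup, rule: Rule, allow_self_reference: bool) -> None:
    """Validate and attach a rule.

    allow_self_reference=False models the extension check that refuses a source
    group equal to the parent group; True models the EC2 behaviour in the post,
    where 'rjhgroup' can be its own source.
    """
    if (rule.cidr is None) == (rule.source_group is None):
        raise RuleRejected("exactly one of cidr or source_group must be set")
    if rule.source_group == group.name and not allow_self_reference:
        raise RuleRejected("source group may not be the parent group")
    group.rules.append(rule)


def allows(group: SecurityGroup, groups: dict, src_ip: str, protocol: str, port: int) -> bool:
    """True if an inbound packet from src_ip to a member of `group` matches a rule.

    `groups` maps group name -> SecurityGroup, so a GRPNAME source is resolved
    to that group's member addresses at evaluation time, not when the rule is
    written.
    """
    src = ip_address(src_ip)
    for r in group.rules:
        if r.protocol != protocol:
            continue
        if protocol != "icmp" and not (r.from_port <= port <= r.to_port):
            continue
        if r.cidr is not None and src in ip_network(r.cidr):
            return True
        if r.source_group is not None and src_ip in groups[r.source_group].members:
            return True
    return False


def demo() -> dict:
    """Build the two groups from the post with constructed member IPs and probe them."""
    groups = {
        "default": SecurityGroup("default", members={"10.0.0.2"}),
        "rjhgroup": SecurityGroup("rjhgroup", members={"10.0.0.10", "10.0.0.11"}),
    }
    self_rule = Rule("tcp", 1, 65535, source_group="rjhgroup")
    # The restrictive check rejects a rule whose source is the parent group.
    try:
        add_rule(groups["rjhgroup"], self_rule, allow_self_reference=False)
        rejected = False
    except RuleRejected:
        rejected = True
    # With the check relaxed, the EC2-style rule attaches.
    add_rule(groups["rjhgroup"], self_rule, allow_self_reference=True)
    add_rule(groups["default"], Rule("tcp", 22, 22, cidr="0.0.0.0/0"), allow_self_reference=False)
    return {
        "self_reference_rejected": rejected,
        "member_to_member_tcp": allows(groups["rjhgroup"], groups, "10.0.0.11", "tcp", 443),
        "outsider_to_member_tcp": allows(groups["rjhgroup"], groups, "10.0.0.2", "tcp", 443),
        "anyone_ssh_to_default": allows(groups["default"], groups, "203.0.113.5", "tcp", 22),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point the model makes explicit is that a self-referencing group rule is evaluated against group membership, not against a fixed address list: a VM that joins 'rjhgroup' later is covered automatically, and an address outside the group is still refused even though the rule spans every TCP port.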
