[Openstack] OpenStack Security Group Extension Prohibits same group source in rules
Vishvananda Ishaya
vishvananda at gmail.com
Tue Nov 29 18:11:14 UTC 2011
+1. This sounds like a bug. FYI, there are some issues related to adding source group rules that specify ports that need to be fixed. We have also discussed whether or not the same group should allow all by default. In EC2 it does. I personally like having it explicit like this, but I don't know if it is confusing to people coming from other clouds.
Vish
On Nov 28, 2011, at 8:32 PM, Hookway, Ray wrote:
> I would like to be able to create a security group rule which allows communication between VMs within the group. Using the EC2 API this can be done as follows:
>
> rjh at cloud1:~$ euca-describe-groups
> GROUP rjhproject default default
> PERMISSION rjhproject default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
> PERMISSION rjhproject default ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
> PERMISSION rjhproject default ALLOWS tcp 80 80 GRPNAME default
> rjh at cloud1:~$ euca-add-group -d 'permissive group' rjhgroup
> GROUP rjhgroup permissive group
> rjh at cloud1:~$ euca-authorize -o rjhgroup rjhgroup
> rjhgroup rjhgroup None tcp None None 0.0.0.0/0
> GROUP rjhgroup
> PERMISSION rjhgroup ALLOWS tcp GRPNAME rjhgroup FROM CIDR 0.0.0.0/0
> rjh at cloud1:~$ euca-describe-groups
> GROUP rjhproject default default
> PERMISSION rjhproject default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
> PERMISSION rjhproject default ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
> PERMISSION rjhproject default ALLOWS tcp 80 80 GRPNAME default
> GROUP rjhproject rjhgroup permissive group
> PERMISSION rjhproject rjhgroup ALLOWS icmp -1 -1 GRPNAME rjhgroup
> PERMISSION rjhproject rjhgroup ALLOWS tcp 1 65535 GRPNAME rjhgroup
> PERMISSION rjhproject rjhgroup ALLOWS udp 1 65536 GRPNAME rjhgroup
>
> So, it looks like security groups support the notion of a group with rules that mention the group containing the rule as a source. However, the security_groups.py extension contains an explicit check that the source group id is not the same as the parent group id. Why is this done? I would like to remove this restriction allowing rules to be created similar to the one created above using EC2. Any objections?
>
> -Ray Hookway (rjh)
>
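The exchange above contrasts two validation behaviours: the check in the extension that rejects a rule whose source group is the group being edited, and the EC2 behaviour in which such a self-referencing rule is accepted and makes members of the group reachable from each other. The following toy model is an added example, not code from nova or from either poster; the `Rule`, `SecurityGroup`, `add_rule` and `is_allowed` names and the default-deny evaluation are my assumptions, written to show why a self-referencing group source is useful (membership-based rather than CIDR-based reachability) and what each validator does with it.

```python
"""Toy model of security-group rule validation and ingress evaluation.

Added example, not nova's security_groups.py. Constructed scenario: a group
named "rjhgroup" (as in the thread) gets a rule whose source is itself.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    protocol: str                     # "tcp", "udp" or "icmp"
    from_port: int                    # -1 / -1 means any type/code for icmp
    to_port: int
    cidr: Optional[str] = None        # source CIDR, or ...
    group_name: Optional[str] = None  # ... source security group (exactly one)


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


class RuleValidationError(ValueError):
    pass


def add_rule(group, rule, allow_self_reference):
    """Validate and attach a rule.

    allow_self_reference=False mirrors the restriction Ray describes (source
    group must differ from the parent group); True mirrors the EC2 behaviour
    shown in the thread, where a group may name itself as the source.
    """
    if (rule.cidr is None) == (rule.group_name is None):
        raise RuleValidationError("rule needs exactly one of cidr or group_name")
    if not allow_self_reference and rule.group_name == group.name:
        raise RuleValidationError("source group must differ from parent group")
    group.rules.append(rule)
    return group


def _port_matches(rule, port):
    if rule.protocol == "icmp":
        return True  # icmp rules in the sample output carry -1 -1: any type/code
    return rule.from_port <= port <= rule.to_port


def is_allowed(dst_groups, src_ip, src_groups, protocol, port):
    """Ingress decision for an instance in dst_groups receiving traffic from
    src_ip, where src_ip belongs to an instance in src_groups (empty for a host
    outside any group). Allow on the first matching rule, otherwise default-deny,
    which is how both nova and EC2 security groups behave."""
    src_names = {g.name for g in src_groups}
    for group in dst_groups:
        for rule in group.rules:
            if rule.protocol != protocol or not _port_matches(rule, port):
                continue
            if rule.cidr is not None and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr):
                return True
            if rule.group_name is not None and rule.group_name in src_names:
                return True
    return False


def demo():
    """Returns (strict validator rejected the rule,
                member-to-member tcp/80 allowed once the rule exists,
                outsider tcp/80 allowed)."""
    group = SecurityGroup("rjhgroup")
    self_rule = Rule("tcp", 1, 65535, group_name="rjhgroup")
    try:
        add_rule(group, self_rule, allow_self_reference=False)
        strict_rejected = False
    except RuleValidationError:
        strict_rejected = True
    add_rule(group, self_rule, allow_self_reference=True)
    # Constructed addresses: 10.0.0.5 is a member of rjhgroup, 10.0.0.9 is not.
    member_to_member = is_allowed([group], "10.0.0.5", [group], "tcp", 80)
    outsider = is_allowed([group], "10.0.0.9", [], "tcp", 80)
    return strict_rejected, member_to_member, outsider


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that with the self-referencing rule in place the decision depends on group membership of the sender, not on its address: a member is allowed, an outsider at an address in the same subnet is still denied, and nothing is opened to 0.0.0.0/0. That is the property the stricter validator throws away when it forces the source to be a different group.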