[Openstack] [Neutron] Additional default security group rules

Craig J craig.jellick at gmail.com
Wed Dec 18 05:36:05 UTC 2013


Hi all,

In the private cloud that we are building out, we'd like to restrict what
users can do with security group rules. We have a solution in mind and
would like to vet it in the mailing list.

Here's what we'd like to achieve:
1. Lock down security group (and rules) so that only admins can make
modifications.
2. Add additional rules to the default security group that every project
gets.
The goal is to have the default rules cover 95% of the use cases so that
per-project modifications by admins are minimal.

#1 is pretty straightforward via additional policy.json rules. (Unless
anyone knows of any gotchas?)

For #2, we think we need something a little more elaborate: we want to
define all the additional rules in a config file (perhaps a yaml file) and
then create them when the default security group is created
here: <https://github.com/openstack/neutron/blob/d66163b772a70e8ba438d02100da303363599bd0/neutron/db/securitygroups_db.py#L105>.

So, a few questions about the solution for #2:
1. Does our solution make sense or is there a better and/or pre-existing
solution?
2. (Maybe this is a question for the dev list) Would this solution be
valuable to the rest of the community or is it too narrow a use case? Is it
something we should blueprint?

Thanks in advance,
Craig
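The following is an added example, not code from the post or from Neutron, sketching the two pieces the message describes: a small policy.json transform that restricts security group writes to admins (#1), and a loader that validates an operator-supplied rule file and turns it into the attribute dicts Neutron's rule creation expects (#2). The config file format (a JSON document, which is also valid YAML 1.2 so yaml.safe_load reads the same file), the function names, the policy action names and the assumed attribute shape are all assumptions for illustration; the sample config is constructed.

```python
"""Validate extra default security group rules from a config file and
restrict security group changes to admins via policy.json (added example;
names, file format and attribute shapes are assumptions, not Neutron's API).
"""
import ipaddress
import json

# Constructed sample config an operator might ship (JSON, hence also YAML).
SAMPLE_CONFIG = """
{
  "default_security_group_rules": [
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "10.0.0.0/8"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "icmp",
     "remote_ip_prefix": "10.0.0.0/8"},
    {"direction": "egress", "ethertype": "IPv4"}
  ]
}
"""

VALID_DIRECTIONS = {"ingress", "egress"}
VALID_ETHERTYPES = {"IPv4", "IPv6"}
VALID_PROTOCOLS = {"tcp", "udp", "icmp"}

# Assumed policy.json action names for security group writes; reads are
# deliberately left alone so tenants (and Nova) can still list groups.
SECURITY_GROUP_WRITE_ACTIONS = (
    "create_security_group", "update_security_group", "delete_security_group",
    "create_security_group_rule", "delete_security_group_rule",
)


def lock_down_policy(policy):
    """Return a copy of a policy dict with security group writes admin-only."""
    locked = dict(policy)
    for action in SECURITY_GROUP_WRITE_ACTIONS:
        locked[action] = "rule:admin_only"
    return locked


def validate_rule(raw):
    """Normalise one config entry into a rule dict; raise ValueError if bad."""
    rule = {
        "direction": raw.get("direction"),
        "ethertype": raw.get("ethertype", "IPv4"),
        "protocol": raw.get("protocol"),
        "port_range_min": raw.get("port_range_min"),
        "port_range_max": raw.get("port_range_max"),
        "remote_ip_prefix": raw.get("remote_ip_prefix"),
        "remote_group_id": raw.get("remote_group_id"),
    }
    if rule["direction"] not in VALID_DIRECTIONS:
        raise ValueError("bad direction: %r" % (rule["direction"],))
    if rule["ethertype"] not in VALID_ETHERTYPES:
        raise ValueError("bad ethertype: %r" % (rule["ethertype"],))
    if rule["protocol"] is not None and rule["protocol"] not in VALID_PROTOCOLS:
        raise ValueError("bad protocol: %r" % (rule["protocol"],))
    lo, hi = rule["port_range_min"], rule["port_range_max"]
    if (lo is None) != (hi is None):
        raise ValueError("port_range_min and port_range_max go together")
    if lo is not None:
        if rule["protocol"] not in ("tcp", "udp"):
            raise ValueError("port ranges only make sense for tcp/udp")
        if not (1 <= lo <= hi <= 65535):
            raise ValueError("bad port range %r-%r" % (lo, hi))
    if rule["remote_ip_prefix"] is not None and rule["remote_group_id"] is not None:
        raise ValueError("remote_ip_prefix and remote_group_id are exclusive")
    if rule["remote_ip_prefix"] is not None:
        net = ipaddress.ip_network(rule["remote_ip_prefix"], strict=False)
        if net.version != (4 if rule["ethertype"] == "IPv4" else 6):
            raise ValueError("remote_ip_prefix does not match ethertype")
        rule["remote_ip_prefix"] = str(net)  # canonical CIDR form
    return rule


def is_builtin_default(rule):
    """Unrestricted egress is already created for every default group, so
    repeating it from the config would only produce a duplicate rule."""
    return (rule["direction"] == "egress" and rule["protocol"] is None
            and rule["port_range_min"] is None
            and rule["remote_ip_prefix"] is None
            and rule["remote_group_id"] is None)


def load_default_rules(config_text):
    """Parse the config and return validated, de-duplicated rule dicts."""
    cfg = json.loads(config_text)
    rules, seen = [], set()
    for raw in cfg.get("default_security_group_rules", []):
        rule = validate_rule(raw)
        key = tuple(sorted(rule.items()))
        if is_builtin_default(rule) or key in seen:
            continue
        seen.add(key)
        rules.append(rule)
    return rules


def rules_for_group(rules, security_group_id, tenant_id):
    """Bind the rules to a freshly created default group (assumed shape of
    the dicts a rule-creation call would take)."""
    return [dict(r, security_group_id=security_group_id, tenant_id=tenant_id)
            for r in rules]


if __name__ == "__main__":
    for r in rules_for_group(load_default_rules(SAMPLE_CONFIG),
                             "<sg-id placeholder>", "<tenant-id placeholder>"):
        print(r)
```

Validating the file once at startup, rather than at each group creation, means a typo in the operator's rule list fails loudly instead of silently leaving new projects with fewer rules than intended; the loader also skips the unrestricted egress entry so it does not duplicate what the default group already carries.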