[Openstack] CLI command to figure out security-group's association to particular tenant/user

Aaron Rosen arosen at nicira.com
Fri Jun 28 07:15:54 UTC 2013


On Thu, Jun 27, 2013 at 10:51 PM, Rahul Sharma <rahulsharmaait at gmail.com> wrote:

> Hi Aaron,
>
> Thanks for the CLI. I have a query related to that. I have a multinode
> OpenStack deployment. To make all the ports of a VM accessible from outside,
> I need to add a rule "*TCP port-range 1-65535 Allow*" using the Horizon
> dashboard. Now this rule is pushed to the Quantum database as well as the
> Nova database.
>

This is only stored in the quantum database. When querying nova for this
information it will query quantum.


> root@controller1:~# quantum security-group-rule-list -- --tenant-id=40a7cd193a794161bfefd62364e64d03
>
> +--------------------------------------+----------------+-----------+----------+------------------+--------------+
> | id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
> +--------------------------------------+----------------+-----------+----------+------------------+--------------+
> | 24cd1f88-8b50-45da-822c-e932178aeffd | default        | egress    |          |                  |              |
> | 54e72726-61d5-4253-a92f-47a84d0ec882 | default        | ingress   |          |                  | default      |
> | 977c7aff-9649-4037-af03-086d5db4955a | default        | egress    |          |                  |              |
> *| d3e0d85c-b9c7-4fc3-9009-d14ed085876a | default        | ingress   | tcp      | 0.0.0.0/0        |              |*
> | e0887d63-bee2-4848-acce-c193aa03ef02 | default        | ingress   |          |                  | default      |
> +--------------------------------------+----------------+-----------+----------+------------------+--------------+
>
> root@controller1:~# nova --os-username test --os-password test --os-tenant-name "test" secgroup-list-rules default
> +-------------+-----------+---------+-----------+--------------+
> | IP Protocol | From Port | To Port | IP Range  | Source Group |
> +-------------+-----------+---------+-----------+--------------+
> |             | -1        | -1      |           | default      |
> |             | -1        | -1      |           | default      |
> *| tcp         | 1         | 65535   | 0.0.0.0/0 |              |*
> +-------------+-----------+---------+-----------+--------------+
>
> How can I do the same using the CLI? Is there any single command which will
> do this task, or do I need to manually do this from the UI? I tried adding
> the rule using nova and quantum commands, but it's giving me an error in
> taking parameters like 0.0.0.0/0 or due to something else which is not
> evident from the error message. I am using the Grizzly release.
>
>
quantum security-group-rule-create --protocol tcp --ethertype IPv4 --port-range-min 1 --port-range-max 65535 --remote-ip-prefix 0.0.0.0/0 default

or

nova secgroup-add-rule default tcp 1 65535 0.0.0.0/0


> Thanks and Regards
> Rahul Sharma
>
>
> On Thu, Jun 27, 2013 at 10:25 PM, Aaron Rosen <arosen at nicira.com> wrote:
>
>> Hi Rahul,
>>
>> The issue is that you are running as an admin user so it shows all the
>> security groups for every tenant. If you want to list the security groups
>> for just one particular tenant you can do this:
>>
>>
>>  quantum security-group-list  -- --tenant-id=<tenant_id>
>>
>>
>> Aaron
>>
>>
>>
>> On Thu, Jun 27, 2013 at 5:54 AM, Rahul Sharma <rahulsharmaait at gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I have a query regarding the security-groups. Whenever I create a new
>>> tenant, a default security-group is created for that tenant. Now I want to
>>> find out which security-group is for which tenant? If I run "quantum
>>> security-group-list", then it shows me the security-groups in the below format:
>>> root@controller1:~# quantum security-group-list
>>>
>>> +--------------------------------------+-----------------+-------------------------------------+
>>> | id                                   | name            | description                         |
>>> +--------------------------------------+-----------------+-------------------------------------+
>>> | 429f8e9e-edfc-4173-b599-9d91d9f7cb7d | default         | default                             |
>>> | 47cbba23-6a73-44dc-b7c4-46794ed7aa5a | default         | default                             |
>>> | 5ea93a09-6d96-4688-8005-99f8de4f20d7 | default         | default                             |
>>> | 81cb819c-ffc2-4c26-b390-8e24b11f3443 | default         | default                             |
>>> | 83778bc4-bbd2-4e02-9131-c5d4cf8a9e9b | default         | default                             |
>>> | 9ca14384-00f0-4597-acd4-00bdec10ab5c | default         | default                             |
>>> | a0e42478-ff76-4513-a698-7d7b0450a878 | default         | default                             |
>>> | da2cb126-520e-475b-81f3-5d0d2f053333 | default         | default                             |
>>> +--------------------------------------+-----------------+-------------------------------------+
>>>
>>> How can I figure out the default security-group to a particular
>>> tenant/user? There is no option to show security-groups bound to particular
>>> tenant. Is there any CLI command to figure out the same?
>>>
>>> Thanks and Regards
>>> Rahul Sharma
>
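
Added example, not part of the original thread and not OpenStack code: a Python check that parses the table layout `nova secgroup-list-rules` prints in the message above and reports rules that open more than one port to every source address, such as the 1-65535 rule discussed. The sample table is constructed, and the names `parse_table` and `world_open_rules` are hypothetical.

```python
import ipaddress

# Constructed sample in the layout `nova secgroup-list-rules` prints in the thread.
SAMPLE = """\
+-------------+-----------+---------+------------+--------------+
| IP Protocol | From Port | To Port | IP Range   | Source Group |
+-------------+-----------+---------+------------+--------------+
|             | -1        | -1      |            | default      |
| tcp         | 1         | 65535   | 0.0.0.0/0  |              |
| tcp         | 22        | 22      | 10.0.0.0/8 |              |
| tcp         | 443       | 443     | 0.0.0.0/0  |              |
+-------------+-----------+---------+------------+--------------+
"""

def parse_table(text):
    """Turn the ASCII table into a list of dicts keyed by column header."""
    header, rows = None, []
    for line in text.splitlines():
        # Tolerate mail quoting ("> ") and the "*" emphasis seen in the thread.
        line = line.lstrip("> ").rstrip().strip("*")
        if not line.startswith("|"):
            continue  # border or blank line
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows

def world_open_rules(rows, max_ports=1):
    """Return (protocol, from, to, cidr) for any-source rules wider than max_ports."""
    findings = []
    for r in rows:
        cidr = r["IP Range"]
        if not cidr:
            continue  # rule is keyed on a source group, not a CIDR
        if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
            continue  # restricted to a specific network
        lo, hi = int(r["From Port"]), int(r["To Port"])
        # -1/-1 is treated here as "no port restriction" (assumption).
        span = 65535 if lo < 0 else hi - lo + 1
        if span > max_ports:
            findings.append((r["IP Protocol"], lo, hi, cidr))
    return findings

if __name__ == "__main__":
    for finding in world_open_rules(parse_table(SAMPLE)):
        print("world-open rule:", finding)
```

Feeding it the captured output for each tenant gives a quick list of security groups whose rules expose whole port ranges to 0.0.0.0/0.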