[Openstack] modify policy for security group on neutron
Giuseppa Muscianisi
g.muscianisi at cineca.it
Mon May 25 12:08:45 UTC 2015
Hi Salvatore,
as you wrote, it works. Thanks a lot.
Regarding my second question, "Add additional rules to the default
security group", I would like to add rules to the "default" of the "default
security group". In other words, I'm able to modify each security
group named "default" of each tenant, but I would like to add rules to the
default rules of the default security group (at the moment there are only
4), so that I don't have to modify the rules of the default security
group every time for each tenant.
Do you have any suggestion?
Thanks. Giusy
On 17/05/2015 20:36, Mike Dorman wrote:
> Yup. This is exactly what we do, with Neutron policy.json. I can
> confirm that this works and achieves what you need.
>
> Mike
>
>
> From: Salvatore Orlando
> Date: Saturday, May 16, 2015 at 12:54 AM
> To: Giuseppa Muscianisi
> Cc: openstack at lists.openstack.org
> Subject: Re: [Openstack] modify policy for security group on neutron
>
> Perhaps you can achieve this by editing policy.json (located by
> default in /etc/neutron).
>
> For instance you can allow only admin users to add security group
> rules to any security group by specifying the following:
>
> "create_security_group_rule": "admin_only"
>
> Similar rules for update and deletion of security group rules will
> prevent you from modifying existing rules.
> This same set of rules will anyway allow admin users to add rules to
> the default security group.
>
> Salvatore
>
>
>
>
> On 15 May 2015 at 09:31, Giuseppa Muscianisi <g.muscianisi at cineca.it> wrote:
>
> Dear all,
>
> in our OpenStack cluster, we would like to restrict the actions that users
> can do with security groups and security group rules.
>
> Here's what we'd like to achieve:
> 1. Lock down security groups (and rules) so that only admin (or tenant
>    admin?) can modify them.
> 2. Add additional rules to the default security group.
>
> Can you please give me some advice on how to achieve these goals?
>
> Thanks in advance, Giusy
>
> --
> ---------------------------------------------------------------
> " Consider your origin:
> you were not made to live as brutes,
> but to follow virtue and knowledge "
>
> Dante Alighieri
> Divina Commedia - Inferno - Canto XXVI
> ---------------------------------------------------------------
>
> Giuseppa Muscianisi, Ph.D.
> CINECA - SuperComputing, Applications and Innovation Department
> Via Magnanelli 6/3, 40033 Casalecchio di Reno (BO) - Italy
> Phone: +39 051 6171 775
> www.cineca.it
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
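A check for the policy.json lockdown discussed in this thread, as an added example that is not part of the original messages: it reports which security group write actions remain open to non-admin users. The sample policy is constructed; action names other than `create_security_group_rule`, the `rule:` reference form, and an admin role named `admin` are assumptions.

```python
import json

# Security group write actions. Names other than create_security_group_rule
# are assumed from Neutron's <verb>_<resource> policy naming convention.
SG_WRITE_ACTIONS = (
    "create_security_group", "update_security_group", "delete_security_group",
    "create_security_group_rule", "delete_security_group_rule",
)

# Constructed sample: only the two rule actions have been locked down.
SAMPLE = """{
  "context_is_admin": "role:admin",
  "admin_only": "rule:context_is_admin",
  "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
  "default": "rule:admin_or_owner",
  "create_security_group_rule": "rule:admin_only",
  "delete_security_group_rule": "rule:admin_only"
}"""

def classify(policy, expr, depth=0):
    """Return 'admin', 'open' or 'unrecognized' for one policy expression."""
    if expr is None or depth > 10:            # undefined rule or alias loop
        return "unrecognized"
    expr = expr.strip()
    if " and " in expr or "not " in expr:     # not modelled by this checker
        return "unrecognized"
    if " or " in expr:                        # any open alternative opens it
        parts = [classify(policy, p, depth + 1) for p in expr.split(" or ")]
        if "open" in parts:
            return "open"
        return "admin" if all(p == "admin" for p in parts) else "unrecognized"
    if expr == "role:admin":                  # assumes the admin role is "admin"
        return "admin"
    if expr.startswith("rule:"):              # follow the alias
        return classify(policy, policy.get(expr[5:]), depth + 1)
    if expr in ("", "@") or ":" in expr:      # always-true or owner-style check
        return "open"
    return "unrecognized"                     # e.g. bare name, no "rule:" prefix

def audit(policy_text):
    """Map each security group write action to its effective classification."""
    policy = json.loads(policy_text)
    # An action with no entry of its own falls back to the "default" rule.
    return {a: classify(policy, policy.get(a, policy.get("default")))
            for a in SG_WRITE_ACTIONS}

if __name__ == "__main__":
    for action, status in audit(SAMPLE).items():
        print(f"{action:30} {status}")
```

Actions reported as `open` still follow the owner-or-admin default, so locking down only the rule actions leaves group creation, update and deletion available to tenants.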