Only ingress rules are supported in security groups

Bug #1532317 reported by Serg Melikyan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Murano | Fix Released | Wishlist | Dmytro Dovbii |
Kilo | Fix Released | Undecided | Unassigned |
Liberty | Fix Released | Undecided | Unassigned |
Mitaka | Fix Released | Wishlist | Dmytro Dovbii |

Bug Description

There is no way to specify in which direction a security rule should be applied; only ingress is supported. Also, there should be an optional key in the existing parameter specifying the rule's IP protocol version (IPv4/IPv6).

https://github.com/openstack/murano/blob/master/meta/io.murano/Classes/system/NeutronSecurityGroupManager.yaml#L56
https://github.com/openstack/heat/blob/stable/kilo/heat/engine/resources/openstack/neutron/security_group.py#L50

summary: - Can't specify security rule direction
+ Can't specify security rule with egress direction
Stan Lagun (slagun)
summary: - Can't specify security rule with egress direction
+ Only ingress rules are supported in security groups
Changed in murano:
milestone: mitaka-3 → mitaka-2
Stan Lagun (slagun) wrote :

There should be a separate function for egress rules. Also, there should be an optional key in the existing parameter specifying the rule's IP protocol version (IPv4/IPv6). An optimal implementation should make use of it only when it is IPv6, so that it will still be possible to use the class with older versions of OpenStack that do not support IPv6 in cases when IPv4 rules are added (IPv4 is the default, but older versions of Heat will complain about an unknown resource property if IPv4 is specified explicitly).
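
The behaviour requested in the comment above, as an added Python example that is not Murano's or Heat's own code: a rule is translated into an entry for the `rules` list of Heat's `OS::Neutron::SecurityGroup`, and `ethertype` is emitted only for IPv6. The input keys (`protocol`, `from_port`, `to_port`, `cidr`, `direction`, `ethertype`) and the sample rules are assumptions made for this example.

```python
import ipaddress

DIRECTIONS = ("ingress", "egress")
ETHERTYPES = {4: "IPv4", 6: "IPv6"}


def to_heat_rule(rule):
    """Translate one rule dict (hypothetical keys) into Heat rule properties."""
    direction = rule.get("direction", "ingress")   # ingress stays the default
    if direction not in DIRECTIONS:
        raise ValueError("unknown direction: %r" % (direction,))

    ethertype = rule.get("ethertype", "IPv4")      # IPv4 stays the default
    if ethertype not in ETHERTYPES.values():
        raise ValueError("unknown ethertype: %r" % (ethertype,))

    # Fail closed when the CIDR family and the declared ethertype disagree,
    # instead of handing a rule with an unclear meaning to Heat.
    cidr = ipaddress.ip_network(rule["cidr"])
    if ETHERTYPES[cidr.version] != ethertype:
        raise ValueError("%s is not an %s prefix" % (cidr, ethertype))

    heat_rule = {
        "direction": direction,
        "protocol": rule["protocol"],
        "port_range_min": rule["from_port"],
        "port_range_max": rule["to_port"],
        "remote_ip_prefix": str(cidr),
    }
    # Emit ethertype only for IPv6, so templates that contain only IPv4 rules
    # carry no property that an older Heat would reject.
    if ethertype == "IPv6":
        heat_rule["ethertype"] = "IPv6"
    return heat_rule


def security_group_resource(rules):
    """Wrap translated rules in an OS::Neutron::SecurityGroup resource body."""
    return {
        "type": "OS::Neutron::SecurityGroup",
        "properties": {"rules": [to_heat_rule(r) for r in rules]},
    }


# Constructed sample input: one IPv4 ingress rule, one IPv6 egress rule.
SAMPLE_RULES = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "192.0.2.0/24"},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "2001:db8::/32",
     "direction": "egress", "ethertype": "IPv6"},
]

if __name__ == "__main__":
    for entry in security_group_resource(SAMPLE_RULES)["properties"]["rules"]:
        print(entry)
```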

Changed in murano:
importance: High → Wishlist
description: updated
Stan Lagun (slagun)
tags: added: core-library kilo-backport-potential liberty-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to murano (master)

Fix proposed to branch: master
Review: https://review.openstack.org/269517

Changed in murano:
status: Confirmed → In Progress
Changed in murano:
milestone: mitaka-2 → mitaka-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to murano (master)

Reviewed: https://review.openstack.org/269517
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=186612daf708b0ad3199bbf77ea8d3ed0f5eb48e
Submitter: Jenkins
Branch: master

commit 186612daf708b0ad3199bbf77ea8d3ed0f5eb48e
Author: Dmytro Dovbii <email address hidden>
Date: Tue Jan 19 11:36:37 2016 +0200

    [Core-Library] Add ability to specify direction and ethertype for groups

    Previously there was no way to specify in which direction security rule
    should be applied, only ingress was supported. Also it was impossible
    to create IPv6 rules.
    This patch added ability to specify direction and ethertype for
    Neutron security groups and direction - for AWS security groups

    Change-Id: Iba5be7a8a94c34eab3e0e06f95e5358a84a5dd7b
    Closes-Bug: #1532317

Changed in murano:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to murano (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/271971

OpenStack Infra (hudson-openstack) wrote : Fix proposed to murano (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/271972

OpenStack Infra (hudson-openstack) wrote : Fix merged to murano (stable/liberty)

Reviewed: https://review.openstack.org/271971
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=667189d62e5091e88b70e7a77cc7d31eda1f1c6c
Submitter: Jenkins
Branch: stable/liberty

commit 667189d62e5091e88b70e7a77cc7d31eda1f1c6c
Author: Dmytro Dovbii <email address hidden>
Date: Tue Jan 19 11:36:37 2016 +0200

    [Core-Library] Add ability to specify direction and ethertype for groups

    Previously there was no way to specify in which direction security rule
    should be applied, only ingress was supported. Also it was impossible
    to create IPv6 rules.
    This patch added ability to specify direction and ethertype for
    Neutron security groups and direction - for AWS security groups

    Change-Id: Iba5be7a8a94c34eab3e0e06f95e5358a84a5dd7b
    Closes-Bug: #1532317
    (cherry picked from commit 186612daf708b0ad3199bbf77ea8d3ed0f5eb48e)

tags: added: in-stable-liberty
tags: added: security
OpenStack Infra (hudson-openstack) wrote : Fix merged to murano (stable/kilo)

Reviewed: https://review.openstack.org/271972
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=ec5a5af3df1c046618f15d71e7d60db43ddb90f9
Submitter: Jenkins
Branch: stable/kilo

commit ec5a5af3df1c046618f15d71e7d60db43ddb90f9
Author: Dmytro Dovbii <email address hidden>
Date: Tue Jan 19 11:36:37 2016 +0200

    [Core-Library] Add ability to specify direction and ethertype for groups

    Previously there was no way to specify in which direction security rule
    should be applied, only ingress was supported. Also it was impossible
    to create IPv6 rules.
    This patch added ability to specify direction and ethertype for
    Neutron security groups and direction - for AWS security groups

    Change-Id: Iba5be7a8a94c34eab3e0e06f95e5358a84a5dd7b
    Closes-Bug: #1532317
    (cherry picked from commit 186612daf708b0ad3199bbf77ea8d3ed0f5eb48e)

tags: added: in-stable-kilo
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/murano 2.0.0.0b3

This issue was fixed in the openstack/murano 2.0.0.0b3 development milestone.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/murano 2015.1.1

This issue was fixed in the openstack/murano 2015.1.1 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/murano 1.0.3

This issue was fixed in the openstack/murano 1.0.3 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/murano 2015.1.1

This issue was fixed in the openstack/murano 2015.1.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/murano 1.0.3

This issue was fixed in the openstack/murano 1.0.3 release.
