Security Group Rules can only be specified in one direction

Bug #1325736 reported by Matt
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Won't Fix | Wishlist | Unassigned |
OpenStack Dashboard (Horizon) | Invalid | Wishlist | Unassigned |

Bug Description

It might save users potentially a lot of time if, instead of only offering an INGRESS and an EGRESS direction, they could specify a BOTH direction. Whenever someone needs to enter both an ingress and egress rule for the same port they have to enter it twice, remembering all of the information they need (since it can't be cloned). If they forget to flip the direction the second time from the default value, it'll error out as a duplicate and they'll have to try a third time. If they messed up the second rule, there's no edit, so they would have to delete it if they got a value wrong and do it all over again.

It would be awesome if the UI allowed for specifying both an ingress and egress rule at the same time, even if all it did was create the ingress and egress rows and put them in the table, at least they'd be guaranteed to have the same configuration.

Tags: api ux sg-fw
Revision history for this message
Matt (mreid) wrote :

Adding in neutron and nova since this seems like a similar issue to https://bugs.launchpad.net/horizon/+bug/1326124 and that's how my other bug was labelled.

tags: removed: low-hanging-fruit
tags: added: api
Changed in neutron:
importance: Undecided → Wishlist
status: New → Confirmed
tags: added: sg-fw
Changed in nova:
status: New → Confirmed
importance: Undecided → Wishlist
Changed in horizon:
importance: Undecided → Wishlist
Changed in horizon:
assignee: nobody → Nikunj Aggarwal (nikunj2512)
Changed in horizon:
assignee: Nikunj Aggarwal (nikunj2512) → nobody
Elena Ezhova (eezhova)
Changed in neutron:
assignee: nobody → Elena Ezhova (eezhova)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/140676

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-neutronclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/141039

Changed in python-neutronclient:
assignee: nobody → Elena Ezhova (eezhova)
status: New → In Progress
Elena Ezhova (eezhova) wrote :

Hi Matt, could you please provide an example of a probable use case when a user might need to specify a BOTH direction when creating a security group rule?

Matt (mreid) wrote :

Elena: Back when I filed this, that was how the documentation was written for setting up CloudForms on OpenStack, if you wanted to ensure the proper ports were opened. Looking at the documentation now, it doesn't mention direction anymore, but at the time, there were many that were specified as BOTH, and I had to create two rules for each one, as I could only do INGRESS and EGRESS through the Horizon UI, and I couldn't find a way to specify direction through the nova network CLI command.

https://access.redhat.com/documentation/en-US/CloudForms/3.1/html/Installing_CloudForms_on_Red_Hat_OpenStack_Platform/sect-Security.html

Vivek (viveks-singh)
Changed in horizon:
assignee: nobody → Vivek (viveks-singh)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Elena Ezhova (<email address hidden>) on branch: master
Review: https://review.openstack.org/140676
Reason: There is no really important usecase for this change.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-neutronclient (master)

Change abandoned by Elena Ezhova (<email address hidden>) on branch: master
Review: https://review.openstack.org/141039
Reason: There is no really important usecase for this change.

Elena Ezhova (eezhova)
Changed in python-neutronclient:
status: In Progress → Opinion
Changed in neutron:
status: In Progress → Opinion
no longer affects: neutron
no longer affects: python-neutronclient
Sean Dague (sdague) wrote :

Closing as a possible, though unlikely, future feature

Changed in nova:
status: Confirmed → Opinion
Akihiro Motoki (amotoki) wrote :

Nova API drops security group support, so I mark the status of Nova as Won't Fix.

Changed in nova:
status: Opinion → Won't Fix
Akihiro Motoki (amotoki) wrote :

[comments as my neutron hat]
The demand is still not clear. Security Group behavior is stateful, so the ingress rule and egress rule are completely different.
There is no other feedback like this so far. This is the only one. Use case is not clear. So I don't add neutron to the affected project.

[comments as my horizon hat]
The feature completely depends on the backend service, i.e., neutron now, so there is nothing to do in horizon. Thus this is invalid as horizon.

Changed in horizon:
status: New → Invalid
assignee: Vivek (viveks-singh) → nobody
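
Added example (not part of the bug report and not neutron code): a simplified model of the stateful behaviour mentioned in the last comment, showing why an ingress rule and an egress rule for the same port grant different things. The class names, sample addresses and the single-port rule shape are assumptions made for illustration, and the group is assumed to contain only the rules listed.

```python
# Simplified model of a stateful security group (illustration only, not neutron code).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" or "egress"
    protocol: str    # e.g. "tcp"
    port: int        # destination port of a NEW connection

@dataclass(frozen=True)
class Packet:
    direction: str   # relative to the instance: "ingress" arrives, "egress" leaves
    protocol: str
    local_port: int  # port on the instance
    remote_ip: str
    remote_port: int

@dataclass
class StatefulGroup:
    rules: list
    tracked: set = field(default_factory=set)  # flows already admitted by a rule

    def _flow(self, p):
        return (p.protocol, p.local_port, p.remote_ip, p.remote_port)

    def allows(self, p):
        # Packets on a tracked flow pass in either direction without a rule.
        if self._flow(p) in self.tracked:
            return True
        # A new flow is matched on its destination port: the instance's port
        # for ingress, the remote port for egress.
        dst_port = p.local_port if p.direction == "ingress" else p.remote_port
        for r in self.rules:
            if (r.direction, r.protocol, r.port) == (p.direction, p.protocol, dst_port):
                self.tracked.add(self._flow(p))
                return True
        return False

def demo():
    client, server = "203.0.113.10", "198.51.100.7"  # constructed sample addresses
    sg = StatefulGroup([Rule("ingress", "tcp", 443)])
    inbound_new = sg.allows(Packet("ingress", "tcp", 443, client, 50000))
    reply = sg.allows(Packet("egress", "tcp", 443, client, 50000))
    outbound_new = sg.allows(Packet("egress", "tcp", 40000, server, 443))
    sg.rules.append(Rule("egress", "tcp", 443))  # the second rule a BOTH option would create
    outbound_after = sg.allows(Packet("egress", "tcp", 40000, server, 443))
    return inbound_new, reply, outbound_new, outbound_after

if __name__ == "__main__":
    print(demo())
```

In this model the ingress rule alone already covers replies to inbound connections; the egress rule only adds the ability for the instance to open new outbound connections to port 443, which is a separate grant to review under least privilege.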