document port security behavior when updating network

I believe this was by design:

    The attribute of network affects only at port creation. The already created ports aren’t affected when the value of network is changed.

from http://specs.openstack.org/openstack/neutron-specs/specs/kilo/ml2-ovs-portsecurity.html

The RFE in bugzilla doesn't directly map to the feature here.

Yes, I think that at port creation the port_security flag is copied to the port.

Opposed to the qos implementation, where a change to the network will affect the port,
unless the port has an specific setting for it.

There is one minor issue. When user does "neutron port-show <id>", the default value will show "port_security_enabled | True", even when this is not the case since "Port does not have port security binding". Should this be fixed?

I suppose port_security_enabled is True, there will be restrictions in the iptables to limit the traffic come in/out the port. If port_security_enabled is False, any traffic could come in/out.
What do you mean "Port does not have port security binding"? Do i misunderstand "port_security"?

That is actually the message from the exception that is thrown if one tries to modify the port_security of a port that was created before port_security extension was enabled.

Related bug 1509312

I believe this works as intended in that the port security flag is inherited by a port when a port is created. The flag on the network is simply a marker to determine the default security policy to apply on the port, but once that happens, the port flag is sticky. Forcing the flag to change for all ports on a network based on a net-update may have interesting performance effects, and I advice for changing the current behavior. That said, let's raise this for discussion at the neutron drivers level.

Status update:

http://eavesdrop.openstack.org/meetings/neutron_drivers/2016/neutron_drivers.2016-03-24-22.01.log.html#l-10

We should document the expected behavior of this feature: Changing the attribute on the network won't cascade to ports belonging to the network, but it's simply changing the default value to be associated at port creation, if the user doesn't specify one.

Armando - I imagine the update for this would now be in the networking guide, which belongs in the neutron repo?

Yes. I'll refresh.

Fix proposed to branch: master
Review: https://review.openstack.org/510224

There isn't much in our admin guide today in regards to port security and moreover we don't have a complete API reference for port security or allowed address pairs. That said, I've proposed to add the api-ref for these to close out this bug. This should be one of the first places consumers look when understanding how our APIs work. The other option would be to add some new documentation on allowed addr pairs and psec to the admin guide, but that could be a substantial piece of work.

Feel free to comment on the patch in regards to this approach/solution.

Reviewed: https://review.openstack.org/510224
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=cb9db6037d560e719de912234e078a10f0510b3f
Submitter: Zuul
Branch: master

commit cb9db6037d560e719de912234e078a10f0510b3f
Author: Boden R <email address hidden>
Date: Fri Oct 6 13:44:14 2017 -0600

    complete api-ref for addr pairs and port security

    The API reference for the allowed address pairs and port security
    extensions were only partially implemented. This patch finishes up
    the API ref for them and makes some additional clean-ups in the existing
    api-ref that was in place for them.

    Change-Id: If0d56e848fd45fc5b7d6665cf423985ffde71129
    Closes-Bug: #1453667

This issue was fixed in the openstack/neutron-lib 1.12.0 release.