[RFE] Security groups resources are not extendable

Bug #1529109 reported by Roey Chen on 2015-12-24
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Kevin Benton

Bug Description

The Security Groups extension enables tenant/project to secure its
instances, and covers fairly common use cases where tenant may require to use this feature, however, there are some use-cases which can't be expressed by the current API:
e.g - Allow ingress multicast traffic for a specific set of multicast

Some of these use cases are naturally fitting to the security-group flow of use, without impairing its simplicity.
Sure, such enhancements to the security-group API may lack support in some implementations or might not be even relevant - this is why such additions to the API should be introduced by a separate extension.
For example, The "l3" extension defines the 'routers' resource, which is being further extended by "router_availability_zone".

To support the option of extending security-group/-rules resources, for the reasons described above, the Securitygroup class in neutron/extensions/securitygroup should override the base method "update_attributes_map" so that the resources it defines ("security-group" and "security-group-rules") may be extended by other extensions.

For example, the "l3" extension descriptor object overrides the same base method, this allows other extensions like "router_availability_zone" to extend the "routers" resource.

Roey Chen (roeyc) on 2015-12-24
description: updated
Changed in neutron:
assignee: nobody → Roey Chen (roeyc)

Fix proposed to branch: master
Review: https://review.openstack.org/261338

Changed in neutron:
status: New → In Progress
Roey Chen (roeyc) on 2015-12-25
description: updated

What multicast addresses are you looking to create in your security group rules? If you want specific multicast addresses, couldn't you make rules for each one? Maybe some examples could help me follow the use case and how the current security group API isn't letting you do what you're looking to do.

My main concern on the patch itself was that implications of the change introduced and the fact that I felt it wasn't 'trivial' enough to be allowed to go in as a simple fix. Perhaps we need to gather more input and the drivers meeting forum may be the right one.

tags: added: rfe
Changed in neutron:
importance: Undecided → Wishlist
summary: - Secuirty groups resources are not extendable
+ [RFE] Secuirty groups resources are not extendable
Changed in neutron:
status: In Progress → Triaged
summary: - [RFE] Secuirty groups resources are not extendable
+ [RFE] Security groups resources are not extendable

I believe there should be no difference in extensibility for all resource types. If we support that for routers or ports, same should be true for secgroups.

I am not a fan of extensions, but since we already have them, I guess it's worth being consistent.

In a nutshell: let's ponder on this some more and give people the opportunity to comment.

I strongly believe extensions should die in a fire.
However, extensions are probably also the drug that keeps neutron alive.

So at least let's be consistent in they way they work.
Either we enable extensions on extensions (cough!!!) on every resource or on no resource.
Since there are already many extensions extending the l3 resource, why should security groups be different?

Is that because that's an API that have to stay as close as possible to AWS' because it originated from there?

In that case, I'd like to note that humans evolved from monkeys in a quite remarkable way.
Now I need to go and have a banana folks.

To be more precise... human and monkeys evolved from a common, now-extinct common primate ancestor.

tags: added: rfe-approved
removed: rfe
Changed in neutron:
status: Triaged → In Progress
milestone: none → mitaka-3
Changed in neutron:
assignee: Roey Chen (roeyc) → Kevin Benton (kevinbenton)

Reviewed: https://review.openstack.org/261338
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=18bc556bd44c5f73e37dbc9687c7792065440722
Submitter: Jenkins
Branch: master

commit 18bc556bd44c5f73e37dbc9687c7792065440722
Author: Roey Chen <email address hidden>
Date: Thu Dec 24 06:50:00 2015 -0800

    Allow other extensions to extend Securitygroup resources

    The Neutron Securitygroup extension defines two resources:

    So that other extensions could extend one or both of this resources, the
    security-group extension descriptor must override the base class method,

    Change-Id: I8c462a4ee6f60ef716bf9e4d7f83a35c7e1dead0
    Closes-Bug: #1529109

Changed in neutron:
status: In Progress → Fix Released

This issue was fixed in the openstack/neutron development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers