neutron

[RFE] Security groups resources are not extendable

Bug #1529109 reported by Roey Chen
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Wishlist
Kevin Benton
neutron mitaka-3 "m3"

Bug Description

The Security Groups extension enables tenant/project to secure its
instances, and covers fairly common use cases where tenant may require to use this feature, however, there are some use-cases which can't be expressed by the current API:
e.g - Allow ingress multicast traffic for a specific set of multicast
addresses.

Some of these use cases are naturally fitting to the security-group flow of use, without impairing its simplicity.
Sure, such enhancements to the security-group API may lack support in some implementations or might not be even relevant - this is why such additions to the API should be introduced by a separate extension.
For example, The "l3" extension defines the 'routers' resource, which is being further extended by "router_availability_zone".

To support the option of extending security-group/-rules resources, for the reasons described above, the Securitygroup class in neutron/extensions/securitygroup should override the base method "update_attributes_map" so that the resources it defines ("security-group" and "security-group-rules") may be extended by other extensions.

For example, the "l3" extension descriptor object overrides the same base method, this allows other extensions like "router_availability_zone" to extend the "routers" resource.

See original description
Tags: rfe-approved
Roey Chen (roeyc)
description: updated
Changed in neutron:
assignee: nobody → Roey Chen (roeyc)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/261338

Changed in neutron:
status: New → In Progress
Roey Chen (roeyc)
description: updated
Revision history for this message
Sean M. Collins (scollins) wrote : Re: Secuirty groups resources are not extendable

What multicast addresses are you looking to create in your security group rules? If you want specific multicast addresses, couldn't you make rules for each one? Maybe some examples could help me follow the use case and how the current security group API isn't letting you do what you're looking to do.

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote : Re: [RFE] Secuirty groups resources are not extendable

My main concern on the patch itself was that implications of the change introduced and the fact that I felt it wasn't 'trivial' enough to be allowed to go in as a simple fix. Perhaps we need to gather more input and the drivers meeting forum may be the right one.

tags: added: rfe
Changed in neutron:
importance: Undecided → Wishlist
summary: - Secuirty groups resources are not extendable
+ [RFE] Secuirty groups resources are not extendable
Changed in neutron:
status: In Progress → Triaged
Carl Baldwin (carl-baldwin)
summary: - [RFE] Secuirty groups resources are not extendable
+ [RFE] Security groups resources are not extendable
Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

I believe there should be no difference in extensibility for all resource types. If we support that for routers or ports, same should be true for secgroups.

I am not a fan of extensions, but since we already have them, I guess it's worth being consistent.

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Status update:

http://eavesdrop.openstack.org/meetings/neutron_drivers/2016/neutron_drivers.2016-02-11-22.00.log.html#l-234

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

In a nutshell: let's ponder on this some more and give people the opportunity to comment.

Revision history for this message
Salvatore Orlando (salvatore-orlando) wrote :

I strongly believe extensions should die in a fire.
However, extensions are probably also the drug that keeps neutron alive.

So at least let's be consistent in they way they work.
Either we enable extensions on extensions (cough!!!) on every resource or on no resource.
Since there are already many extensions extending the l3 resource, why should security groups be different?

Is that because that's an API that have to stay as close as possible to AWS' because it originated from there?

In that case, I'd like to note that humans evolved from monkeys in a quite remarkable way.
Now I need to go and have a banana folks.

Revision history for this message
Salvatore Orlando (salvatore-orlando) wrote :

To be more precise... human and monkeys evolved from a common, now-extinct common primate ancestor.

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Status update:

http://eavesdrop.openstack.org/meetings/neutron_drivers/2016/neutron_drivers.2016-02-18-22.01.log.html#l-96

tags: added: rfe-approved
removed: rfe
Changed in neutron:
status: Triaged → In Progress
milestone: none → mitaka-3
OpenStack Infra (hudson-openstack)
Changed in neutron:
assignee: Roey Chen (roeyc) → Kevin Benton (kevinbenton)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/261338
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=18bc556bd44c5f73e37dbc9687c7792065440722
Submitter: Jenkins
Branch: master

commit 18bc556bd44c5f73e37dbc9687c7792065440722
Author: Roey Chen <email address hidden>
Date: Thu Dec 24 06:50:00 2015 -0800

    Allow other extensions to extend Securitygroup resources

    The Neutron Securitygroup extension defines two resources:
    security-group
    security-group-rule

    So that other extensions could extend one or both of this resources, the
    security-group extension descriptor must override the base class method,
    "neutron.extensions.ExtensionDescriptor.update_attributes_map".

    Change-Id: I8c462a4ee6f60ef716bf9e4d7f83a35c7e1dead0
    Closes-Bug: #1529109

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
Thierry Carrez (ttx) wrote : Fix included in openstack/neutron 8.0.0.0b3

This issue was fixed in the openstack/neutron 8.0.0.0b3 development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.