[RFE] Support security-group-rule creation with address-groups

Bug #1592028 reported by Roey Chen
Affects: neutron | Status: Fix Released | Importance: Wishlist | Assigned to: Miguel Lavalle | Milestone: none

Bug Description

Currently, security-group rules can be created with the remote-ip-prefix attribute to specify an origin (if ingress) or destination (if egress) address filter. This RFE suggests the use of address-groups (groups of IP CIDR blocks, as defined for FWaaS v2) to support multiple remote addresses in one security-group rule.

[Problem description]
An OpenStack cloud may require connectivity between instances and external services which are not provisioned by OpenStack; each service may also have multiple endpoints. In order for tenant instances to be able to access these external hosts (and only them), it is required to define a security-group with rules that allow traffic to these specific services, one rule per service endpoint (assuming endpoint addresses aren't contiguous).
This process can easily become cumbersome: for each new service endpoint it is required to create a specific rule for each tenant.

To overcome this usability issue, it is suggested that Neutron will support an API to group IP CIDR blocks in an object which could later be referenced when creating a security-group-rule; the user will pass the AddressGroup object id as the 'remote-ip-prefix' attribute or as another new attribute.
Whenever it's required to add a service endpoint, the new IP address will be added to the relevant AddressGroup; as a side effect, changes will be reflected in the underlying security-group rules.

NOTE: For the purpose of the use-case above, the default allow-egress rules are removed ("zero trust" model) once the default sg is created.

A possible example of use in the CLI:

$ neutron address-group-create --cidrs 1.1.1.1,2.2.2.2 "External Services"
$ neutron security-group-rule-create --direction egress --remote-address-group <AG_ID>
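The mechanism the RFE proposes, as an added toy model (not Neutron's code): rules that reference an address group are resolved to concrete CIDRs at expansion time, so a later change to the group is reflected in the effective rules without touching the rule itself. The class and attribute names (AddressGroup, remote_address_group_id) are assumptions modelled on the RFE text, not the real Neutron API.

```python
"""Toy model of address groups referenced by security-group rules (added example,
not Neutron code; names are assumptions modelled on the RFE text)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AddressGroup:
    id: str
    name: str
    cidrs: Set[str] = field(default_factory=set)

    def add_cidr(self, cidr: str) -> None:
        # strict=True rejects prefixes with host bits set, e.g. "10.0.0.1/24";
        # a bare address such as "1.1.1.1" is normalised to "1.1.1.1/32".
        self.cidrs.add(str(ipaddress.ip_network(cidr, strict=True)))

    def remove_cidr(self, cidr: str) -> None:
        self.cidrs.discard(str(ipaddress.ip_network(cidr, strict=True)))


@dataclass
class SecurityGroupRule:
    direction: str                      # "ingress" or "egress"
    ethertype: str = "IPv4"
    remote_ip_prefix: Optional[str] = None
    remote_address_group_id: Optional[str] = None


def expand_rules(rules: List[SecurityGroupRule],
                 groups: Dict[str, AddressGroup]) -> List[Tuple[str, str]]:
    """Resolve rules to the concrete (direction, cidr) pairs an agent would program.
    Group members are read at expansion time, so editing a group after a rule
    references it changes what the rule matches on the next expansion."""
    expanded: List[Tuple[str, str]] = []
    for rule in rules:
        if rule.remote_ip_prefix and rule.remote_address_group_id:
            raise ValueError("remote_ip_prefix and remote_address_group_id are exclusive")
        if rule.remote_address_group_id:
            group = groups[rule.remote_address_group_id]  # KeyError on a dangling reference
            version = 4 if rule.ethertype == "IPv4" else 6
            # Only members of the rule's ethertype are programmed; others are skipped.
            members = sorted(c for c in group.cidrs
                             if ipaddress.ip_network(c).version == version)
        else:
            members = [rule.remote_ip_prefix or ("0.0.0.0/0" if rule.ethertype == "IPv4" else "::/0")]
        expanded.extend((rule.direction, cidr) for cidr in members)
    return expanded


def is_allowed(rules, groups, direction: str, remote_ip: str) -> bool:
    """True if traffic in `direction` with the given remote address matches any rule."""
    addr = ipaddress.ip_address(remote_ip)
    return any(d == direction and addr in ipaddress.ip_network(cidr)
               for d, cidr in expand_rules(rules, groups))
```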

Changed in neutron:
importance: Undecided → Wishlist
tags: added: rfe sg-fw
Changed in neutron:
status: New → Confirmed
Roey Chen (roeyc)
Changed in neutron:
assignee: nobody → Roey Chen (roeyc)
Armando Migliaccio (armando-migliaccio) wrote :

Let's bring this for discussion.

Changed in neutron:
status: Confirmed → Triaged
Armando Migliaccio (armando-migliaccio) wrote :

This needs a full spec. Can't be approved unless a capable approver volunteers to follow through the pipeline.

tags: added: rfe-postponed
removed: rfe
Armando Migliaccio (armando-migliaccio) wrote :

Best effort.

Roey Chen (roeyc) wrote :
tags: added: rfe-triaged
removed: rfe-postponed
YAMAMOTO Takashi (yamamoto) wrote :

Can address groups be modified after being referenced by security groups?
It might be a bit complex to implement correctly.

Miguel Lavalle (minsel)
Changed in neutron:
assignee: Roey Chen (roeyc) → Miguel Lavalle (minsel)
Slawek Kaplonski (slaweq) wrote :

We were discussing this RFE at the last drivers meeting: http://eavesdrop.openstack.org/meetings/neutron_drivers/2020/neutron_drivers.2020-04-03-14.00.log.html#l-19 and it is now accepted.
Please now provide a spec with the new API definitions for review.

Please also keep in mind that this note:

NOTE: For the purpose of the use-case above, the default allow-egress rules are removed ("zero trust" model) once the default sg is created.

is not going to be implemented as part of this RFE.

tags: added: rfe-approved
removed: rfe-triaged
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-specs (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/721737

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-specs (master)

Reviewed: https://review.opendev.org/721737
Committed: https://git.openstack.org/cgit/openstack/neutron-specs/commit/?id=35fe0e3b0d12521d63ad36df11000311b2beaa02
Submitter: Zuul
Branch: master

commit 35fe0e3b0d12521d63ad36df11000311b2beaa02
Author: Hang Yang <email address hidden>
Date: Mon Apr 20 13:57:07 2020 -0500

    Support address groups in security group rules

    This specification describes how to support address groups in
    security group rules.

    Change-Id: Ib58afde9ed58092ffbc94f7d522d5f5d034b832b
    Related-Bug: #1592028

Slawek Kaplonski (slaweq) wrote :
Changed in neutron:
milestone: none → victoria-2
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/741784

Changed in neutron:
milestone: victoria-2 → none
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/741784
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=750141e6cedcc0d91973f7532a5dc150b66dcce6
Submitter: Zuul
Branch: master

commit 750141e6cedcc0d91973f7532a5dc150b66dcce6
Author: Miguel Lavalle <email address hidden>
Date: Fri Jul 17 17:53:48 2020 -0500

    API definition for SG group rules address groups.

    This change adds the API definition for address groups.

    Change-Id: Ib478520fbc596554139aa1bee27fc76db4cf6c42
    Related-Bug: #1592028

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/759117

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/757653
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4937928652e91e8e14c2c96d3ed8a46201068ac4
Submitter: Zuul
Branch: master

commit 4937928652e91e8e14c2c96d3ed8a46201068ac4
Author: Miguel Lavalle <email address hidden>
Date: Mon Oct 12 16:39:08 2020 -0500

    Server-side push notifications for address groups

    Adds server side code to enable the ML2 plugin to push notifications for
    address groups. A follow up patch adds the corresponding code for the
    OVS agent to process the notifications.

    Change-Id: I49fc6e41a69f849a14da2ae67d1e4bff561dd4ec
    Related-Bug: #1592028

Changed in neutron:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/759117
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=25a694c0984a472cab988e34062a0bce92100a60
Submitter: Zuul
Branch: master

commit 25a694c0984a472cab988e34062a0bce92100a60
Author: Miguel Lavalle <email address hidden>
Date: Tue Oct 20 17:37:22 2020 -0500

    Agent side push notifications for address groups

    Adds agent side code to enable the OVS agent to receive address groups
    from the push notifications cache.

    Change-Id: I1f27eccb2a69c553631fdc12d34e9025925844c5
    Partial-Bug: #1592028

Changed in neutron:
status: In Progress → Fix Released