RFE: extend security group rules to support logging
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Won't Fix | Wishlist | Unassigned |
Bug Description
It is important for operators to have visibility for security rule enforcements, as described in [1]. A specific requirement is to be able to control logging behaviour at rule level.
A typical use case is, when defining rules for a new application, or when an application has new clients, the user wants to observe/learn what the active flows are in a "monitoring" phase, to avoid missing rules. During this phase, an "allow any" rule can be added to the security group for that application, and packets hitting that rule can be logged (with rate limiting).
For this purpose, rule level logging enabling/disabling is required. Instead of a generic logging API, this RFE proposes a simple extension to the security rule resource, to add a "log" property. It will be each plugin's choice whether and how to support it. Take networking-ovn as an example: it will be straightforward to translate this into the "log" keyword in OVN ACL.
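As an added illustration of the proposal (not networking-ovn's code), the function below shows how a per-rule "log" flag on a security group rule could be carried through to the "log" column of an OVN ACL row; the match syntax follows OVN's logical-flow grammar, and the port-group naming (`@<sg_id>`) and default priority are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SGRule:
    """Subset of a Neutron security group rule plus the proposed 'log' property."""
    direction: str                   # 'ingress' or 'egress'
    ethertype: str = "IPv4"
    protocol: Optional[str] = None   # 'tcp', 'udp', 'icmp' or None for any
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None
    log: bool = False                # proposed extension: log packets hitting this rule


def sg_rule_to_ovn_acl(rule: SGRule, sg_id: str, priority: int = 1002) -> dict:
    """Translate one SG rule into an OVN ACL row (dict of ACL columns).

    priority/direction/match/action/log are real OVN ACL columns; the port
    group name '@<sg_id>' and the priority value are assumed for this example.
    """
    ingress = rule.direction == "ingress"
    ip = "ip4" if rule.ethertype == "IPv4" else "ip6"
    # Ingress rules filter on the destination logical port (to-lport) and the
    # remote *source* address; egress is the mirror image.
    terms = [f"{'outport' if ingress else 'inport'} == @{sg_id}", ip]
    if rule.remote_ip_prefix:
        terms.append(f"{ip}.{'src' if ingress else 'dst'} == {rule.remote_ip_prefix}")
    if rule.protocol:
        terms.append(rule.protocol)
        if rule.port_min is not None:
            if rule.port_max is None or rule.port_max == rule.port_min:
                terms.append(f"{rule.protocol}.dst == {rule.port_min}")
            else:
                terms.append(
                    f"{rule.port_min} <= {rule.protocol}.dst <= {rule.port_max}")
    return {
        "priority": priority,
        "direction": "to-lport" if ingress else "from-lport",
        "match": " && ".join(terms),
        "action": "allow-related",
        "log": rule.log,              # the per-rule flag ends up here
    }
```

A "monitoring phase" rule as described above is simply `SGRule(direction="ingress", log=True)` with no protocol or prefix, which yields a match on the port group alone with `log` set.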
Changed in neutron | |
---|---|---
importance | Undecided → Wishlist |
status | New → Confirmed |
status | Confirmed → Won't Fix |
Is this an alternate approach to [1], or is the idea to supplement [1]?
If we're considering supplementing [1], I would've expected the proposal herein to leverage the constructs set forth there. For example, perhaps the 'resource_type' (see [1]) here could be 'security_group_rule'.
[1] https://review.openstack.org/#/c/203509/