[RFE] Allow sharing security groups as read-only

Bug #1875516 reported by Adam Harwell
This bug affects 1 person
Affects: neutron
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Currently, security groups can be shared with the rbac system, but the only valid action is `access_as_shared`, which allows the target tenant to create/delete (only) new rules on the security group. This works fine for use-cases where the group should be shared in a nearly equal way.

[Problem description]
Some users/services may want a security group to be visible, but read-only. A prime example of this would be to enable ProjectB to add a security group owned by ProjectA as a remotely trusted group on their own security group.
The immediate need for this is found in the following Octavia patch:
https://review.opendev.org/723735

Octavia would like to share the security group it creates for each load-balancer with the load-balancer's owner, so they can open access to their backend members for only a specific load-balancer.

[Proposed solution]
Add a new action type for security group RBAC: `access_as_readonly` (or similar, name up for debate). This action would allow the target tenant to see the shared security group with Show/List, but not create/delete new rules for it or change it in any way.

[Alternatives]
Overload `access_as_external` to be valid for security groups as well, and define it to mean the same as above (entirely read-only access). This makes some sense, but it is probably cleaner to simply add a new action.

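To make the distinction in this RFE concrete, here is a small Python model of the security-group RBAC decision it describes (an added example, not Neutron's code or anything from the Octavia patch). It assumes the proposed action is named `access_as_readonly` and that it grants only show/list plus the ability to reference the group as `remote_group_id`, while the existing `access_as_shared` additionally lets the target project create and delete rules on the owner's group; the Octavia scenario in `sample()` is constructed.

```python
from dataclasses import dataclass, field

SHARED = "access_as_shared"            # existing Neutron RBAC action
READONLY = "access_as_readonly"        # proposed in this RFE; name not final

# What a *non-owner* target project may do under each grant. "reference" means
# using the group as remote_group_id in a rule on the target's own group.
ALLOWED = {
    SHARED: {"show", "list", "create_rule", "delete_rule", "reference"},
    READONLY: {"show", "list", "reference"},
}
OWNER_OPS = ALLOWED[SHARED] | {"update", "delete"}

@dataclass
class RbacPolicy:
    object_id: str
    action: str
    target_project: str          # "*" means every project

@dataclass
class SecurityGroup:
    id: str
    project_id: str
    rules: list = field(default_factory=list)

def allowed_ops(sg, project_id, policies):
    """Operations `project_id` may perform on `sg` given the RBAC entries."""
    if project_id == sg.project_id:
        return set(OWNER_OPS)
    ops = set()
    for p in policies:
        if p.object_id == sg.id and p.target_project in ("*", project_id):
            if p.action not in ALLOWED:
                raise ValueError(f"unknown RBAC action {p.action!r}")
            ops |= ALLOWED[p.action]          # several grants are additive
    return ops

def delete_rule(sg, project_id, policies, rule_id):
    """Remove a rule, but only if the RBAC decision permits it."""
    if "delete_rule" not in allowed_ops(sg, project_id, policies):
        raise PermissionError(f"{project_id} may not delete rules on {sg.id}")
    sg.rules = [r for r in sg.rules if r != rule_id]
    return sg.rules

def sample():
    """Constructed scenario: Octavia's per-LB group shared with owner ProjectB."""
    sg = SecurityGroup("sg-lb-1", "octavia", rules=["allow-vip-443"])
    shared = [RbacPolicy("sg-lb-1", SHARED, "ProjectB")]
    readonly = [RbacPolicy("sg-lb-1", READONLY, "ProjectB")]
    return sg, shared, readonly
```

Under the existing action the load balancer's owner can remove Octavia's own rules; under the proposed one it can still point its backend members' rules at the group without being able to alter it.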
Revision history for this message
Slawek Kaplonski (slaweq) wrote :

I think that this RFE makes sense. Let's discuss it at our next drivers meeting.

tags: added: rfe-triaged
Miguel Lavalle (minsel) wrote :

Yes, I also think it makes sense. Looking forward to discussing it in the drivers meeting.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-specs (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/724207

Akihiro Motoki (amotoki)
Changed in neutron:
importance: Undecided → Wishlist
Slawek Kaplonski (slaweq) wrote :

Hi,

We were discussing this at our last drivers meeting and we all agreed that this RFE makes sense. So it's now accepted. Feel free to start working on the implementation.

tags: added: rfe-accepted
removed: rfe-triaged
tags: added: rfe-approved
removed: rfe-accepted
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-specs (master)

Reviewed: https://review.opendev.org/724207
Committed: https://git.openstack.org/cgit/openstack/neutron-specs/commit/?id=ac38aaaf98022ca7448e10c2bd125fa6b7b26e96
Submitter: Zuul
Branch: master

commit ac38aaaf98022ca7448e10c2bd125fa6b7b26e96
Author: Adam Harwell <email address hidden>
Date: Tue Apr 28 18:36:51 2020 -0700

    Allow sharing security groups as read-only

    This specification describes how to allow sharing security groups as
    read-only.

    Change-Id: If2dcec379d4c874df97af12da44aec7060f0abc2
    Related-Bug: #1875516

Changed in neutron:
assignee: nobody → Adam Harwell (adam-harwell)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)

Fix proposed to branch: master
Review: https://review.opendev.org/730736

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/730737

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-tempest-plugin (master)

Fix proposed to branch: master
Review: https://review.opendev.org/730784

Changed in neutron:
assignee: Adam Harwell (adam-harwell) → Brian Haley (brian-haley)
Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: Brian Haley (brian-haley) → nobody
status: In Progress → New
tags: added: timeout-abandon
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-tempest-plugin (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/730784
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
