[RFE] Allow sharing security groups as read-only
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Won't Fix | Wishlist | Unassigned |
Bug Description
Currently, security groups can be shared with the rbac system, but the only valid action is `access_as_shared`, which allows the target tenant to create/delete (only) new rules on the security group. This works fine for use-cases where the group should be shared in a nearly equal way.
[Problem description]
Some users/services may want a security group to be visible, but read-only. A prime example of this would be to enable ProjectB to add a security group owned by ProjectA as a remotely trusted group on their own security group.
The immediate need for this is found in the following Octavia patch:
https:/
Octavia would like to share the security group it creates for each load-balancer with the load-balancer's owner, so they can open access to their backend members for only a specific load-balancer.
[Proposed solution]
Add a new action type for security group RBAC: `access_
[Alternatives]
Overload `access_
Changed in neutron:
importance: Undecided → Wishlist
Changed in neutron:
assignee: nobody → Adam Harwell (adam-harwell)
Changed in neutron:
assignee: Adam Harwell (adam-harwell) → Brian Haley (brian-haley)
I think that this rfe makes sense. Let's discuss it on our next drivers meeting.