Comment 2 for bug 2019960

Paolo E. Mazzon (pemazzon) wrote : Re: Can't protect the "default" security group from regular users

Hi, this is, in my opinion, the problem: "if you want to prevent a user from modifying the security group of other user". The default SG is not another user's SG: it's the SG you inherit - and that is 'forced' on your stuff - when you join a project (OK, you can duplicate it and remove the default one from your VMs...). Nothing wrong if this is managed by the project manager, who, I think, is responsible for the shared resources, but I see a problem when my VMs are working properly and suddenly they stop working because someone else - with no particular privileges - tampers with something they don't own exclusively. Other resources have the concept of "owner" attached (VMs, volumes, networks, ...) so they can have their access regulated through policies; why can't security groups? By the way: this bug report stems from this post

https://lists.openstack.org/pipermail/openstack-discuss/2023-May/033719.html

where 2 different Neutron developers agreed that the default SG is missing something and/or should be handled differently. (Please note: with this I don't mean to force them into solving this :-D )