Comment 4 for bug 2019960

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote : Re: Can't protect the "default" security group from regular users

Hello:

The SG rule object only has the SG ID reference. In order to create a rule that prevents the deletion of an SG rule depending on its SG, that could be something like this:
  "delete_security_group_rule":
    "not rule:field:security_group_rules:security_group_id=<SG ID>"

Of course this is not practical because that implies adding a random UUID to the policies file.

In order to implement this feature, a standardized field in the SG rule object could be needed. For example, a read-only flag like "default_security_group". This field would be populated by the Neutron server during the SG rule creation and would be accessible via API (as commented, read only). This field could be used by the policy engine with a rule like:
  "delete_security_group_rule":
    "rule:field:security_group_rules:default_security_group=False"

I'm marking this bug as RFE.

Regards.
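An added example, not from the bug report and not Neutron's own code, of what the two policy rules discussed in the comment above do when evaluated. It assumes a "field:<resource>:<attribute>=<value>" check (the form Neutron's policy engine supports) with an optional leading "not", evaluated against the attribute dict of the SG rule being deleted. The "default_security_group" flag is the proposed read-only field, not an existing API attribute, and the UUIDs and SG rule objects are constructed sample data. The point it shows: the hard-coded UUID protects exactly one project's default SG and leaves every other project's default SG deletable, while the flag-based rule protects all of them.

```python
"""Toy evaluator for Neutron-style 'field:' policy checks (added example).

The policy strings and the default_security_group attribute are taken from
the proposal in the bug comment; the SG rule objects and UUIDs are constructed.
"""

_BOOL_LITERALS = {"true": True, "false": False}


def _coerce(literal: str, like):
    """Convert the literal from the policy string to the type of the target value.

    Neutron converts using the attribute map of the resource; here the type of the
    attribute already present on the target drives the conversion (assumption).
    """
    if isinstance(like, bool):
        return _BOOL_LITERALS[literal.lower()]
    return literal


def evaluate(rule: str, target: dict) -> bool:
    """Evaluate 'field:<resource>:<attr>=<value>', optionally prefixed by 'not '.

    target is the attribute dict of the object the API call acts on (the SG rule).
    """
    rule = rule.strip()
    if rule == "":
        return True  # empty rule: always allowed
    if rule.startswith("not "):
        return not evaluate(rule[4:], target)
    if not rule.startswith("field:"):
        raise ValueError(f"unsupported check: {rule!r}")
    _, resource, expr = rule.split(":", 2)  # resource only documents the target type here
    attr, _, literal = expr.partition("=")
    if attr not in target:
        return False  # attribute missing on the target: the check cannot match
    return target[attr] == _coerce(literal, target[attr])


# Constructed sample data: two projects, each with a default SG, plus one custom SG.
PROJECT_A_DEFAULT_SG = "0a3f5a3c-1111-4f6d-9c71-0f8b2a7d2001"
PROJECT_B_DEFAULT_SG = "0a3f5a3c-2222-4f6d-9c71-0f8b2a7d2002"
PROJECT_A_CUSTOM_SG = "0a3f5a3c-3333-4f6d-9c71-0f8b2a7d2003"


def sg_rule(sg_id: str, default_sg: bool) -> dict:
    """An SG rule as a policy target; default_security_group is the proposed
    read-only flag the server would populate at rule creation (assumption)."""
    return {"security_group_id": sg_id, "direction": "ingress",
            "default_security_group": default_sg}


SAMPLE_RULES = {
    "a_default": sg_rule(PROJECT_A_DEFAULT_SG, True),
    "b_default": sg_rule(PROJECT_B_DEFAULT_SG, True),
    "a_custom": sg_rule(PROJECT_A_CUSTOM_SG, False),
}

# The two policies from the comment: one with a hard-coded UUID, one with the flag.
UUID_POLICY = {
    "delete_security_group_rule":
        f"not field:security_group_rules:security_group_id={PROJECT_A_DEFAULT_SG}",
}
FLAG_POLICY = {
    "delete_security_group_rule":
        "field:security_group_rules:default_security_group=False",
}


def deletable(policy: dict, target: dict) -> bool:
    """True if the policy allows delete_security_group_rule on this SG rule."""
    return evaluate(policy["delete_security_group_rule"], target)


def compare() -> dict:
    """Per sample SG rule, whether each policy allows deleting it."""
    return {
        name: {"uuid_policy": deletable(UUID_POLICY, target),
               "flag_policy": deletable(FLAG_POLICY, target)}
        for name, target in SAMPLE_RULES.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:10s} {result}")
```

With the UUID policy, project B's default SG rules stay deletable because only project A's UUID is in the file; with the flag policy, both default SGs are protected and the custom SG is not, without any per-project edit to the policy file.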