Hello:

The SG rule object only has the SG ID reference. In order to create a rule to prevent the deletion of a SG rule depending on the SG, that could be something like this:
"delete_security_group_rule":
"not rule:field:security_group_rules:security_group_id=<SG ID>"

Of course, this is not practical because that implies adding a random UUID to the policies file.

In order to implement this feature, a standardized field in the SG rule object could be needed. For example, a read-only flag like "default_security_group". This field will be populated by the Neutron server during the SG rule creation and will be accessible via API (as mentioned, read only). This field could be used by the policy engine with a rule like:
"delete_security_group_rule":
"rule:field:security_group_rules:default_security_group=False"
I'm marking this bug as RFE.
Regards.
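The two policy variants discussed in the comment above, as an added worked example that is not part of the bug thread and not Neutron or oslo.policy code. It is a toy evaluator that models, loosely, how a Neutron "field:<collection>:<attribute>=<value>" check compares a literal in the policy string against the target object (in Neutron's policy file the field check is written directly as "field:...", for example the long-standing "field:networks:shared=True"; the "rule:" prefix references another named rule, so the example spells the check without it), plus "role:" and "not"/"and"/"or" with a simplified grammar. The "default_security_group" attribute is the flag proposed in the comment, not an existing attribute; the admin override in the second policy, the sample UUIDs and the credential dicts are assumptions constructed for the example. Running it shows the practical problem with the UUID variant: every project gets its own default SG, so a policy pinned to one UUID protects only that project's default rules, while the flag variant covers all of them.

```python
"""Toy evaluator for Neutron-style policy rules with a 'field:' check.

Added illustration for the RFE discussion above; not Neutron or oslo.policy
code. The 'default_security_group' attribute is the proposed flag, not an
existing one, and the sample identifiers below are constructed.
"""


def _convert(literal):
    """Turn the literal in a policy string into the type to compare against.
    Assumption: only booleans need conversion here; Neutron derives this from
    the resource attribute map instead."""
    if literal.lower() == "true":
        return True
    if literal.lower() == "false":
        return False
    return literal


def evaluate(expr, target, creds, rules):
    """Evaluate one rule string against a target object and caller creds.
    Toy grammar: 'or' binds weakest, then 'and', then 'not'; no parentheses."""
    expr = expr.strip()
    if " or " in expr:
        return any(evaluate(p, target, creds, rules) for p in expr.split(" or "))
    if " and " in expr:
        return all(evaluate(p, target, creds, rules) for p in expr.split(" and "))
    if expr.startswith("not "):
        return not evaluate(expr[4:], target, creds, rules)
    if expr == "@":          # oslo.policy: always allow
        return True
    if expr == "!":          # oslo.policy: always deny
        return False
    kind, _, match = expr.partition(":")
    if kind == "rule":       # reference to another named rule in the same file
        return evaluate(rules[match], target, creds, rules)
    if kind == "role":       # caller holds this role
        return match in creds.get("roles", ())
    if kind == "field":      # field:<collection>:<attribute>=<literal>
        _collection, _, attr_value = match.partition(":")
        attr, _, literal = attr_value.partition("=")
        return target.get(attr) == _convert(literal)
    raise ValueError("unsupported check: %r" % expr)


# Constructed sample data (not real identifiers): two projects, each with the
# default SG Neutron creates for it, plus one user-created SG in project A.
DEFAULT_SG_PROJECT_A = "11111111-1111-4111-8111-111111111111"
DEFAULT_SG_PROJECT_B = "22222222-2222-4222-8222-222222222222"
CUSTOM_SG_PROJECT_A = "33333333-3333-4333-8333-333333333333"


def sg_rule(sg_id, is_default):
    """SG rule object as the API would return it. 'default_security_group' is
    the proposed read-only flag the server would populate on creation."""
    return {"security_group_id": sg_id, "direction": "ingress",
            "default_security_group": is_default}


# Variant 1: pin one default SG's UUID in the policy file.
UUID_POLICY = {
    "delete_security_group_rule":
        "not field:security_group_rules:security_group_id=" + DEFAULT_SG_PROJECT_A,
}

# Variant 2: use the proposed flag. The admin override is an added assumption.
FLAG_POLICY = {
    "admin_only": "role:admin",
    "delete_security_group_rule":
        "rule:admin_only or field:security_group_rules:default_security_group=False",
}

MEMBER = {"roles": ["member"]}            # constructed caller credentials
ADMIN = {"roles": ["member", "admin"]}


def may_delete(policy, rule_obj, creds=MEMBER):
    """Decision for delete_security_group_rule on one SG rule object."""
    return evaluate(policy["delete_security_group_rule"], rule_obj, creds, policy)


if __name__ == "__main__":
    cases = (("default SG, project A", DEFAULT_SG_PROJECT_A, True),
             ("default SG, project B", DEFAULT_SG_PROJECT_B, True),
             ("custom SG, project A", CUSTOM_SG_PROJECT_A, False))
    for name, policy in (("uuid policy", UUID_POLICY), ("flag policy", FLAG_POLICY)):
        for label, sg_id, is_default in cases:
            print("%-11s %-22s delete allowed: %s"
                  % (name, label, may_delete(policy, sg_rule(sg_id, is_default))))
```

The point to watch in the output is the second case: under the UUID policy a member can still delete project B's default SG rules, because the policy file only names project A's UUID; under the flag policy both defaults are refused for a member and only the admin override permits it.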