[
https://issues.apache.org/jira/browse/WHIRR-336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13529605#comment-13529605
]
Paul Baclace edited comment on WHIRR-336 at 12/12/12 7:04 PM:
--------------------------------------------------------------
The description/discussion is a bit vague. Here are 2 possible interpretations:
1. "fully predefined rules, only make membership changes": specify a
pre-defined security group to use (just allocate host instances as members of
the group, remove added members on shutdown, and don't delete the group when
shutting down); no run-specific sec. group created, specified sec. group must
have all needed rules.
This would be handy for avoiding the possibly slow process of adding rules to
a sec. group, and it enables a member-wide-open rule (like "all members can see
each other on all ports") that is very handy and much like a DMZ LAN behind a
firewall to the rest of the universe. (Rationale: I have seen post-Whirr sec.
group manipulations take 6-10 sec. per port opened.)
2. "additional, default permissions": in addition to the automatic sec. group
(say whirr#<cluster-name>#<role>#<region>), all allocated instances are added
as members to the predefined group, and removed upon shutdown, and the
predefined group would not be deleted.
Of course, the pre-defined sec. group need not be a single group, it could be a
list of groups.
I would be happy with either 1 or 2.
Overall, considering clouds without security groups, a strategy pattern could
be useful here.
was (Author: pbaclace):
The description/discussion is a bit vague. Here are 2 possible
interpretations:
1. "fully predefined rules, only make membership changes": specify a
pre-defined security group to use (just allocate host instances as members of
the group, remove added members on shutdown, and don't delete the group when
shutting down); no run-specific sec. group created, specified sec. group must
have all needed rules.
This would be handy for avoiding the possibly slow process of adding rules to
a sec. group, and it enables a member-wide-open rule (like "all members can see
each other on all ports") that is very handy and much like a DMZ LAN behind a
firewall to the rest of the universe. (Rationale: I have seen post-Whirr sec.
group manipulations take 6-10 sec. per port opened.)
2. "additional, default permissions": in addition to the automatic sec. group
(say whirr#<cluster-name>#<role>#<region>), all allocated instances are added
as members to the predefined group, and removed upon shutdown, and the
predefined group would not be deleted.
Of course, the pre-defined sec. group need not be a single goup, it could be a
list of groups.
I would be happy with either 1 or 2.
Overall, considering clouds without security groups, a strategy pattern could
be useful here.
> Support additional security group option
> ----------------------------------------
>
> Key: WHIRR-336
> URL: https://issues.apache.org/jira/browse/WHIRR-336
> Project: Whirr
> Issue Type: Improvement
> Components: core
> Reporter: Tom White
> Assignee: Andrei Savu
> Fix For: 0.9.0
>
>
> This is WHIRR-9 for the Java version of Whirr.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
