Re: [openstack-dev] [Openstack][Neutron]Why we use security group which only supports dispatching whitelist rules?

2017-04-28 Thread Akihiro Motoki
2017-04-28 7:03 GMT+09:00 Monty Taylor :
> On 04/25/2017 10:32 AM, Gary Kotton wrote:
>>
>> Hi,
>> I would like us to think of considering enabling an API that would allow
>> ‘deny’, for example an admin could overwrite a tenant’s security groups. For
>> example, an admin may not want a specific source range to access the
>> tenant’s VMs. The guys working on FWaaS say that this may happen in V2, but
>> that looks very far away. Making this change in Neutron would be pretty
>> simple and give us a nice feature add.
>> If you would like to work on this I would be happy to develop this with
>> you. It could be added as an extension.
>> Thanks
>> Gary
>>
>> On 4/24/17, 6:37 AM, "Ihar Hrachyshka"  wrote:
>>
>> All traffic is denied by default. OpenStack security groups API is
>> modeled to reflect what AWS does. You may find your needs better
>> served by fwaas plugin for neutron that is not constrained by AWS
>> compatibility.
>
>
> OpenStack does not claim to have or strive for AWS compatibility.
>
> It is not a goal. It may have been one for someone during the writing of the
> security-groups code, and thus may be a good description of why the
> security-groups are structured and behave the way they do. Moving forward,
> AWS compatibility should really never be a reason we do or don't do
> something if that thing is beneficial to our users.

I think one good reason that neutron security group only supports
whitelist rules is to keep rule management simple.
If we support blacklist rules (i.e., deny/reject rules), users need
to consider the order of rules.
If blacklist rules and whitelist rules have overlapping areas, we need
priorities for rules.
Supporting whitelist rules only makes rule management really simple and
I believe this is what the security group API is.

The rough consensus of the neutron community is that more complicated rules
like blacklist rules or rule priorities should go to FWaaS.

This topic was discussed several times in neutron's history and as of now
the above and what Gary and Ihar commented is our consensus.
The main background of the consensus is not just AWS compatibility.
In my understanding it is because of what current users expect of the
security group.
Isn't it confusing from a user's perspective if blacklist rules or rule
priorities are introduced at some point?

There are still gray zones. For example, a request we have received multiple
times is "can neutron provide a way to define a set of default rules for a
new security group?".
It happened several months ago and at that time the proposal was rejected
because it changes what users have even though a feature is discoverable.


>
>
>> On Sun, Apr 23, 2017 at 8:33 PM, 田明明  wrote:
>> > Can we add an "action" to security group rule api, so that we could
>> > dispatch rules with "deny" action? Until now, security group only
>> > supports adding white-list rules but this couldn't satisfy many
>> > people's needs.

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
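An added illustration of Akihiro's ordering argument and Ihar's default-deny point (constructed example code, not Neutron's implementation; the rule sets and addresses are made up): with allow-only rules the verdict is the union of the rules and so cannot depend on rule order, whereas once a "deny" rule overlaps an allow rule the same rule set yields different verdicts under different orderings, which is exactly why a priority field would be needed.

```python
# Constructed example: toy evaluators for security-group-like rule sets.
# Not Neutron code; rule format, addresses and rule sets are made up.
import ipaddress
from itertools import permutations


def matches(rule, src, port):
    """True if a rule's remote prefix and port range cover the packet."""
    lo, hi = rule["ports"]
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["remote"])
            and lo <= port <= hi)


def allow_only(rules, src, port):
    """Whitelist semantics: default deny, any matching rule allows.
    The verdict is the union of the rules, so rule order is irrelevant."""
    return any(matches(r, src, port) for r in rules)


def first_match(rules, src, port):
    """Firewall semantics: the first matching rule's action wins,
    default deny. Here the position of a deny rule decides the verdict."""
    for r in rules:
        if matches(r, src, port):
            return r["action"] == "allow"
    return False


def order_dependent(evaluate, rules, src, port):
    """Does any ordering of the same rule set give a different verdict?"""
    verdicts = {evaluate(list(p), src, port) for p in permutations(rules)}
    return len(verdicts) > 1


# Constructed rule sets: the tenant allows SSH from an office block and
# HTTP(S) from a private range; an admin wants to deny one host in that
# office block (the overriding-deny use case raised in the thread).
WHITELIST = [
    {"action": "allow", "remote": "203.0.113.0/24", "ports": (22, 22)},
    {"action": "allow", "remote": "10.0.0.0/8", "ports": (80, 443)},
]
MIXED = WHITELIST + [
    {"action": "deny", "remote": "203.0.113.7/32", "ports": (22, 22)},
]

if __name__ == "__main__":
    print(allow_only(WHITELIST, "198.51.100.1", 22))                   # False
    print(order_dependent(allow_only, WHITELIST, "203.0.113.7", 22))   # False
    print(order_dependent(first_match, MIXED, "203.0.113.7", 22))      # True
```

The last call is the ambiguity Akihiro describes: the same three rules admit the denied host under one ordering and block it under another, so the API would have to expose a priority to make the outcome well defined.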


Re: [openstack-dev] [Openstack][Neutron]Why we use security group which only supports dispatching whitelist rules?

2017-04-27 Thread Monty Taylor

On 04/25/2017 10:32 AM, Gary Kotton wrote:

Hi,
I would like us to think of considering enabling an API that would allow 
‘deny’, for example an admin could overwrite a tenant’s security groups. For 
example, an admin may not want a specific source range to access the tenant’s 
VMs. The guys working on FWaaS say that this may happen in V2, but that looks 
very far away. Making this change in Neutron would be pretty simple and give us 
a nice feature add.
If you would like to work on this I would be happy to develop this with you. It 
could be added as an extension.
Thanks
Gary

On 4/24/17, 6:37 AM, "Ihar Hrachyshka"  wrote:

All traffic is denied by default. OpenStack security groups API is
modeled to reflect what AWS does. You may find your needs better
served by fwaas plugin for neutron that is not constrained by AWS
compatibility.


OpenStack does not claim to have or strive for AWS compatibility.

It is not a goal. It may have been one for someone during the writing of 
the security-groups code, and thus may be a good description of why the 
security-groups are structured and behave the way they do. Moving 
forward, AWS compatibility should really never be a reason we do or 
don't do something if that thing is beneficial to our users.



On Sun, Apr 23, 2017 at 8:33 PM, 田明明  wrote:
> Can we add an "action" to security group rule api, so that we could 
> dispatch rules with "deny" action? Until now, security group only supports
> adding white-list rules but this couldn't satisfy many people's needs.


Re: [openstack-dev] [Openstack][Neutron]Why we use security group which only supports dispatching whitelist rules?

2017-04-25 Thread Gary Kotton
Hi,
I would like us to think of considering enabling an API that would allow 
‘deny’, for example an admin could overwrite a tenant’s security groups. For 
example, an admin may not want a specific source range to access the tenant’s 
VMs. The guys working on FWaaS say that this may happen in V2, but that looks 
very far away. Making this change in Neutron would be pretty simple and give us 
a nice feature add. 
If you would like to work on this I would be happy to develop this with you. It 
could be added as an extension.
Thanks
Gary

On 4/24/17, 6:37 AM, "Ihar Hrachyshka"  wrote:

All traffic is denied by default. OpenStack security groups API is
modeled to reflect what AWS does. You may find your needs better
served by fwaas plugin for neutron that is not constrained by AWS
compatibility.

Ihar

On Sun, Apr 23, 2017 at 8:33 PM, 田明明  wrote:
> Can we add an "action" to security group rule api, so that we could 
> dispatch rules with "deny" action? Until now, security group only supports
> adding white-list rules but this couldn't satisfy many people's needs.


Re: [openstack-dev] [Openstack][Neutron]Why we use security group which only supports dispatching whitelist rules?

2017-04-23 Thread Ihar Hrachyshka
All traffic is denied by default. OpenStack security groups API is
modeled to reflect what AWS does. You may find your needs better
served by fwaas plugin for neutron that is not constrained by AWS
compatibility.

Ihar

On Sun, Apr 23, 2017 at 8:33 PM, 田明明  wrote:
> Can we add an "action" to security group rule api, so that we could dispatch
> rules with "deny" action? Until now, security group only supports adding
> white-list rules but this couldn't satisfy many people's needs.


[openstack-dev] [Openstack][Neutron]Why we use security group which only supports dispatching whitelist rules?

2017-04-23 Thread 田明明
Can we add an "action" to security group rule api, so that we could dispatch 
rules with "deny" action? Until now, security group only supports adding 
white-list rules but this couldn't satisfy many people's needs.