Quantum Security Groups API

Registered by dan wendlandt on 2012-04-28

So far with OpenStack, security groups were implemented by Nova using iptables plus libvirt nwfilters (also based on iptables).

With Quantum, we want to have plugins implement security groups, as packet filtering is highly specific to the type of networking technology being used (e.g., iptables-based filtering is not compatible with SR-IOV NICs).

From Folsom Summit:

  - Dave's slide: http://www.slideshare.net/delapsley1/20120417-osdesignsummitsecuritygroupsdlapsleyfinal
  - Nova has a flag to enable or disable the default group. Should we have that as well?
  - Need to add an option for an Amazon-compatible mode for the default rule. Some want default deny, others want ingress allowed when no rules are defined (the Amazon way).
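As an added illustration of the default-rule question in the notes above (example code written for this page, not code from the Quantum project): a small Python model of allow-only ingress rules with a switch selecting what a group with no rules does. The rule fields and the `no_rules_policy` values are assumptions, not Quantum API attributes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IngressRule:
    """One allow rule of a security group (hypothetical model, not the Quantum API schema)."""
    protocol: Optional[str]      # "tcp", "udp", "icmp"; None matches any protocol
    port_min: Optional[int]      # None matches any port (and protocols without ports)
    port_max: Optional[int]
    remote_cidr: str             # source prefix this rule admits, e.g. "10.0.0.0/8"

    def matches(self, protocol: str, port: Optional[int], src_ip: str) -> bool:
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port_min is not None:
            if port is None or not (self.port_min <= port <= self.port_max):
                return False
        # Prefix test; strict=False tolerates host bits set in the CIDR.
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.remote_cidr, strict=False)


def ingress_allowed(rules: List[IngressRule], protocol: str, port: Optional[int],
                    src_ip: str, no_rules_policy: str = "deny") -> bool:
    """Decide whether an inbound packet reaches a port guarded by `rules`.

    Rules are allow-only: any match admits the packet and no match drops it.
    `no_rules_policy` selects what happens when the group has no rules at all,
    the choice the summit notes leave open: "deny" drops every packet, "allow"
    lets everything through (assumed names for the two options, not API values).
    """
    if no_rules_policy not in ("deny", "allow"):
        raise ValueError("no_rules_policy must be 'deny' or 'allow'")
    if not rules:
        return no_rules_policy == "allow"
    return any(rule.matches(protocol, port, src_ip) for rule in rules)


# Constructed sample group: SSH from the private 10/8 range, ICMP from anywhere.
SAMPLE_RULES = [
    IngressRule("tcp", 22, 22, "10.0.0.0/8"),
    IngressRule("icmp", None, None, "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(ingress_allowed(SAMPLE_RULES, "tcp", 22, "10.1.2.3"))     # True
    print(ingress_allowed(SAMPLE_RULES, "tcp", 22, "192.168.1.1"))  # False
    print(ingress_allowed([], "tcp", 22, "10.1.2.3", "allow"))      # True
```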

Note: This blueprint may be broken into multiple blueprints
- basic extension (already complete?)
- implementations for various plugins.

Blueprint information

Status:
Complete
Approver:
dan wendlandt
Priority:
High
Drafter:
dan wendlandt
Direction:
Approved
Assignee:
Aaron Rosen
Definition:
New
Series goal:
Accepted for grizzly
Implementation:
Implemented
Milestone target:
2013.1
Started by
dan wendlandt on 2012-05-01
Completed by
dan wendlandt on 2012-10-29

Related branches

Sprints

Whiteboard

We still have a mostly working prototype for this, but getting it working with OVS + LB plugins would be significant additional work. Instead, the focus for Folsom will be making sure Quantum works with Nova security groups. This will be an optional extension that some plugins can choose to implement.

--------

This got bumped out of Folsom altogether, but we should get it in ASAP for Grizzly.

Gerrit topic: https://review.openstack.org/#q,topic:bp/quantum-security-groups,n,z

Addressed by: https://review.openstack.org/14262
    Quantum Security Groups API

Addressed by: https://review.openstack.org/14274
    Adds security groups in NVP Plugin

openstack-manual (work in progress) https://review.openstack.org/#/c/14723/

Can we add a new blueprint for nachi's separate work with iptables?

Gerrit topic: https://review.openstack.org/#q,topic:bp/security-groups-nvp,n,z

Addressed by: https://review.openstack.org/15074
    _validate_security_groups_on_port was not validating external_ids

Gerrit topic: https://review.openstack.org/#q,topic:master,n,z

(?)

Work Items

Dependency tree

