Add neutron security group plugin

Registered by Steve McLellan

Add Neutron security group support; this didn't make it into Mitaka for scheduling reasons. Neutron provides notifications for security groups, though it would be good to get created_at/updated_at added to them.

It's difficult to link security group names to ports since there's no hierarchical relationship. To denormalize or not to denormalize, that is the question.

Blueprint information

Status:
Complete
Approver:
Travis Tripp
Priority:
High
Drafter:
Steve McLellan
Direction:
Approved
Assignee:
Rick Aulino
Definition:
Approved
Series goal:
Accepted for newton
Implementation:
Implemented
Milestone target:
newton-2
Started by
Travis Tripp
Completed by
Travis Tripp


Whiteboard

Notifications are reasonably complete but don't include dates. Neutron treats security group rules as an entity apart from groups; it would be simpler for SL to treat them as separate entities too, but that is a bit weird logically.

API response (after creating a group and adding a rule):
{'security_groups': [{u'description': u'A test security group',
   u'id': u'223c7074-e593-43f2-a0e6-f6d87ee8fb36',
   u'name': u'test-group',
   u'security_group_rules': [{u'description': u'',
     u'direction': u'ingress',
     u'ethertype': u'IPv4',
     u'id': u'8452586b-38b0-46c4-bf55-a6953887d8d5',
     u'port_range_max': 8081,
     u'port_range_min': 8080,
     u'protocol': u'tcp',
     u'remote_group_id': None,
     u'remote_ip_prefix': u'0.0.0.0/0',
     u'security_group_id': u'223c7074-e593-43f2-a0e6-f6d87ee8fb36',
     u'tenant_id': u'3307049f95b7408c95d6e84483fc995a'},
    {u'description': u'',
     u'direction': u'egress',
     u'ethertype': u'IPv4',
     u'id': u'c36445af-953d-47e4-85d2-2a6ac8fcba14',
     u'port_range_max': None,
     u'port_range_min': None,
     u'protocol': None,
     u'remote_group_id': None,
     u'remote_ip_prefix': None,
     u'security_group_id': u'223c7074-e593-43f2-a0e6-f6d87ee8fb36',
     u'tenant_id': u'3307049f95b7408c95d6e84483fc995a'},
    {u'description': u'',
     u'direction': u'egress',
     u'ethertype': u'IPv6',
     u'id': u'e230cd58-38ad-497d-8601-90e7c2745dbd',
     u'port_range_max': None,
     u'port_range_min': None,
     u'protocol': None,
     u'remote_group_id': None,
     u'remote_ip_prefix': None,
     u'security_group_id': u'223c7074-e593-43f2-a0e6-f6d87ee8fb36',
     u'tenant_id': u'3307049f95b7408c95d6e84483fc995a'}],
   u'tenant_id': u'3307049f95b7408c95d6e84483fc995a'}
]}

CREATE GROUP
{
  "event_type": "security_group.create.end",
  "payload": {
    "security_group": {
      "tenant_id": "3307049f95b7408c95d6e84483fc995a",
      "name": "test-group",
      "description": "A test security group",
      "security_group_rules": [
        {
          "remote_group_id": null,
          "direction": "egress",
          "protocol": null,
          "description": "",
          "ethertype": "IPv4",
          "remote_ip_prefix": null,
          "port_range_max": null,
          "security_group_id": "223c7074-e593-43f2-a0e6-f6d87ee8fb36",
          "port_range_min": null,
          "tenant_id": "3307049f95b7408c95d6e84483fc995a",
          "id": "c36445af-953d-47e4-85d2-2a6ac8fcba14"
        },
        {
          "remote_group_id": null,
          "direction": "egress",
          "protocol": null,
          "description": "",
          "ethertype": "IPv6",
          "remote_ip_prefix": null,
          "port_range_max": null,
          "security_group_id": "223c7074-e593-43f2-a0e6-f6d87ee8fb36",
          "port_range_min": null,
          "tenant_id": "3307049f95b7408c95d6e84483fc995a",
          "id": "e230cd58-38ad-497d-8601-90e7c2745dbd"
        }
      ],
      "id": "223c7074-e593-43f2-a0e6-f6d87ee8fb36"
    }
  },

ADD RULE
{
  "event_type": "security_group_rule.create.end",
  "payload": {
    "security_group_rule": {
      "remote_group_id": null,
      "direction": "ingress",
      "protocol": "tcp",
      "description": "",
      "ethertype": "IPv4",
      "remote_ip_prefix": "0.0.0.0/0",
      "port_range_max": 8081,
      "security_group_id": "223c7074-e593-43f2-a0e6-f6d87ee8fb36",
      "port_range_min": 8080,
      "tenant_id": "3307049f95b7408c95d6e84483fc995a",
      "id": "8452586b-38b0-46c4-bf55-a6953887d8d5"
    }
  },

DELETE RULE (note: the payload carries only the rule id, not the security group id)
{
  "event_type": "security_group_rule.delete.end",
  "payload": {
    "security_group_rule_id": "8452586b-38b0-46c4-bf55-a6953887d8d5"
  },

DELETE GROUP
{
  "event_type": "security_group.delete.end",
  "payload": {
    "security_group_id": "223c7074-e593-43f2-a0e6-f6d87ee8fb36"
  },

https://review.openstack.org/#/c/326767/

Gerrit topic: https://review.openstack.org/#q,topic:bp/neutron-security-group-plugin,n,z

Addressed by: https://review.openstack.org/326767
    Add Neutron security group plugin
