Security groups for RedDwarf

Registered by Michael Basnight

Brief Overview:
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
End users don't currently have a way to configure Security Groups and Security Group Rules on RedDwarf guest instances. We propose creating a simple implementation of Security Group Rules on the basis of the following guidelines:

1. This functionality will be implemented as an extension to RedDwarf (paralleling the Security Groups implementation as an extension in Nova).

2. We will create a new security group for every guest instance created, such that there is a 1-1 mapping between the security group and the guest instance.

3. Users will not be able to manage these security groups directly, but we will extend the RedDwarf API so that they will be able to add and delete rules from this security group.

This design allows for a simple starting implementation that is extensible to provide further advanced functionality as deemed necessary.

Extension to RedDwarf API:
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
The extended RedDwarf API would look like:

1. GET /security-groups:
    Lists all of the security groups, with details of which instances they are attached to.

2. GET /security-groups-rules/{secgroup-id}:
    Lists details of the specific security group with id {secgroup-id}, including which instance it is attached to and details of the security group rules that it contains.

3. POST /security-group-rules:
    Takes information about the security group and the rule in the POST body, and creates a security group rule within the specified security group.

4. DELETE /security-group-rules/{sec-group-rule-id}:
    Deletes the security group rule corresponding to {sec-group-rule-id}.
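
The guidelines and API operations above, modelled in memory as an added example (not RedDwarf's or the extension's own code). The class and method names, the rule fields (protocol, from_port, to_port, cidr), the tcp/udp restriction and the per-tenant ownership check are all assumptions, since the blueprint does not specify the POST body or the authorization model.

```python
import ipaddress
import itertools
from dataclasses import dataclass, field

@dataclass
class SecurityGroup:
    id: int
    tenant_id: str
    instance_id: str
    rules: dict = field(default_factory=dict)   # rule id -> rule tuple

class SecurityGroupStore:                       # hypothetical stand-in for the extension
    def __init__(self):
        self._groups = {}                       # group id -> SecurityGroup
        self._by_instance = {}                  # instance id -> group id (1-1 mapping)
        self._ids = itertools.count(1)

    def create_instance(self, tenant_id, instance_id):
        # Guideline 2: the service, not the user, creates one group per instance.
        if instance_id in self._by_instance:
            raise ValueError("instance already has a security group")
        group = SecurityGroup(next(self._ids), tenant_id, instance_id)
        self._groups[group.id] = group
        self._by_instance[instance_id] = group.id
        return group

    def list_groups(self, tenant_id):           # GET /security-groups (assumed tenant-scoped)
        return [g for g in self._groups.values() if g.tenant_id == tenant_id]

    def add_rule(self, tenant_id, group_id, protocol, from_port, to_port, cidr):
        # POST /security-group-rules: validate everything before storing anything.
        group = self._groups.get(group_id)
        if group is None or group.tenant_id != tenant_id:
            # Same error either way, so another tenant's group id is not confirmed.
            raise LookupError("security group not found")
        if protocol not in ("tcp", "udp"):
            raise ValueError("unsupported protocol")
        if not (1 <= from_port <= to_port <= 65535):
            raise ValueError("invalid port range")
        network = ipaddress.ip_network(cidr, strict=True)  # rejects host bits and garbage
        rule_id = next(self._ids)
        group.rules[rule_id] = (protocol, from_port, to_port, str(network))
        return rule_id

    def delete_rule(self, tenant_id, rule_id):  # DELETE /security-group-rules/{sec-group-rule-id}
        for group in self.list_groups(tenant_id):
            if group.rules.pop(rule_id, None) is not None:
                return
        raise LookupError("rule not found")
```

Because users never create or delete groups in this design, the only write paths to check are add_rule and delete_rule, and both resolve the group through the caller's tenant before touching a rule.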

Future Scenarios:
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
Note that this blueprint calls only for the simple implementation described above, but it can be extended further to provide the following:

a. A separate API for end users to be able to create, delete and manage their own security groups so that it is possible for instances to share security groups.

b. An API for a default set of rules (per tenant) so that any security groups that we create are pre-populated with these intelligent defaults.

c. With some further work, group security group rules can also be implemented (similar to Nova's implementation).

Blueprint information

Status: Complete
Approver: Nikhil Manchanda
Priority: High
Drafter: Nikhil Manchanda
Direction: Approved
Assignee: Nikhil Manchanda
Definition: Approved
Series goal: Accepted for grizzly
Implementation: Implemented
Milestone target: None
Started by: Nikhil Manchanda
Completed by: Nikhil Manchanda

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/security-groups,n,z

Addressed by: https://review.openstack.org/23161
    Added support for Security Groups via a new extension.
