Add "remote_address_group_id" attribute to the default SG rules API

This patch adds a new parameter to the API of the default SG rules
templates. The new parameter is called
"remote_address_group_id" and can be used to define the UUID of the remote
address group which will be referenced in the default rule(s) created for
each new SG.

Additionally, this patch updates the type of the "remote_ip_prefix" field in
the database. It was set by mistake to "Integer" but should be "String".

Related-bug: #1983053
Change-Id: Ieccd6e70bce6be9a16d38b25efc2774ffefe1699
Slawek Kaplonski 2023-05-16 16:12:47 +02:00
parent 73f68a1fda
commit 7600a542f7
1 changed files with 60 additions and 48 deletions

@ -79,6 +79,7 @@ Details of the API are below:
"port_range_min": null,
"protocol": null,
"remote_group_id": null,
"remote_address_group_id": null,
"remote_ip_prefix": null,
"used_in_default_security_group": True
"used_in_non_default_security_group": True
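Review bot: the sample body around the added key is not valid JSON. `"used_in_default_security_group": True` uses a Python-style literal and has no comma before the next key, while the new line correctly uses JSON `null`. Since this patch touches every example, consider switching these values to `true`/`false` and adding the missing commas so the documented bodies can be pasted into a client or a test as they are.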
@ -95,6 +96,7 @@ Details of the API are below:
"port_range_min": null,
"protocol": null,
"remote_group_id": null,
"remote_address_group_id": null,
"remote_ip_prefix": null,
"used_in_default_security_group": True
"used_in_non_default_security_group": True
@ -111,6 +113,7 @@ Details of the API are below:
"port_range_min": null,
"protocol": null,
"remote_group_id": "PARENT",
"remote_address_group_id": null,
"remote_ip_prefix": null,
"used_in_default_security_group": True
"used_in_non_default_security_group": False
@ -127,6 +130,7 @@ Details of the API are below:
"port_range_min": null,
"protocol": null,
"remote_group_id": "PARENT",
"remote_address_group_id": null,
"remote_ip_prefix": null,
"used_in_default_security_group": True
"used_in_non_default_security_group": False
@ -143,6 +147,7 @@ Details of the API are below:
"port_range_min": 22,
"protocol": null,
"remote_group_id": null,
"remote_address_group_id": null,
"remote_ip_prefix": null,
"used_in_default_security_group": False
"used_in_non_default_security_group": True
@ -159,6 +164,7 @@ Details of the API are below:
"port_range_min": 22,
"protocol": null,
"remote_group_id": null,
"remote_address_group_id": null,
"remote_ip_prefix": null,
"used_in_default_security_group": False
"used_in_non_default_security_group": True
@ -197,6 +203,7 @@ Details of the API are below:
"port_range_min": 80,
"protocol": "tcp",
"remote_group_id": null,
"remote_address_group_id": null,
"remote_ip_prefix": null,
"used_in_default_security_group": False
"used_in_non_default_security_group": True
@ -223,6 +230,7 @@ Details of the API are below:
"port_range_min": null,
"protocol": null,
"remote_group_id": null,
"remote_address_group_id": null,
"remote_ip_prefix": null,
"used_in_default_security_group": False
"used_in_non_default_security_group": True
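Review bot: documentation gap here and in the other sample rules of this patch: each one adds `"remote_address_group_id": null`, so the spec never shows the new attribute in use. Consider adding one template example that carries a UUID in `remote_address_group_id`, so readers can see what a rule referencing an address group looks like and which of the other remote fields are expected to be null next to it.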
@ -242,54 +250,58 @@ DB Impact
Default security group rule DB table:
+------------------------+---------+------+------+---------------------------------------+
| Attribute | Type | Req | CRUD | Description |
+========================+=========+======+======+=======================================+
| id | uuid-str| No | R | Id of default security group rule. |
+------------------------+---------+------+------+---------------------------------------+
| direction | String | Yes | CR | Direction in which the security group |
| | | | | rule is applied. |
+------------------------+---------+------+------+---------------------------------------+
| ethertype | String | No | CR | Must be IPv4 or IPv6. |
+------------------------+---------+------+------+---------------------------------------+
| remote_group_id | String | No | CR | The remote group UUID to associate |
| | | | | with this security group rule. |
| | | | | Special value ``PARENT`` can be also |
| | | | | used and it means to always use |
| | | | | id of the security group in which |
| | | | | will be created with such rule. |
+------------------------+---------+------+------+---------------------------------------+
| protocol | String | No | CR | The IP protocol can be represented by |
| | | | | a string, an integer, or null. |
| | | | | Valid strings or integers are the |
| | | | | same as for the |
| | | | | ``security group rule``. |
+------------------------+---------+------+------+---------------------------------------+
| port_range_min | String | No | CR | The minimum port number in the |
| | | | | range that is matched by the security |
| | | | | group rule. |
+------------------------+---------+------+------+---------------------------------------+
| port_range_max | Integer | No | CR | The maximum port number in the |
| | | | | range that is matched by the security |
| | | | | group rule. |
+------------------------+---------+------+------+---------------------------------------+
| remote_ip_prefix | Integer | No | CR | The remote IP prefix that is matched |
| | | | | by this security group rule. |
+------------------------+---------+------+------+---------------------------------------+
| standard_attr_id | Ingeger | Yes | R | Id of the associated standard |
| | | | | attribute record. |
+------------------------+---------+------+------+---------------------------------------+
| used_in_default_sg | Boolean | No | CR | If it is set to ``True`` such rule |
| | | | | will be used in a template for the |
| | | | | ``default`` security group which is |
| | | | | created automatically for every |
| | | | | project. Default value is ``False`` |
+------------------------+---------+------+------+---------------------------------------+
| used_in_non_default_sg | Boolean | No | CR | If it is set to ``True`` such rule |
| | | | | will be used in a template for the |
| | | | | every ``non default`` security group. |
| | | | | Default value is ``False`` |
+------------------------+---------+------+------+---------------------------------------+
+-------------------------+---------+------+------+---------------------------------------+
| Attribute | Type | Req | CRUD | Description |
+=========================+=========+======+======+=======================================+
| id | uuid-str| No | R | Id of default security group rule. |
+-------------------------+---------+------+------+---------------------------------------+
| direction | String | Yes | CR | Direction in which the security group |
| | | | | rule is applied. |
+-------------------------+---------+------+------+---------------------------------------+
| ethertype | String | No | CR | Must be IPv4 or IPv6. |
+-------------------------+---------+------+------+---------------------------------------+
| remote_group_id | String | No | CR | The remote group UUID to associate |
| | | | | with this security group rule. |
| | | | | Special value ``PARENT`` can be also |
| | | | | used and it means to always use |
| | | | | id of the security group in which |
| | | | | will be created with such rule. |
+-------------------------+---------+------+------+---------------------------------------+
| remote_address_group_id | String | No | CR | The remote address group UUID to |
| | | | | associate with this security group |
| | | | | rule. |
+-------------------------+---------+------+------+---------------------------------------+
| protocol | String | No | CR | The IP protocol can be represented by |
| | | | | a string, an integer, or null. |
| | | | | Valid strings or integers are the |
| | | | | same as for the |
| | | | | ``security group rule``. |
+-------------------------+---------+------+------+---------------------------------------+
| port_range_min | String | No | CR | The minimum port number in the |
| | | | | range that is matched by the security |
| | | | | group rule. |
+-------------------------+---------+------+------+---------------------------------------+
| port_range_max | Integer | No | CR | The maximum port number in the |
| | | | | range that is matched by the security |
| | | | | group rule. |
+-------------------------+---------+------+------+---------------------------------------+
| remote_ip_prefix | String | No | CR | The remote IP prefix that is matched |
| | | | | by this security group rule. |
+-------------------------+---------+------+------+---------------------------------------+
| standard_attr_id | Ingeger | Yes | R | Id of the associated standard |
| | | | | attribute record. |
+-------------------------+---------+------+------+---------------------------------------+
| used_in_default_sg | Boolean | No | CR | If it is set to ``True`` such rule |
| | | | | will be used in a template for the |
| | | | | ``default`` security group which is |
| | | | | created automatically for every |
| | | | | project. Default value is ``False`` |
+-------------------------+---------+------+------+---------------------------------------+
| used_in_non_default_sg | Boolean | No | CR | If it is set to ``True`` such rule |
| | | | | will be used in a template for the |
| | | | | every ``non default`` security group. |
| | | | | Default value is ``False`` |
+-------------------------+---------+------+------+---------------------------------------+
Security Impact
---------------
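Review bot: in the rewritten table, `port_range_min` is still typed `String` while `port_range_max` is `Integer`, which looks like the same kind of mistake the commit message describes for `remote_ip_prefix`, and `standard_attr_id` still reads `Ingeger`. Both are worth fixing while every row is being re-emitted. The new `remote_address_group_id` row should also state whether it can be set together with `remote_group_id` or `remote_ip_prefix` on one rule, and whether a special value such as `PARENT` is accepted, because a template applied to every new SG needs an unambiguous remote match.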