Add "remote_address_group_id" attribute to the default SG rules API

This patch adds a new parameter to the API of the default SG rules
templates API. The new parameter is called
"remote_address_group_id" and can be used to define the UUID of the remote
address group which will be referenced in default rule(s) created for
each new SG.

Additionally this patch updates the type of the "remote_ip_prefix" field in
the database. It was set by mistake to "Integer" but should be "String".

Related-bug: #1983053
Change-Id: Ieccd6e70bce6be9a16d38b25efc2774ffefe1699
Slawek Kaplonski 2023-05-16 16:12:47 +02:00
parent 73f68a1fda
commit 7600a542f7
1 changed files with 60 additions and 48 deletions


@ -79,6 +79,7 @@ Details of the API are below:
"port_range_min": null, "port_range_min": null,
"protocol": null, "protocol": null,
"remote_group_id": null, "remote_group_id": null,
"remote_address_group_id": null,
"remote_ip_prefix": null, "remote_ip_prefix": null,
"used_in_default_security_group": True "used_in_default_security_group": True
"used_in_non_default_security_group": True "used_in_non_default_security_group": True
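Review bot: The new "remote_address_group_id" key is shown only as null in this example, so a reader cannot see what a populated value looks like or how it combines with "remote_group_id" and "remote_ip_prefix" on the lines around it. Consider adding one example template that sets "remote_address_group_id" to a UUID, plus a sentence stating whether it may be set together with either of the other two remote selectors or whether the API rejects that combination.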
@ -95,6 +96,7 @@ Details of the API are below:
"port_range_min": null, "port_range_min": null,
"protocol": null, "protocol": null,
"remote_group_id": null, "remote_group_id": null,
"remote_address_group_id": null,
"remote_ip_prefix": null, "remote_ip_prefix": null,
"used_in_default_security_group": True "used_in_default_security_group": True
"used_in_non_default_security_group": True "used_in_non_default_security_group": True
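Review bot: Style nit on the example body around the added line: the new entry is written as JSON (null, trailing comma), but the context lines directly below it use Python-style True, and "used_in_default_security_group": True has no trailing comma before the next key, so the block is not valid JSON and cannot be pasted as a request or response body. Since the patch already touches every example, switching to true/false and adding the missing commas in the same pass would fix that.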
@ -111,6 +113,7 @@ Details of the API are below:
"port_range_min": null, "port_range_min": null,
"protocol": null, "protocol": null,
"remote_group_id": "PARENT", "remote_group_id": "PARENT",
"remote_address_group_id": null,
"remote_ip_prefix": null, "remote_ip_prefix": null,
"used_in_default_security_group": True "used_in_default_security_group": True
"used_in_non_default_security_group": False "used_in_non_default_security_group": False
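Review bot: Missing documentation next to "remote_group_id": "PARENT": the example does not say whether "remote_address_group_id" accepts any special value comparable to PARENT or only a concrete UUID. If only a UUID is accepted, the spec should state which project must own or be able to see that address group, because per the commit message the rule is created in each new SG. A template that points at an address group which the SG's project cannot access, or which has been deleted, needs a defined outcome (reject at template creation, skip the rule, or fail SG creation).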
@ -127,6 +130,7 @@ Details of the API are below:
"port_range_min": null, "port_range_min": null,
"protocol": null, "protocol": null,
"remote_group_id": "PARENT", "remote_group_id": "PARENT",
"remote_address_group_id": null,
"remote_ip_prefix": null, "remote_ip_prefix": null,
"used_in_default_security_group": True "used_in_default_security_group": True
"used_in_non_default_security_group": False "used_in_non_default_security_group": False
@ -143,6 +147,7 @@ Details of the API are below:
"port_range_min": 22, "port_range_min": 22,
"protocol": null, "protocol": null,
"remote_group_id": null, "remote_group_id": null,
"remote_address_group_id": null,
"remote_ip_prefix": null, "remote_ip_prefix": null,
"used_in_default_security_group": False "used_in_default_security_group": False
"used_in_non_default_security_group": True "used_in_non_default_security_group": True
@ -159,6 +164,7 @@ Details of the API are below:
"port_range_min": 22, "port_range_min": 22,
"protocol": null, "protocol": null,
"remote_group_id": null, "remote_group_id": null,
"remote_address_group_id": null,
"remote_ip_prefix": null, "remote_ip_prefix": null,
"used_in_default_security_group": False "used_in_default_security_group": False
"used_in_non_default_security_group": True "used_in_non_default_security_group": True
@ -197,6 +203,7 @@ Details of the API are below:
"port_range_min": 80, "port_range_min": 80,
"protocol": "tcp", "protocol": "tcp",
"remote_group_id": null, "remote_group_id": null,
"remote_address_group_id": null,
"remote_ip_prefix": null, "remote_ip_prefix": null,
"used_in_default_security_group": False "used_in_default_security_group": False
"used_in_non_default_security_group": True "used_in_non_default_security_group": True
@ -223,6 +230,7 @@ Details of the API are below:
"port_range_min": null, "port_range_min": null,
"protocol": null, "protocol": null,
"remote_group_id": null, "remote_group_id": null,
"remote_address_group_id": null,
"remote_ip_prefix": null, "remote_ip_prefix": null,
"used_in_default_security_group": False "used_in_default_security_group": False
"used_in_non_default_security_group": True "used_in_non_default_security_group": True
@ -242,54 +250,58 @@ DB Impact
Default security group rule DB table: Default security group rule DB table:
+------------------------+---------+------+------+---------------------------------------+ +-------------------------+---------+------+------+---------------------------------------+
| Attribute | Type | Req | CRUD | Description | | Attribute | Type | Req | CRUD | Description |
+========================+=========+======+======+=======================================+ +=========================+=========+======+======+=======================================+
| id | uuid-str| No | R | Id of default security group rule. | | id | uuid-str| No | R | Id of default security group rule. |
+------------------------+---------+------+------+---------------------------------------+ +-------------------------+---------+------+------+---------------------------------------+
| direction | String | Yes | CR | Direction in which the security group | | direction | String | Yes | CR | Direction in which the security group |
| | | | | rule is applied. | | | | | | rule is applied. |
+------------------------+---------+------+------+---------------------------------------+ +-------------------------+---------+------+------+---------------------------------------+
| ethertype | String | No | CR | Must be IPv4 or IPv6. | | ethertype | String | No | CR | Must be IPv4 or IPv6. |
+------------------------+---------+------+------+---------------------------------------+ +-------------------------+---------+------+------+---------------------------------------+
| remote_group_id | String | No | CR | The remote group UUID to associate | | remote_group_id | String | No | CR | The remote group UUID to associate |
| | | | | with this security group rule. | | | | | | with this security group rule. |
| | | | | Special value ``PARENT`` can be also | | | | | | Special value ``PARENT`` can be also |
| | | | | used and it means to always use | | | | | | used and it means to always use |
| | | | | id of the security group in which | | | | | | id of the security group in which |
| | | | | will be created with such rule. | | | | | | will be created with such rule. |
+------------------------+---------+------+------+---------------------------------------+ +-------------------------+---------+------+------+---------------------------------------+
| protocol | String | No | CR | The IP protocol can be represented by | | remote_address_group_id | String | No | CR | The remote address group UUID to |
| | | | | a string, an integer, or null. | | | | | | associate with this security group |
| | | | | Valid strings or integers are the | | | | | | rule. |
| | | | | same as for the | +-------------------------+---------+------+------+---------------------------------------+
| | | | | ``security group rule``. | | protocol | String | No | CR | The IP protocol can be represented by |
+------------------------+---------+------+------+---------------------------------------+ | | | | | a string, an integer, or null. |
| port_range_min | String | No | CR | The minimum port number in the | | | | | | Valid strings or integers are the |
| | | | | range that is matched by the security | | | | | | same as for the |
| | | | | group rule. | | | | | | ``security group rule``. |
+------------------------+---------+------+------+---------------------------------------+ +-------------------------+---------+------+------+---------------------------------------+
| port_range_max | Integer | No | CR | The maximum port number in the | | port_range_min | String | No | CR | The minimum port number in the |
| | | | | range that is matched by the security | | | | | | range that is matched by the security |
| | | | | group rule. | | | | | | group rule. |
+------------------------+---------+------+------+---------------------------------------+ +-------------------------+---------+------+------+---------------------------------------+
| remote_ip_prefix | Integer | No | CR | The remote IP prefix that is matched | | port_range_max | Integer | No | CR | The maximum port number in the |
| | | | | by this security group rule. | | | | | | range that is matched by the security |
+------------------------+---------+------+------+---------------------------------------+ | | | | | group rule. |
| standard_attr_id | Ingeger | Yes | R | Id of the associated standard | +-------------------------+---------+------+------+---------------------------------------+
| | | | | attribute record. | | remote_ip_prefix | String | No | CR | The remote IP prefix that is matched |
+------------------------+---------+------+------+---------------------------------------+ | | | | | by this security group rule. |
| used_in_default_sg | Boolean | No | CR | If it is set to ``True`` such rule | +-------------------------+---------+------+------+---------------------------------------+
| | | | | will be used in a template for the | | standard_attr_id | Ingeger | Yes | R | Id of the associated standard |
| | | | | ``default`` security group which is | | | | | | attribute record. |
| | | | | created automatically for every | +-------------------------+---------+------+------+---------------------------------------+
| | | | | project. Default value is ``False`` | | used_in_default_sg | Boolean | No | CR | If it is set to ``True`` such rule |
+------------------------+---------+------+------+---------------------------------------+ | | | | | will be used in a template for the |
| used_in_non_default_sg | Boolean | No | CR | If it is set to ``True`` such rule | | | | | | ``default`` security group which is |
| | | | | will be used in a template for the | | | | | | created automatically for every |
| | | | | every ``non default`` security group. | | | | | | project. Default value is ``False`` |
| | | | | Default value is ``False`` | +-------------------------+---------+------+------+---------------------------------------+
+------------------------+---------+------+------+---------------------------------------+ | used_in_non_default_sg | Boolean | No | CR | If it is set to ``True`` such rule |
| | | | | will be used in a template for the |
| | | | | every ``non default`` security group. |
| | | | | Default value is ``False`` |
+-------------------------+---------+------+------+---------------------------------------+
Security Impact Security Impact
--------------- ---------------
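Review bot: The Type column is still inconsistent after the "remote_ip_prefix" fix: "port_range_min" is listed as String while "port_range_max" is Integer, and "standard_attr_id" keeps the "Ingeger" typo even though all of these rows are rewritten by the re-alignment. Please correct both while the table is being touched. The new "remote_address_group_id" row should also describe how it relates to "remote_group_id" and "remote_ip_prefix" (for example, whether only one of the three may be set), since that determines which sources a default rule admits.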