From d55ea74e5991dddc50212241376fb51516733873 Mon Sep 17 00:00:00 2001 From: Slawek Kaplonski Date: Thu, 15 Sep 2022 11:50:50 +0200 Subject: [PATCH] Add spec for the Default SG rules API Related-Bug: #1983053 Change-Id: Ie93c87608191366928b9e37182bc6220cbbd9d7c --- .../2023.1/configurable-default-sg-rules.rst | 336 ++++++++++++++++++ 1 file changed, 336 insertions(+) create mode 100644 specs/2023.1/configurable-default-sg-rules.rst diff --git a/specs/2023.1/configurable-default-sg-rules.rst b/specs/2023.1/configurable-default-sg-rules.rst new file mode 100644 index 000000000..4cf18c4d3 --- /dev/null +++ b/specs/2023.1/configurable-default-sg-rules.rst @@ -0,0 +1,336 @@ +.. + This work is licensed under a Creative Commons Attribution 3.0 Unported + License. + + http://creativecommons.org/licenses/by/3.0/legalcode + +============================================================================= +Configurable Security Group rules added by default to the new Security Groups +============================================================================= + +https://bugs.launchpad.net/neutron/+bug/1983053 + +Problem Description +=================== + +For every project, Neutron always creates security group called ``default``. It +is created always when first time security groups are going to be used or +requested to be listed via API. For each of such ``default`` security group +Neutron automatically creates 4 hardcoded rules. Those rules allow: + +#. all ``IPv4`` egress traffic from the port, +#. all ``IPv6`` egress traffic from the port, +#. all ``IPv4`` ingress traffic to the port incoming from other ports which are + using the same security group, +#. all ``IPv6`` ingress traffic to the port incoming from other ports which are + using the same security group. + +For any other security group created by user, Neutron automatically creates 2 +rules which allows: + +#. all ``IPv4`` egress traffic from the port, +#. all ``IPv6`` egress traffic from the port, + +There is at least couple of issues with such approach: + +* it is a known fact that the security group rules with remote_group_id (rule 3. + and 4. above) don't scale well e.g. with neutron-openvswitch-agent [1]_, +* some operators would like to define different rules to be created by + default for each new project. + +Of course, those rules created by default by Neutron can be easily removed by +the security group owner, but having possibility to define different set of +rules added automatically to each security group could make it easier for users +and administrators of the cloud. + +Proposed Change +=============== + +To solve the problem described above, proposal is to introduce new API to create +``security group rules template`` used to create new security group rules for +each new security group. +To keep backward compatibility with the existing hardcoded rules, by default +Neutron will have configured the same 4 rules as are hardcoded today (see above +for defails). Cloud admin will be able to delete those rules and create new ones +which will be then used by Neutron for every new security group. +In case when list of the ``default_security_group_rule`` is empty, new security +groups will be created without any rules created by default. + +REST API Impact +--------------- + +New API resource called ``default_security_group_rule`` will be introduced. +Details of the API are below: + +* ``GET /v2.0/default-security-group-rules`` + + List default security group rules used to create rules for every new + Security Group + + Response:: + + { + "default_security_group_rules": [ + { + "direction": "egress", + "ethertype": "IPv6", + "id": "3c0e45ff-adaf-4124-b083-bf390e5482ff", + "port_range_max": null, + "port_range_min": null, + "protocol": null, + "remote_group_id": null, + "remote_ip_prefix": null, + "used_in_default_security_group": True + "revision_number": 1, + "created_at": "2022-09-15T19:16:56Z", + "updated_at": "2022-09-15T19:16:56Z", + "description": "" + }, + { + "direction": "egress", + "ethertype": "IPv4", + "id": "93aa42e5-80db-4581-9391-3a608bd0e448", + "port_range_max": null, + "port_range_min": null, + "protocol": null, + "remote_group_id": null, + "remote_ip_prefix": null, + "used_in_default_security_group": True + "revision_number": 1, + "created_at": "2022-09-15T19:16:56Z", + "updated_at": "2022-09-15T19:16:56Z", + "description": "" + }, + { + "direction": "ingress", + "ethertype": "IPv6", + "id": "3c0e45ff-adaf-4124-b083-bf390e5482ff", + "port_range_max": null, + "port_range_min": null, + "protocol": null, + "remote_group_id": "PARENT", + "remote_ip_prefix": null, + "used_in_default_security_group": True + "revision_number": 1, + "created_at": "2022-09-15T19:16:56Z", + "updated_at": "2022-09-15T19:16:56Z", + "description": "" + }, + { + "direction": "ingress", + "ethertype": "IPv4", + "id": "93aa42e5-80db-4581-9391-3a608bd0e448", + "port_range_max": null, + "port_range_min": null, + "protocol": null, + "remote_group_id": "PARENT", + "remote_ip_prefix": null, + "used_in_default_security_group": True + "revision_number": 1, + "created_at": "2022-09-15T19:16:56Z", + "updated_at": "2022-09-15T19:16:56Z", + "description": "" + }, + { + "direction": "ingress", + "ethertype": "IPv6", + "id": "3c0e45ff-adaf-4124-b083-bf390e5482ff", + "port_range_max": 22, + "port_range_min": 22, + "protocol": null, + "remote_group_id": null, + "remote_ip_prefix": null, + "used_in_default_security_group": False + "revision_number": 1, + "created_at": "2022-09-15T19:16:56Z", + "updated_at": "2022-09-15T19:16:56Z", + "description": "Allow SSH connections over IPv6" + }, + { + "direction": "ingress", + "ethertype": "IPv4", + "id": "3c0e45ff-adaf-4124-b083-bf390e5482ff", + "port_range_max": 22, + "port_range_min": 22, + "protocol": null, + "remote_group_id": null, + "remote_ip_prefix": null, + "used_in_default_security_group": False + "revision_number": 1, + "created_at": "2022-09-15T19:16:56Z", + "updated_at": "2022-09-15T19:16:56Z", + "description": "Allow SSH connections over IPv4" + }] + } + +* ``POST /v2.0/default-security-group-rules`` + + Create default security group rule used to create rules for every new + Security Group + + Request:: + + { + "default_security_group_rule": { + "direction": "ingress", + "port_range_min": "80", + "ethertype": "IPv4", + "port_range_max": "80", + "protocol": "tcp", + } + } + + Response:: + + { + "default_security_group_rule": { + "direction": "ingress", + "ethertype": "IPv4", + "id": "2bc0accf-312e-429a-956e-e4407625eb62", + "port_range_max": 80, + "port_range_min": 80, + "protocol": "tcp", + "remote_group_id": null, + "remote_ip_prefix": null, + "used_in_default_security_group": False + "revision_number": 1, + "created_at": "2022-09-15T19:16:56Z", + "updated_at": "2022-09-15T19:16:56Z", + "description": "" + } + } + +* ``GET /v2.0/default-security-group-rules/{rule_id}`` + + Show default security group rule used to create rules for every new + Security Group + + Response:: + + { + "security_group_rule": { + "direction": "egress", + "ethertype": "IPv6", + "id": "3c0e45ff-adaf-4124-b083-bf390e5482ff", + "port_range_max": null, + "port_range_min": null, + "protocol": null, + "remote_group_id": null, + "remote_ip_prefix": null, + "used_in_default_security_group": False + "revision_number": 1, + "created_at": "2022-09-15T19:16:56Z", + "updated_at": "2022-09-15T19:16:56Z", + } + } + +* ``DELETE /v2.0/default-security-group-rules/{rule_id}`` + + Delete default security group rule used to create rules for every new + Security Group + +DB Impact +--------- + +Default security group rule DB table: + ++--------------------+---------+------+------+---------------------------------------+ +| Attribute | Type | Req | CRUD | Description | ++====================+=========+======+======+=======================================+ +| id | uuid-str| No | R | Id of default security group rule. | ++--------------------+---------+------+------+---------------------------------------+ +| direction | String | Yes | CR | Direction in which the security group | +| | | | | rule is applied. | ++--------------------+---------+------+------+---------------------------------------+ +| ethertype | String | No | CR | Must be IPv4 or IPv6. | ++--------------------+---------+------+------+---------------------------------------+ +| remote_group_id | String | No | CR | The remote group UUID to associate | +| | | | | with this security group rule. | +| | | | | Special value ``PARENT`` can be also | +| | | | | used and it means to always use | +| | | | | id of the security group in which | +| | | | | will be created with such rule. | ++--------------------+---------+------+------+---------------------------------------+ +| protocol | String | No | CR | The IP protocol can be represented by | +| | | | | a string, an integer, or null. | +| | | | | Valid strings or integers are the | +| | | | | same as for the | +| | | | | ``security group rule``. | ++--------------------+---------+------+------+---------------------------------------+ +| port_range_min | String | No | CR | The minimum port number in the | +| | | | | range that is matched by the security | +| | | | | group rule. | ++--------------------+---------+------+------+---------------------------------------+ +| port_range_max | Integer | No | CR | The maximum port number in the | +| | | | | range that is matched by the security | +| | | | | group rule. | ++--------------------+---------+------+------+---------------------------------------+ +| remote_ip_prefix | Integer | No | CR | The remote IP prefix that is matched | +| | | | | by this security group rule. | ++--------------------+---------+------+------+---------------------------------------+ +| standard_attr_id | Ingeger | Yes | R | Id of the associated standard | +| | | | | attribute record. | ++--------------------+---------+------+------+---------------------------------------+ +| used_in_default_sg | Boolean | No | CR | If it is set to ``True`` such rule | +| | | | | will be used in a template for the | +| | | | | ``default`` security group which is | +| | | | | created automatically for every | +| | | | | project. Default value is ``False`` | ++--------------------+---------+------+------+---------------------------------------+ + +Security Impact +--------------- + +New API will be by default available only for the admin users. + + +Performance Impact +------------------ + +None + + +Implementation +============== + +Assignee(s) +----------- + +Primary assignee: + Slawek Kaplonski (IRC: slaweq) + +Work Items +---------- + +* REST API update. + +* DB schema update. + +* Security Group DB code update. + +* CLI update. + +* Documentation. + +* Tests and CI related changes. + +Testing +======= + +* Unit Test +* API test + + +Documentation Impact +==================== + +User Documentation +------------------ + +New API must be documented in the Neutron API reference document. + + +References +========== + +.. [1] https://etherpad.opendev.org/p/openstack-networking-train-ptg#L348