openstack/neutron-specs
Code Issues Proposed changes
3811187f55
neutron-specs/specs/victoria/share-security-groups-readonly.rst
Slawek Kaplonski 6efe473ccf Move share SG as read only spec to Victoria 
It was merged recently in [1] but by mistake we merged it to the
Ussuri branch.

[1] https://review.opendev.org/#/c/724207/

Change-Id: I604956217d2370b72cd6825289fac9e79fafeda3
2020-05-15 08:08:49 +00:00

71 lines
2.2 KiB
ReStructuredText
Raw Blame History

..
This work is licensed under a Creative Commons Attribution 3.0 Unported
License.
http://creativecommons.org/licenses/by/3.0/legalcode
==========================================
Allow sharing security groups as read-only
==========================================
https://bugs.launchpad.net/neutron/+bug/1875516
Allow sharing security groups as read-only.
Problem Description
===================
Currently, security groups can be shared with the rbac system, but the only
valid action is `access_as_shared`, which allows the target tenant to
create/delete (only) new rules on the security group. This works fine for
use-cases where the group should be shared in a nearly equal way.
However, some users/services may want a security group to be visible, but
read-only. A prime example of this would be to enable ProjectB to add a
security group owned by ProjectA as a remotely trusted group on their own
security group.
The immediate need for this is found in an existing Octavia patch [1]_.
Octavia would like to share the security group it creates for each
load-balancer with the load-balancer's owner, so they can open access to their
backend members for only a specific load-balancer.
Proposed Change
===============
Add a new action type for security group RBAC: `access_as_readonly`. This
action would allow the target tenant to see the shared security group with
show/list, but not create/delete new rules for it or change it in any way.
Documentation Impact
====================
Neutron documentation about sharing security groups will need to be modified to
add the action type `access_as_readonly`.
Implementation
==============
Assignee(s)
-----------
* Adam Harwell
Work Items
----------
* Add new action type `access_as_readonly`
* Documentation update in config-rbac.rst [2]_ as seen in [3]_
* Create additional tempest tests in RbacSharedSecurityGroupTest class [4]_
References
==========
.. [1] https://review.opendev.org/723735
.. [2] https://github.com/openstack/neutron/blob/master/doc/source/admin/config-rbac.rst
.. [3] https://docs.openstack.org/neutron/train/admin/config-rbac.html#sharing-a-security-group-with-specific-projects
.. [4] https://github.com/openstack/neutron-tempest-plugin/blob/master/neutron_tempest_plugin/api/test_security_groups.py
View Git Blame Copy Permalink