Merge "Added project security groups/rules information."

Jenkins 2013-10-02 06:42:54 +00:00 committed by Gerrit Code Review
commit 7f07cf00e3
4 changed files with 364 additions and 1 deletion

View File

@ -0,0 +1,181 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="dashboard_manage_projects_security">
<?dbhtml stop-chunking?>
<title>Manage project security</title>
<para>Security groups are sets of IP filter rules that are applied to all project instances, and
which define networking access to the instance. Group rules are project specific; project
members can edit the default rules for their group and add new rule sets.</para>
<para>All projects have a "default" security group which is applied to any instance that has no
other defined security group. Unless you change the default, this security group denies all
incoming traffic and allows only outgoing traffic to your instance.</para>
<note><para>For information about updating global controls on the command line, see
<xref linkend="nova_cli_manage_projects_security"/>.</para></note>
<procedure>
<title>Create a Security Group</title>
<step>
<para>Log in to the OpenStack dashboard as a project member.</para>
</step>
<step><para>On the <guilabel>Project</guilabel> tab, select the appropriate
project from the <guilabel>CURRENT PROJECT</guilabel> drop-down
list, and click the <guilabel>Access &amp; Security</guilabel>
category.</para>
</step>
<step>
<para>On the <guilabel>Security Groups</guilabel> tab, click the <guibutton>Create
Security Group</guibutton> button.</para>
</step>
<step><para>Provide the group with a name and a relevant description, click <guibutton>Create
Security Group</guibutton>. By default, the new rule provides outgoing access
rules for the group.</para>
</step>
</procedure>
<procedure>
<title>Update Security Group Rules</title>
<step>
<para>Log in to the OpenStack dashboard as a project member.</para>
</step>
<step>
<para>On the <guilabel>Project</guilabel> tab, select the appropriate project from the
<guilabel>CURRENT PROJECT</guilabel> drop-down list, and click the
<guilabel>Access &amp; Security</guilabel> category.</para>
</step>
<step>
<para>On the <guilabel>Security Groups</guilabel> tab, click the relevant group's
<guibutton>Edit rules</guibutton> button: <itemizedlist>
<listitem>
<para>To delete a rule, select the rule's check box, and click
<guilabel>Delete Rule</guilabel>.</para>
</listitem>
<listitem>
<para>To add a new rule, click <guibutton>Add Rule</guibutton>. Update the rule fields
using the following rule descriptions, and click <guilabel>Add</guilabel>.</para>
<para>
<table frame="void">
<caption>Rule Fields</caption>
<col width="14%"/>
<col width="76%"/>
<col width="10%"/>
<thead>
<tr>
<th>Field Name</th>
<th>Description</th>
<th>Network</th>
</tr>
</thead>
<tbody>
<tr>
<td>Rule</td>
<td><para>Rule protocol type. Valid types are:<itemizedlist>
<listitem>
<para>Custom TCP Rule - Typically used to exchange data
between systems, and for end-user communication.</para>
</listitem>
<listitem>
<para>Custom UDP Rule - Typically used to exchange data
between systems, particularly at the application
level.</para>
</listitem>
<listitem>
<para>Custom ICMP Rule - Typically used by network devices
(for example, routers) to send error or monitoring
messages.</para>
</listitem>
<listitem>
<para>Other Protocol - Other protocol type (for
example, SCTP, which can be used to handle
application data at the SCTP level). Only
available for OpenStack Networking security
groups.</para>
</listitem>
</itemizedlist></para></td>
<td>Compute / OpenStack Networking</td>
</tr>
<tr>
<td>Direction</td>
<td>Direction of network traffic to which the rule applies: 'Ingress'
(inbound) or 'Egress' (outbound).</td>
<td>OpenStack Networking</td>
</tr>
<tr>
<td>Open Port</td>
<td>For TCP or UDP rules, specifies the <guilabel>Port</guilabel> or
<guilabel>Port Range</guilabel> to be opened for the rule.</td>
<td>Compute / OpenStack Networking</td>
</tr>
<tr>
<td>Port / From Port / To Port</td>
<td>For TCP or UDP rules, specifies the specific local port,
or a range of local ports, for incoming or outgoing
traffic.</td>
<td>Compute / OpenStack Networking</td>
</tr>
<tr>
<td>Type</td>
<td>For ICMP rules, specifies the ICMP message that is being passed.</td>
<td>Compute / OpenStack Networking</td>
</tr>
<tr>
<td>Code</td>
<td>For ICMP rules, specifies the ICMP subtype code, which provides
further information about the <guilabel>Type</guilabel>
message.</td>
<td>Compute / OpenStack Networking</td>
</tr>
<tr>
<td>IP Protocol</td>
<td>For 'Other Protocol' rules, specifies the IP protocol to
be used for the rule. The protocol must be specified as
an integer (see <link
xlink:href="http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"
>http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml</link>).</td>
<td>OpenStack Networking</td>
</tr>
<tr>
<td>Remote</td>
<td><para>Traffic source for the rule:
<itemizedlist>
<listitem>
<para><guilabel>CIDR</guilabel> (Classless Inter-Domain
Routing) - IP address block, which limits access to IPs
within the block.</para>
</listitem>
<listitem>
<para><guilabel>Security Group</guilabel> - Source Group
which allows any instance in the group to access any
other group instance.</para>
</listitem>
</itemizedlist></para></td>
<td>Compute / OpenStack Networking</td>
</tr>
<tr>
<td>Ether Type</td>
<td>Traffic protocol to be used for the rule ('IPv4' or 'IPv6').</td>
<td>OpenStack Networking</td>
</tr>
</tbody>
</table>
</para>
</listitem>
</itemizedlist></para>
</step>
</procedure>
<procedure>
<title>Delete a Security Group</title>
<step>
<para>Log in to the OpenStack dashboard as a project member.</para>
</step>
<step>
<para>On the <guilabel>Project</guilabel> tab, select the appropriate project from the
<guilabel>CURRENT PROJECT</guilabel> drop-down list, and click the
<guilabel>Access &amp; Security</guilabel> category.</para>
</step>
<step>
<para>On the <guilabel>Security Groups</guilabel> tab, select the
relevant group's check box, and click the <guibutton>Delete
Security Group</guibutton> button.</para>
</step>
</procedure>
</section>
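Review bot: the opening paragraph says security group rules are "applied to all project instances", which contradicts the paragraph right after it (the "default" group is applied only to instances that have no other defined security group); rules apply only to the instances a group is attached to, so please reword that sentence. In the last step of "Create a Security Group", "By default, the new rule provides outgoing access rules for the group" should read "the new group": a freshly created group carries only the default egress rules, no rule has been added yet. In the "Rule Fields" table the "Network" column header does not say what the column holds; its values ("Compute / OpenStack Networking", "OpenStack Networking") are the backends that support each field, so "Supported by" or "Backend" would be clearer, and the "Open Port" and "Port / From Port / To Port" rows describe the same fields twice and could be merged. The "Remote" row calls the field "Traffic source for the rule" and describes "Security Group" as "Source Group which allows any instance in the group to access any other group instance"; a source-group rule admits traffic from instances that belong to the named group into instances carrying the group being edited, and for an Egress rule (which this same table lists as OpenStack Networking only) the remote CIDR or group is the destination, not the source, so the description should cover both directions.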

View File

@ -295,4 +295,5 @@
</step>
</procedure>
</section>
<xi:include href="section_dashboard_admin_manage_projects_security.xml"/>
</section>
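Review bot: the included file is named section_dashboard_admin_manage_projects_security.xml, but the section it carries has xml:id "dashboard_manage_projects_security" and every procedure in it opens with "Log in to the OpenStack dashboard as a project member", so the "admin" in the file name is misleading; consider renaming it to match the id (section_dashboard_manage_projects_security.xml) before other files start referencing it.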

View File

@ -98,7 +98,7 @@ keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b</userinput>
<title>Create a tenant (project)</title>
<para>A tenant is a group of zero or more users. In nova, a
tenant owns virtual machines. In swift, a tenant owns
containers. In the Dashboard, tenants are represented as projects.
containers. In the Dashboard, tenants are represented as projects.
Users can be associated with more than one tenant.
Each tenant and user pairing can have a role associated with
it.</para>
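Review bot: the only change visible in this hunk is the line "containers. In the Dashboard, tenants are represented as projects." appearing twice with identical text, so this looks like a whitespace-only touch that is unrelated to the commit's stated purpose; if that is all it is, it could be dropped from this change, and if something else changed on that line it is not discernible in the rendering and deserves a mention in the commit message.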
@ -380,4 +380,5 @@ keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b</userinput>
</procedure>
</section>
</section>
<xi:include href="section_nova_cli_manage_projects_security.xml"/>
</section>

View File

@ -0,0 +1,180 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="nova_cli_manage_projects_security">
<?dbhtml stop-chunking?>
<title>Manage project security</title>
<para>Security groups are sets of IP filter rules that are applied to all project instances, and
which define networking access to the instance. Group rules are project specific; project
members can edit the default rules for their group and add new rule sets.</para>
<para>All projects have a "default" security group which is applied to any instance that has no
other defined security group. Unless you change the default, this security group denies all
incoming traffic and allows only outgoing traffic to your instance.</para>
<para>
<note>
<para>For information about updating rules using the dashboard, see <xref
linkend="dashboard_manage_projects_security"/>.</para>
</note>
</para>
<para>You can use the <code>allow_same_net_traffic</code> option in the
<filename>/etc/nova/nova.conf</filename> file to globally control whether the rules
applies to hosts which share a network.</para>
<para>If set to:</para>
<para>
<itemizedlist>
<listitem>
<para><code>True</code> (default), hosts on the same subnet are not filtered and are allowed to
pass all types of traffic between them. On a flat network, this allows all
instances from all projects unfiltered communication. With VLAN networking, this
allows access between instances within the same project. You can also simulate
this setting by configuring the default security group to allow all traffic from
the subnet.</para>
</listitem>
<listitem>
<para><code>False</code>, security groups are enforced for all connections.</para>
</listitem>
</itemizedlist>
</para>
<para>Additionally, the number of maximum rules per security group is controlled by the
<code>security_group_rules</code> and the number of allowed security groups
per project is controlled by the <code>security_groups</code> quota (see <xref
linkend="cli_set_quotas"/>).</para>
<procedure>
<title>List and view current security groups</title>
<para>From the command line you can get a list of security groups for the project you're
acting in using the nova command:</para>
<step>
<para>Ensure your system variables are set for the user and tenant for which you are
checking security group rules. For example:
<programlisting>export OS_USERNAME=demo00
export OS_TENANT_NAME=tenant01</programlisting></para>
</step>
<step>
<para>Output security groups, as follows:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-list</userinput>
<computeroutput>+---------+-------------+
| Name | Description |
+---------+-------------+
| default | default |
| open | all ports |
+---------+-------------+</computeroutput></screen>
</step>
<step>
<para>View the details of a group, as follows:</para>
<para>
<screen><prompt>$</prompt> <userinput>nova secgroup-list-rules <replaceable>groupName</replaceable></userinput></screen>
</para>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-list-rules open</userinput>
<computeroutput>+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | -1 | 255 | 0.0.0.0/0 | |
| tcp | 1 | 65535 | 0.0.0.0/0 | |
| udp | 1 | 65535 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+ </computeroutput></screen>
<para>These rules are all "allow" type rules as the default is deny. The first column is
the IP protocol (one of icmp, tcp, or udp) the second and third columns specify the
affected port range. The third column specifies the IP range in CIDR format. This
example shows the full port range for all protocols allowed from all IPs.</para>
</step>
</procedure>
<procedure>
<title>Create a security group</title>
<para>When adding a new security group, you should pick a descriptive but brief name. This
name shows up in brief descriptions of the instances that use it where the longer
description field often does not. For example, seeing that an instance is using security
group "http" is much easier to understand than "bobs_group" or "secgrp1".</para>
<step>
<para>Ensure your system variables are set for the user and tenant for which you are
checking security group rules.</para>
</step>
<step>
<para>Add the new security group, as follows:</para>
<para>
<screen><prompt>$</prompt> <userinput>nova secgroup-create <replaceable>GroupName Description</replaceable></userinput></screen>
</para>
<para>For example:</para>
<para>
<screen><prompt>$</prompt> <userinput>nova secgroup-create global_http "Allows Web traffic anywhere on the Internet."</userinput>
<computeroutput>+--------------------------------------+-------------+----------------------------------------------+
| Id | Name | Description |
+--------------------------------------+-------------+----------------------------------------------+
| 1578a08c-5139-4f3e-9012-86bd9dd9f23b | global_http | Allows Web traffic anywhere on the Internet. |
+--------------------------------------+-------------+----------------------------------------------+</computeroutput></screen>
</para>
</step>
<step>
<para>Add a new group rule, as follows:</para>
<para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule <replaceable>secGroupName ip-protocol from-port to-port CIDR</replaceable></userinput></screen>
</para>
<para>The arguments are positional, and the "from-port" and "to-port" arguments specify
the local port range connections are allowed to access, not the source and
destination ports of the connection. For example:</para>
<para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule global_http tcp 80 80 0.0.0.0/0</userinput>
<computeroutput>+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 80 | 80 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+</computeroutput></screen>
</para>
<para>You can create complex rule sets by creating additional rules. For example, if you
want to pass both http and https traffic, run:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule global_http tcp 443 443 0.0.0.0/0</userinput>
<computeroutput>+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 443 | 443 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+</computeroutput></screen>
<para>Despite only outputting the newly added rule, this operation is additive (both
rules are created and enforced).</para>
</step>
<step>
<para>View all rules for the new security group, as follows:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-list-rules global_http</userinput>
<computeroutput>+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 80 | 80 | 0.0.0.0/0 | |
| tcp | 443 | 443 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+</computeroutput></screen>
</step>
</procedure>
<procedure>
<title>Delete a Security Group</title>
<step>
<para>Ensure your system variables are set for the user and tenant for which you are
deleting a security group.</para>
</step>
<step>
<para>Delete the new security group, as follows:</para>
<para>
<screen><prompt>$</prompt> <userinput>nova secgroup-delete <replaceable>GroupName</replaceable></userinput></screen>
</para>
<para>For example:</para>
<para>
<screen><prompt>$</prompt> <userinput>nova secgroup-create global_http</userinput></screen>
</para>
</step>
</procedure>
<procedure>
<title>Create security group rules for a cluster of instances</title>
<para>SourceGroups are a special, dynamic way of defining the CIDR of allowed sources. The user
specifies a SourceGroup (Security Group name), and all the users' other Instances using the
specified SourceGroup are selected dynamically. This alleviates the need for individual
rules to allow each new member of the cluster.</para>
<step><para>Ensure your system variables are set for the user and tenant for which you are
deleting a security group.</para></step>
<step><para>Add a source group, as follows:</para>
<para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-group-rule <replaceable>secGroupName source-group ip-protocol from-port to-port</replaceable></userinput></screen>
</para>
<para>For example:</para>
<programlisting><prompt>$</prompt> nova secgroup-add-group-rule cluster global-http tcp 22 22</programlisting>
<para>The <code>cluster</code> rule allows ssh access from any other
instance that uses the <code>global-http</code> group.</para>
</step>
</procedure>
</section>
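Review bot: the "Delete a Security Group" example runs the wrong command: under "For example:" the line "nova secgroup-create global_http" should be "nova secgroup-delete global_http", matching the synopsis two lines above it; as written it would try to create a group with no description rather than delete one. In the cluster procedure, "nova secgroup-add-group-rule cluster global-http tcp 22 22" and the sentence after it refer to "global-http" (hyphen) while the group created earlier in the file is "global_http" (underscore); the names must agree or the command fails on an unknown source group. The first step of both "Create a security group" and "Create security group rules for a cluster of instances" was copied from neighbouring procedures ("for which you are checking security group rules", "for which you are deleting a security group") and should describe the action actually being performed. In the explanation following "nova secgroup-list-rules open", "The third column specifies the IP range in CIDR format" should be "fourth column" (the columns are IP Protocol, From Port, To Port, IP Range, Source Group). Two smaller points: "whether the rules applies to hosts which share a network" should read "whether the rules apply", and the cluster example is marked up as <programlisting> with a bare prompt while every other command in the file uses <screen> with <prompt>/<userinput>; please make it consistent so the rendered output looks the same.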