c961797ac0
Ensure that for each firstterm, we have a proper entry in the glossary: * Use <firstterm baseform="xxx"> if the first term is spelled differently than the glossary entry. * Remove some firstterm markups where no entry is in the glossary and adding one not useful. Change-Id: Id7093a53f9d466db774b548749116288425af581
288 lines
14 KiB
XML
288 lines
14 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
|
xml:id="dashboard_manage_projects_security">
|
|
<?dbhtml stop-chunking?>
|
|
<title>Manage project security</title>
|
|
<para>Security groups are sets of IP filter rules that are applied
|
|
to all project instances, and which define networking access
|
|
to the instance. Group rules are project specific; project
|
|
members can edit the default rules for their group and add new
|
|
rule sets.</para>
|
|
<para>All projects have a default security
|
|
group that is applied to any instance that has no other
|
|
defined security group. Unless you change the default, this
|
|
security group denies all incoming traffic and allows only
|
|
outgoing traffic to your instance.</para>
|
|
<note>
|
|
<para>For information about updating global controls on the
|
|
command line, see <xref
|
|
linkend="nova_cli_manage_projects_security"/>.</para>
|
|
</note>
|
|
<section xml:id="create_security_group">
|
|
<title>Create a security group</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Log in to the dashboard as a project
|
|
member.</para>
|
|
</step>
|
|
<step>
|
|
<para>On the <guilabel>Project</guilabel> tab, select
|
|
the appropriate project from the <guimenu>CURRENT
|
|
PROJECT</guimenu> drop-down list, and click
|
|
the <guimenuitem>Access &
|
|
Security</guimenuitem> category.</para>
|
|
</step>
|
|
<step>
|
|
<para>On the <guilabel>Security Groups</guilabel> tab,
|
|
click <guibutton>Create Security
|
|
Group</guibutton>.</para>
|
|
</step>
|
|
<step>
|
|
<para>Provide a name and appropriate description for
|
|
the group, and click <guibutton>Create Security
|
|
Group</guibutton>. By default, the new rule
|
|
provides outgoing access rules for the
|
|
group.</para>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section xml:id="add_security_group_rules">
|
|
<title>Add a security group rule</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Log in to the dashboard as a project
|
|
member.</para>
|
|
</step>
|
|
<step>
|
|
<para>On the <guilabel>Project</guilabel> tab, select
|
|
the appropriate project from the <guimenu>CURRENT
|
|
PROJECT</guimenu> drop-down list, and click
|
|
the <guimenuitem>Access &
|
|
Security</guimenuitem> category.</para>
|
|
</step>
|
|
<step>
|
|
<para>On the <guilabel>Security Groups</guilabel> tab,
|
|
click <guibutton>Edit rules</guibutton> for the
|
|
appropriate security group.</para>
|
|
</step>
|
|
<step>
|
|
<para>To add a rule, click <guibutton>Add
|
|
Rule</guibutton>. Set the attributes for the rule,
|
|
and click <guibutton>Add</guibutton>:</para>
|
|
<variablelist wordsize="10">
|
|
<!-- this doesn't match the UI -->
|
|
<!-- <varlistentry>
|
|
<term>Rule</term>
|
|
<listitem>
|
|
<para>The rule protocol type .
|
|
Valid types are:<itemizedlist>
|
|
<listitem>
|
|
<para><guilabel>Custom TCP
|
|
Rule</guilabel>.Typically used to
|
|
exchange data between systems, and
|
|
for end-user communication.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><guilabel>Custom UDP
|
|
Rule</guilabel>. Typically used to
|
|
exchange data between systems,
|
|
particularly at the application
|
|
level.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><guilabel>Custom ICMP
|
|
Rule</guilabel>. Typically used by
|
|
network devices (for example,
|
|
routers) to send error or
|
|
monitoring messages.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><guilabel>Other
|
|
Protocol</guilabel>. Other protocol
|
|
type (for example, SCTP, which can
|
|
be used to handle application data
|
|
at the SCTP level). Only available
|
|
for OpenStack Networking security
|
|
groups.</para>
|
|
</listitem>
|
|
</itemizedlist></para>
|
|
</listitem>
|
|
</varlistentry> -->
|
|
<varlistentry>
|
|
<term><guilabel>IP Protocol</guilabel></term>
|
|
<listitem>
|
|
<para>The IP protocol to which
|
|
the rule applies:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><guilabel>TCP</guilabel>.Typically
|
|
used to exchange data between
|
|
systems, and for end-user
|
|
communication.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><guilabel>UDP</guilabel>.
|
|
Typically used to exchange data
|
|
between systems, particularly at
|
|
the application level.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><guilabel>ICMP</guilabel>.
|
|
Typically used by network devices,
|
|
such as routers, to send error or
|
|
monitoring messages.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
</varlistentry>
|
|
<!-- not in the GUI -->
|
|
<!--<varlistentry>
|
|
<term>Direction</term>
|
|
<listitem>
|
|
<para>For OpenStack Networking. The
|
|
direction of network traffic to which
|
|
the rule applies:
|
|
<guilabel>Ingress</guilabel>
|
|
(inbound) or
|
|
<guilabel>Egress</guilabel>
|
|
(outbound).</para>
|
|
</listitem>
|
|
</varlistentry> -->
|
|
<varlistentry>
|
|
<term><guilabel>Open</guilabel></term>
|
|
<listitem>
|
|
<para>For TCP or UDP rules, the
|
|
<guilabel>Port</guilabel> or
|
|
<guilabel>Port Range</guilabel> to
|
|
open for the rule. Choose to open a
|
|
single port or range of ports.</para>
|
|
<para>For a range of ports, enter port
|
|
values in the <guilabel>From
|
|
Port</guilabel> and <guilabel>To
|
|
Port</guilabel> fields.</para>
|
|
<para>For a single port, enter the port
|
|
value in the <guilabel>Port</guilabel>
|
|
field.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<!-- not in the GUI -->
|
|
<!--<varlistentry>
|
|
<term>Type</term>
|
|
<listitem>
|
|
<para>For ICMP rules, specifies
|
|
the ICMP message that is being
|
|
passed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Code</term>
|
|
<listitem>
|
|
<para>For ICMP rules, specifies
|
|
the ICMP subtype code, which provides
|
|
further information about the
|
|
<guilabel>Type</guilabel>
|
|
message.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>IP Protocol</term>
|
|
<listitem>
|
|
<para>For OpenStack Networking. For
|
|
<guilabel>Other Protocol</guilabel>
|
|
rules, specifies the IP protocol to be
|
|
used for the rule. Specify the
|
|
protocol as an integer. See <link
|
|
xlink:href="http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"
|
|
>http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml</link>.</para>
|
|
</listitem>
|
|
</varlistentry> -->
|
|
<varlistentry>
|
|
<term><guilabel>Source</guilabel></term>
|
|
<listitem>
|
|
<para>The source of the traffic
|
|
for this rule:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><guilabel>CIDR</guilabel>
|
|
(Classless Inter-Domain Routing).
|
|
IP address block, which limits
|
|
access to IPs within the block.
|
|
Enter the CIDR in the
|
|
<guilabel>Source</guilabel>
|
|
field.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><guilabel>Security
|
|
Group</guilabel>. Source group that
|
|
enables any instance in the group
|
|
to access any other group
|
|
instance.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
</varlistentry>
|
|
<!-- not in gui -->
|
|
<!--<varlistentry>
|
|
<term>Ether Type</term>
|
|
<listitem>
|
|
<para>For OpenStack Networking. The
|
|
traffic protocol for the rule. Either
|
|
<guilabel>IPv4</guilabel> or
|
|
<guilabel>IPv6</guilabel>.</para>
|
|
</listitem>
|
|
</varlistentry> -->
|
|
</variablelist>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section xml:id="delete_security_group_rule">
|
|
<title>Delete a security group rule</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Log in to the dashboard as a project
|
|
member.</para>
|
|
</step>
|
|
<step>
|
|
<para>On the <guilabel>Project</guilabel> tab, select
|
|
the appropriate project from the <guimenu>CURRENT
|
|
PROJECT</guimenu> drop-down list, and click
|
|
the <guimenuitem>Access &
|
|
Security</guimenuitem> category.</para>
|
|
</step>
|
|
<step>
|
|
<para>On the <guilabel>Security Groups</guilabel> tab,
|
|
click <guibutton>Edit rules</guibutton> for the
|
|
appropriate security group.</para>
|
|
</step>
|
|
<step>
|
|
<para>To delete a rule, select the rule and click
|
|
<guibutton>Delete Rule</guibutton>.</para>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section xml:id="delete_security_group">
|
|
<title>Delete a security group</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Log in to the dashboard as a project
|
|
member.</para>
|
|
</step>
|
|
<step>
|
|
<para>On the <guilabel>Project</guilabel> tab, select
|
|
the appropriate project from the <guilabel>CURRENT
|
|
PROJECT</guilabel> drop-down list, and click
|
|
the <guilabel>Access & Security</guilabel>
|
|
category.</para>
|
|
</step>
|
|
<step>
|
|
<para>On the <guilabel>Security Groups</guilabel> tab,
|
|
select the appropriate group, and click
|
|
<guibutton>Delete Security
|
|
Group</guibutton>.</para>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
</section>
|