openstack-manuals/doc/user-guide-admin/section_dashboard_admin_manage_projects_security.xml
Chandan kumar b1b61b700a Added Complete Doc conventions to user-guide-admin.
Change-Id: I1c9a4d1a20a0dacf88fab705a0226ed1f7a39a8f
Closes-Bug: #1121866
2013-12-11 10:09:38 +05:30

288 lines
14 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="dashboard_manage_projects_security">
<?dbhtml stop-chunking?>
<title>Manage project security</title>
<para>Security groups are sets of IP filter rules that are applied
to all project instances, and which define networking access
to the instance. Group rules are project specific; project
members can edit the default rules for their group and add new
rule sets.</para>
<para>All projects have a <firstterm>default</firstterm> security
group that is applied to any instance that has no other
defined security group. Unless you change the default, this
security group denies all incoming traffic and allows only
outgoing traffic to your instance.</para>
<note>
<para>For information about updating global controls on the
command line, see <xref
linkend="nova_cli_manage_projects_security"/>.</para>
</note>
<section xml:id="create_security_group">
<title>Create a security group</title>
<procedure>
<step>
<para>Log in to the dashboard as a project
member.</para>
</step>
<step>
<para>On the <guilabel>Project</guilabel> tab, select
the appropriate project from the <guimenu>CURRENT
PROJECT</guimenu> drop-down list, and click
the <guimenuitem>Access &amp;
Security</guimenuitem> category.</para>
</step>
<step>
<para>On the <guilabel>Security Groups</guilabel> tab,
click <guibutton>Create Security
Group</guibutton>.</para>
</step>
<step>
<para>Provide a name and appropriate description for
the group, and click <guibutton>Create Security
Group</guibutton>. By default, the new rule
provides outgoing access rules for the
group.</para>
</step>
</procedure>
</section>
<section xml:id="add_security_group_rules">
<title>Add a security group rule</title>
<procedure>
<step>
<para>Log in to the dashboard as a project
member.</para>
</step>
<step>
<para>On the <guilabel>Project</guilabel> tab, select
the appropriate project from the <guimenu>CURRENT
PROJECT</guimenu> drop-down list, and click
the <guimenuitem>Access &amp;
Security</guimenuitem> category.</para>
</step>
<step>
<para>On the <guilabel>Security Groups</guilabel> tab,
click <guibutton>Edit rules</guibutton> for the
appropriate security group.</para>
</step>
<step>
<para>To add a rule, click <guibutton>Add
Rule</guibutton>. Set the attributes for the rule,
and click <guibutton>Add</guibutton>:</para>
<variablelist wordsize="10">
<!-- this doesn't match the UI -->
<!-- <varlistentry>
<term>Rule</term>
<listitem>
<para>The rule protocol type .
Valid types are:<itemizedlist>
<listitem>
<para><guilabel>Custom TCP
Rule</guilabel>.Typically used to
exchange data between systems, and
for end-user communication.</para>
</listitem>
<listitem>
<para><guilabel>Custom UDP
Rule</guilabel>. Typically used to
exchange data between systems,
particularly at the application
level.</para>
</listitem>
<listitem>
<para><guilabel>Custom ICMP
Rule</guilabel>. Typically used by
network devices (for example,
routers) to send error or
monitoring messages.</para>
</listitem>
<listitem>
<para><guilabel>Other
Protocol</guilabel>. Other protocol
type (for example, SCTP, which can
be used to handle application data
at the SCTP level). Only available
for OpenStack Networking security
groups.</para>
</listitem>
</itemizedlist></para>
</listitem>
</varlistentry> -->
<varlistentry>
<term><guilabel>IP Protocol</guilabel></term>
<listitem>
<para>The IP protocol to which
the rule applies:</para>
<itemizedlist>
<listitem>
<para><guilabel>TCP</guilabel>.Typically
used to exchange data between
systems, and for end-user
communication.</para>
</listitem>
<listitem>
<para><guilabel>UDP</guilabel>.
Typically used to exchange data
between systems, particularly at
the application level.</para>
</listitem>
<listitem>
<para><guilabel>ICMP</guilabel>.
Typically used by network devices,
such as routers, to send error or
monitoring messages.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<!-- not in the GUI -->
<!--<varlistentry>
<term>Direction</term>
<listitem>
<para>For OpenStack Networking. The
direction of network traffic to which
the rule applies:
<guilabel>Ingress</guilabel>
(inbound) or
<guilabel>Egress</guilabel>
(outbound).</para>
</listitem>
</varlistentry> -->
<varlistentry>
<term><guilabel>Open</guilabel></term>
<listitem>
<para>For TCP or UDP rules, the
<guilabel>Port</guilabel> or
<guilabel>Port Range</guilabel> to
open for the rule. Choose to open a
single port or range of ports.</para>
<para>For a range of ports, enter port
values in the <guilabel>From
Port</guilabel> and <guilabel>To
Port</guilabel> fields.</para>
<para>For a single port, enter the port
value in the <guilabel>Port</guilabel>
field.</para>
</listitem>
</varlistentry>
<!-- not in the GUI -->
<!--<varlistentry>
<term>Type</term>
<listitem>
<para>For ICMP rules, specifies
the ICMP message that is being
passed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Code</term>
<listitem>
<para>For ICMP rules, specifies
the ICMP subtype code, which provides
further information about the
<guilabel>Type</guilabel>
message.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IP Protocol</term>
<listitem>
<para>For OpenStack Networking. For
<guilabel>Other Protocol</guilabel>
rules, specifies the IP protocol to be
used for the rule. Specify the
protocol as an integer. See <link
xlink:href="http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"
>http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml</link>.</para>
</listitem>
</varlistentry> -->
<varlistentry>
<term><guilabel>Source</guilabel></term>
<listitem>
<para>The source of the traffic
for this rule:</para>
<itemizedlist>
<listitem>
<para><guilabel>CIDR</guilabel>
(Classless Inter-Domain Routing).
IP address block, which limits
access to IPs within the block.
Enter the CIDR in the
<guilabel>Source</guilabel>
field.</para>
</listitem>
<listitem>
<para><guilabel>Security
Group</guilabel>. Source group that
enables any instance in the group
to access any other group
instance.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<!-- not in gui -->
<!--<varlistentry>
<term>Ether Type</term>
<listitem>
<para>For OpenStack Networking. The
traffic protocol for the rule. Either
<guilabel>IPv4</guilabel> or
<guilabel>IPv6</guilabel>.</para>
</listitem>
</varlistentry> -->
</variablelist>
</step>
</procedure>
</section>
<section xml:id="delete_security_group_rule">
<title>Delete a security group rule</title>
<procedure>
<step>
<para>Log in to the dashboard as a project
member.</para>
</step>
<step>
<para>On the <guilabel>Project</guilabel> tab, select
the appropriate project from the <guimenu>CURRENT
PROJECT</guimenu> drop-down list, and click
the <guimenuitem>Access &amp;
Security</guimenuitem> category.</para>
</step>
<step>
<para>On the <guilabel>Security Groups</guilabel> tab,
click <guibutton>Edit rules</guibutton> for the
appropriate security group.</para>
</step>
<step>
<para>To delete a rule, select the rule and click
<guibutton>Delete Rule</guibutton>.</para>
</step>
</procedure>
</section>
<section xml:id="delete_security_group">
<title>Delete a security group</title>
<procedure>
<step>
<para>Log in to the dashboard as a project
member.</para>
</step>
<step>
<para>On the <guilabel>Project</guilabel> tab, select
the appropriate project from the <guilabel>CURRENT
PROJECT</guilabel> drop-down list, and click
the <guilabel>Access &amp; Security</guilabel>
category.</para>
</step>
<step>
<para>On the <guilabel>Security Groups</guilabel> tab,
select the appropriate group, and click
<guibutton>Delete Security
Group</guibutton>.</para>
</step>
</procedure>
</section>
</section>