+1.  This sounds like a bug. FYI there are some issues related to adding source 
group rules that specify ports that need to be fixed.  We have also discussed 
whether or not the same group should be allow-all by default. In ec2 it does.  
I personally like having it explicit like this, but I don't know if it is 
confusing to people coming from other clouds.

Vish

On Nov 28, 2011, at 8:32 PM, Hookway, Ray wrote:

> I would like to be able to create a security group rule which allows 
> communication between VMs within the group. Using the EC2 API this can be 
> done as follows:
>  
> rjh@cloud1:~$ euca-describe-groups
> GROUP rjhproject  default     default
> PERMISSION  rjhproject  default     ALLOWS      tcp   22    22    FROM  CIDR  
> 0.0.0.0/0
> PERMISSION  rjhproject  default     ALLOWS      icmp  -1    -1    FROM  CIDR  
> 0.0.0.0/0
> PERMISSION  rjhproject  default     ALLOWS      tcp   80    80    GRPNAME     
> default
> rjh@cloud1:~$ euca-add-group -d 'permissive group' rjhgroup
> GROUP rjhgroup    permissive group
> rjh@cloud1:~$ euca-authorize -o rjhgroup rjhgroup
> rjhgroup rjhgroup None tcp None None 0.0.0.0/0
> GROUP rjhgroup
> PERMISSION  rjhgroup    ALLOWS      tcp   GRPNAME     rjhgroup    FROM  CIDR  
> 0.0.0.0/0
> rjh@cloud1:~$ euca-describe-groups
> GROUP rjhproject  default     default
> PERMISSION  rjhproject  default     ALLOWS      tcp   22    22    FROM  CIDR  
> 0.0.0.0/0
> PERMISSION  rjhproject  default     ALLOWS      icmp  -1    -1    FROM  CIDR  
> 0.0.0.0/0
> PERMISSION  rjhproject  default     ALLOWS      tcp   80    80    GRPNAME     
> default
> GROUP rjhproject  rjhgroup    permissive group
> PERMISSION  rjhproject  rjhgroup    ALLOWS      icmp  -1    -1    GRPNAME     
> rjhgroup
> PERMISSION  rjhproject  rjhgroup    ALLOWS      tcp   1     65535 GRPNAME     
> rjhgroup
> PERMISSION  rjhproject  rjhgroup    ALLOWS      udp   1     65536 GRPNAME     
> rjhgroup
>  
> So, it looks like security groups support the notion of a group with rules 
> that mention the group containing the rule as a source. However, the 
> security_groups.py extension contains an explicit check that the source group 
> id is not the same as the parent group id. Why is this done? I would like to 
> remove this restriction allowing rules to be created similar to the one 
> created above using EC2. Any objections?
>  
> -Ray Hookway (rjh)
>  
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
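A constructed Python model of the two things Ray's listing shows: the parent-group check in the extension and what a self-referencing rule actually admits once it exists. This is an added example, not nova's security_groups.py; the group ids, member IPs and the allow_self_reference flag are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed data model; field names are assumptions, not nova's schema.
@dataclass(frozen=True)
class Rule:
    protocol: str                    # "tcp", "udp" or "icmp"
    from_port: int                   # -1 on icmp means "all types"
    to_port: int
    cidr: Optional[str] = None       # CIDR source ...
    group_id: Optional[int] = None   # ... or source security group (GRPNAME)

@dataclass
class SecurityGroup:
    id: int
    name: str
    rules: list = field(default_factory=list)
    members: set = field(default_factory=set)  # IPs of instances in the group

def add_rule(group, rule, allow_self_reference):
    """The check Ray asks about: reject a rule whose source group is the group
    being edited. With allow_self_reference=True the EC2-style rule goes in."""
    if rule.group_id == group.id and not allow_self_reference:
        raise ValueError("source group must differ from parent group")
    group.rules.append(rule)

def allows(group, src_ip, protocol, port, groups):
    """True if any rule in `group` admits traffic from src_ip on protocol/port.
    A GRPNAME rule matches only sources that are members of that group."""
    for r in group.rules:
        if r.protocol != protocol:
            continue
        if protocol != "icmp" and not (r.from_port <= port <= r.to_port):
            continue
        if r.cidr and ip_address(src_ip) in ip_network(r.cidr):
            return True
        if r.group_id is not None and src_ip in groups[r.group_id].members:
            return True
    return False

def build_example():
    """rjhgroup with the self-referencing tcp 1-65535 rule from Ray's listing."""
    g = SecurityGroup(2, "rjhgroup", members={"10.0.0.5", "10.0.0.6"})
    add_rule(g, Rule("tcp", 1, 65535, group_id=g.id), allow_self_reference=True)
    return {g.id: g}

def self_reference_rejected():
    """Same rule against a group with the extension's restriction in force."""
    g = SecurityGroup(3, "restricted")
    try:
        add_rule(g, Rule("tcp", 1, 65535, group_id=g.id), allow_self_reference=False)
    except ValueError:
        return True
    return False
```

With the rule in place, members reach each other on any TCP port while an address outside the group is still refused, which is the intra-group behaviour Ray wants and the reason an explicit rule (rather than an allow-all default) keeps the scope visible.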
