Hi, > When firewall_driver is set to NoopFirwallDriver in Neutron agent, > uses can create security group and its rules, but no packet filtering > is enforced. > If neutron security group is enabled, users should expect packet > filtering is enabled > I think this behavior is confusing from Neutron API perspective, > and if no packet filtering is enforced, we cannot say security group > feature is provided. > This is the background of the change.
In my thoughts there are three players here, the developer, the administrator and the users (close to what is the API perspective in your terms). If the administrator decides to use the noop implementation of an API and he does not tell his users this is the case, that's definitely confusing for the users. If the administrator wants to use the noop implementation and instead of getting a noop behaviour the whole extension disappears that's also confusing, but for the administrator. I also get that an API user typically does not know the configuration against his code will run. The noop implementation cannot be turned on accidentally. The administrator has to do it for whatever reason - likely debugging as you mentioned. I believe it's not the developer's responsibility to protect the users from the administrator's intentional configuration decision. Anyway I can live with the other proposed alternatives too. I just wanted to point out that for me the current behavior was the surprising one. And also wanted to connect the discussion to its origins. Thanks, Bence _______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
