Thank you for your response.

> That's a fair point. But I think it's because you're not expected to
> run as admin, and having a way to drop the group as admin can be of
> value for e.g. debugging or cleaning up after some bugs [1].

You’re right. Regenerate logic seems strange to me. But I’m not sure the logic must be fixed.

> This is because original neutron/nova authors thought that following
> the AWS way [2] is essential for project success.
>
> Since [3], neutron allows default group to be renamed. Though nova
> still assumes 'default' is the only way the group can be named [4].

I got it. It may be worth fixing.

Thanks,
Hirofumi

2015/02/24 2:00, Ihar Hrachyshka <[email protected]>:

> On 02/20/2015 11:45 AM, Hirofumi Ichihara wrote:
>> Neutron experts,
>>
>> I caught a bug report[1].
>>
>> Currently, Neutron enables admin to delete default security group.
>> But Neutron doesn’t allow default security group to keep deleted.
>> Neutron regenerates default security group as security group api is
>> called next.
>
> I actually believe the design is unfortunate, and instead of this,
> keystone would better notify services about new tenant, and services
> would create resources like default security groups for them. AFAIK
> keystone does not notify at the moment, so we had few options.
> Speaking of current design, ...
>
>> I have two questions about the behavior.
>>
>> 1. Why does Neutron regenerate default security group? If default
>> security group is essential, we shouldn’t enable admin to delete
>> it.
>
> That's a fair point. But I think it's because you're not expected to
> run as admin, and having a way to drop the group as admin can be of
> value for e.g. debugging or cleaning up after some bugs [1].
>
>> 2. Why is security group named “default” essential? Users may want
>> to change its name.
>>
>
> This is because original neutron/nova authors thought that following
> the AWS way [2] is essential for project success.
>
> Since [3], neutron allows default group to be renamed. Though nova
> still assumes 'default' is the only way the group can be named [4].
>
> [1]: https://bugs.launchpad.net/neutron/+bug/1194579
> [2]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group
> [3]: http://git.openstack.org/cgit/openstack/neutron/commit/?id=79c97120de9cff4d0992b5d41ff4bbf05e890f89
> [4]: https://git.openstack.org/cgit/openstack/nova/tree/nova/compute/api.py#n1074
>
> /Ihar
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [email protected]?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
