Security groups management in Sahara
Requiring a default security group with all ports open is not acceptable for
production use. Sahara needs a more flexible way to work with security groups.
Currently Sahara doesn’t manage security groups and uses the default security group for
The solution will consist of several parts:
- Allow the user to specify a list of security groups for each node group.
- Add support for automatic security group creation. Sahara knows everything
needed to create a security group with the required ports open. In the first
iteration this will be a security group with all exposed ports open to all networks.
Creation of security groups by Sahara could be done in several ways. Ideally
Sahara should support separation between different networks and configuration
of what to allow and what not to allow.
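As an added illustration (not code from Sahara or from this spec), the sketch below turns a list of ports reported for a node group into Neutron-style ingress rules, defaulting to the first-iteration behaviour of opening them to all networks and optionally restricting them to given CIDRs. The function names, the allowed_cidrs parameter and the sample port list are assumptions made for the example.

```python
import ipaddress

OPEN_TO_ALL = "0.0.0.0/0"  # first-iteration behaviour described in the spec


def merge_ports(ports):
    """Collapse a port list into sorted inclusive (min, max) ranges."""
    ranges = []
    for port in sorted(set(ports)):
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid TCP port: {port}")
        if ranges and port == ranges[-1][1] + 1:
            # Adjacent to the previous range: extend it instead of adding a rule.
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def build_ingress_rules(ports, allowed_cidrs=(OPEN_TO_ALL,)):
    """Return Neutron-style ingress rule dicts for one node group (hypothetical helper)."""
    rules = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
        for low, high in merge_ports(ports):
            rules.append({
                "direction": "ingress",
                "ethertype": f"IPv{net.version}",
                "protocol": "tcp",
                "port_range_min": low,
                "port_range_max": high,
                "remote_ip_prefix": str(net),
            })
    return rules


# Constructed sample: ports a plugin might report for a node group.
SAMPLE_PORTS = [22, 8020, 50070, 50075, 50010, 8021, 8020]

if __name__ == "__main__":
    # Restricted variant: only the constructed management network may connect.
    for rule in build_ingress_rules(SAMPLE_PORTS, ["10.0.0.0/24"]):
        print(rule)
```

Passing an explicit CIDR list instead of the default is where the separation between networks mentioned above would plug in.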
Data model impact
- The list of security groups needs to be saved in each node group.
- A flag indicating that one of the security groups was created by Sahara.
- The list of ports to be opened. It needs to be stored somewhere to provide
this information to the provisioning engine.
REST API impact
Requests to create a cluster, node group, cluster template and node group
template will be extended to accept the security groups to use. An option for
automatic security group creation will also be added.
Other end user impact
In some cases there will be no need to configure the default security group.
The plugin SPI will be extended with a method to return the required ports for node
Sahara-dashboard / Horizon impact
A new field to select a security group in all create screens.
Andrew Lazarev (alazarev)
- Allow the user to specify security groups for a node group
- Implement the ability for Sahara to create security groups
Both items require the following steps:
- Implement in both engines (heat and direct engine)
- Test for nova network and neutron
- Update documentation
- Update UI
- Create integration test
The feature needs to be covered by integration tests for both the engine and the UI.
The feature needs to be documented.