Allow sharing security groups as read-only

Problem Description

Currently, security groups can be shared through the RBAC system, but the only valid action is access_as_shared, which allows the target tenant to create and delete rules on the security group (and nothing else). This works well for use cases where the group should be shared with nearly the same privileges the owner has.

However, some users or services may want a security group to be visible to another project but read-only. A prime example is enabling ProjectB to reference a security group owned by ProjectA as a remote (trusted) group in a rule on ProjectB's own security group.

The immediate need for this comes from an existing Octavia patch [1]. Octavia would like to share the security group it creates for each load balancer with the load balancer's owner, so that the owner can open access to their backend members for only that specific load balancer.

Proposed Change

Add a new action type for security group RBAC: access_as_readonly. This action would allow the target tenant to see the shared security group via show/list, but not to create or delete rules on it or to change it in any other way.
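To make the difference between the two actions concrete, the following is an added example (not Neutron code) that models the owner, access_as_shared and proposed access_as_readonly semantics, and walks through the Octavia use case from the problem description. The class, method and project names are constructed for illustration.

```python
# Added example (not Neutron code): a toy model of the proposed RBAC actions.
ACCESS_AS_SHARED = "access_as_shared"      # existing: target may view and add/delete rules
ACCESS_AS_READONLY = "access_as_readonly"  # proposed: target may only show/list the group


class SecurityGroupRbac:

    def __init__(self):
        self.groups = {}    # sg_id -> {"project_id": owner, "rules": [...]}
        self.entries = []   # (sg_id, target_project, action); "*" targets every project

    def create_group(self, sg_id, project_id):
        self.groups[sg_id] = {"project_id": project_id, "rules": []}

    def share(self, sg_id, target_project, action):
        if action not in (ACCESS_AS_SHARED, ACCESS_AS_READONLY):
            raise ValueError(f"unknown rbac action {action!r}")
        self.entries.append((sg_id, target_project, action))

    def _granted(self, sg_id, project):
        return {a for s, t, a in self.entries if s == sg_id and t in (project, "*")}

    def can_view(self, project, sg_id):
        return self.groups[sg_id]["project_id"] == project or bool(self._granted(sg_id, project))

    def can_edit_rules(self, project, sg_id):
        return self.groups[sg_id]["project_id"] == project or ACCESS_AS_SHARED in self._granted(sg_id, project)

    def list_groups(self, project):
        return sorted(s for s in self.groups if self.can_view(project, s))

    def add_rule(self, project, sg_id, direction, remote_group_id=None):
        if not self.can_edit_rules(project, sg_id):
            raise PermissionError(f"{project} may not change rules of {sg_id}")
        # Naming a remote group only requires visibility, so a read-only share is enough.
        if remote_group_id is not None and not self.can_view(project, remote_group_id):
            raise PermissionError(f"{project} cannot see remote group {remote_group_id}")
        rule = {"direction": direction, "remote_group_id": remote_group_id}
        self.groups[sg_id]["rules"].append(rule)
        return rule


def octavia_scenario():
    """Constructed walk-through of the load-balancer use case: tenant may trust lb-sg."""
    rbac = SecurityGroupRbac()
    rbac.create_group("lb-sg", "octavia")        # created by the service for one LB
    rbac.create_group("backend-sg", "tenant")    # owned by the load balancer's owner
    rbac.share("lb-sg", "tenant", ACCESS_AS_READONLY)
    rbac.add_rule("tenant", "backend-sg", "ingress", remote_group_id="lb-sg")
    return rbac
```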

Documentation Impact

Neutron documentation about sharing security groups will need to be modified to add the action type access_as_readonly.

Assignee(s)

  • Adam Harwell

Work Items

  • Add new action type access_as_readonly

  • Documentation update in config-rbac.rst [2] as seen in [3]

  • Create additional tempest tests in the RbacSharedSecurityGroupTest class [4]