Allow sharing security groups as read-only¶
Allow sharing security groups as read-only.
Currently, security groups can be shared with the rbac system, but the only valid action is access_as_shared, which allows the target tenant to create/delete (only) new rules on the security group. This works fine for use-cases where the group should be shared in a nearly equal way.
However, some users/services may want a security group to be visible, but read-only. A prime example of this would be to enable ProjectB to add a security group owned by ProjectA as a remotely trusted group on their own security group.
The immediate need for this is found in an existing Octavia patch 1. Octavia would like to share the security group it creates for each load-balancer with the load-balancer’s owner, so they can open access to their backend members for only a specific load-balancer.
Add a new action type for security group RBAC: access_as_readonly. This action would allow the target tenant to see the shared security group with show/list, but not create/delete new rules for it or change it in any way.
Neutron documentation about sharing security groups will need to be modified to add the action type access_as_readonly.