Security groups management in Sahara
Requiring a default security group with all ports open is not acceptable for production use. Sahara needs a more flexible way to work with security groups.
Currently Sahara doesn't manage security groups and uses the default security group when provisioning instances.
The solution will consist of several parts:
* Allow the user to specify a list of security groups for each node group.
* Add support for automatic security group creation. Sahara knows everything needed to create a security group with the required ports open. In the first iteration this will be a security group with all exposed ports open for all networks.
Security groups could be created by Sahara in several ways. Ideally, Sahara should support separation between different networks and configuration of what is allowed and what is not.
Data model impact
* The list of security groups needs to be saved in each node group.
* A flag indicating that one of the security groups is created by Sahara.
* The list of ports to be opened. It needs to be stored somewhere so that this information can be provided to the provisioning engine.
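An added example (not Sahara's code) of how the three stored items above could be turned into a provisioning plan. The dictionary keys `security_groups`, `auto_security_group` and `open_ports`, the `auto-` group name and the sample ports are assumptions; the rule keys follow Neutron's security group rule attributes. It goes beyond the first iteration by accepting a CIDR list, so the all-networks default can be narrowed.

```python
import ipaddress


def build_ingress_rules(open_ports, cidrs=("0.0.0.0/0",), protocol="tcp"):
    """Turn a node group's required ports into ingress rule dicts.

    The default CIDR mirrors the spec's first iteration (open to all
    networks); pass narrower CIDRs to separate networks.
    """
    ports = sorted(set(open_ports))
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("port out of range: %r" % (ports,))
    # ip_network() rejects malformed CIDRs and ones with host bits set.
    nets = [str(ipaddress.ip_network(c)) for c in cidrs]
    ranges = []
    for port in ports:  # collapse consecutive ports into one range
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1][1] = port
        else:
            ranges.append([port, port])
    return [
        {"direction": "ingress", "protocol": protocol,
         "port_range_min": lo, "port_range_max": hi,
         "remote_ip_prefix": net}
        for lo, hi in ranges for net in nets
    ]


def plan_node_group(node_group, cidrs=("0.0.0.0/0",)):
    """Return (security group names, rules for the auto-created group)."""
    groups = list(node_group.get("security_groups") or [])
    rules = []
    if node_group.get("auto_security_group"):
        groups.append("auto-" + node_group["name"])  # hypothetical name
        rules = build_ingress_rules(node_group["open_ports"], cidrs)
    return groups, rules


# Constructed sample node group; ports and names are illustrative only.
SAMPLE = {"name": "workers", "security_groups": ["ssh-from-bastion"],
          "auto_security_group": True,
          "open_ports": [50075, 8042, 50010, 8041, 8042]}

if __name__ == "__main__":
    groups, rules = plan_node_group(SAMPLE, cidrs=["10.0.0.0/24"])
    print(groups)
    for rule in rules:
        print(rule)
```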
REST API impact
Requests to create a cluster, node group, cluster template and node group template will be extended to accept the security groups to use. An option for automatic security group creation will also be added.
Other end user impact
In some cases there will be no need to configure the default security group.
The plugin SPI will be extended with a method to return the required ports for a node group.
Sahara-dashboard / Horizon impact
A new field to select a security group in all create screens.
Primary Assignee: Andrew Lazarev (alazarev)
* Allow the user to specify security groups for a node group
* Implement the ability for Sahara to create security groups
Both items require the following steps:
* Implement in both engines (heat and direct engine)
* Test for nova network and neutron
* Create an integration test
The feature needs to be covered by integration tests for both the engine and the UI.
The feature needs to be documented.