Bug 1635892

Summary: loadbalancer listener requires security group customization
Product: Red Hat OpenStack
Reporter: Jeremy <jmelvin>
Component: openstack-octavia
Assignee: Luis Tomas Bolivar <ltomasbo>
Status: CLOSED CURRENTRELEASE
QA Contact: Alexander Stafeyev <astafeye>
Severity: high
Priority: high
Version: 13.0 (Queens)
CC: amuller, astafeye, bcafarel, cgoncalves, ihrachys, jmelvin, jschluet, lpeer, ltomasbo, majopela, mariel, nyechiel, ojanas
Target Milestone: z4
Keywords: RFE, TestOnly, Triaged, ZStream
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-octavia-2.0.2-4.el7ost
Doc Type: Enhancement
Doc Text:
Octavia previously assigned the Octavia project ID to the security group associated with the VIP and VRRP Amphora ports. This prevented the user from restricting access to the load balancer. This fix adds the option to change SG ownership to belong to the user project (for certain whitelisted projects), which enables the user to refine access policies for the load balancers.
Story Points: ---
Clone Of: 1626377
Last Closed: 2019-01-17 11:34:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1626377
Bug Blocks: 1623855, 1629573

Description Jeremy 2018-10-03 20:40:12 UTC
+++ This bug was initially created as a clone of Bug #1626377 +++

When creating a listener for an octavia loadbalancer, for example opening port 80, it opens that port for access from everywhere by creating a security group that allows that traffic from 0.0.0.0/0.

However, it may be needed to just enable access to that port from a given subnet or from pods with a given security group, similarly to how it is done with VMs. Currently it is not possible to do so, as the security group generated for the listener/loadbalancer does not belong to the tenant that created the loadbalancer but to the admin.

There are several ways in which this could be fixed:
- Creating loadbalancer resources within the tenant instead (perhaps only the VIP port and the associated security group will be enough).
- Extending the listener creation API to include extra options similar to what security groups have.
- Adding the option in Octavia for the tenant who created the amphora to add extra security groups to it, which will allow extra customization of access to the loadbalancer.
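An offline audit of the kind of security group the report describes (listener port open from 0.0.0.0/0, group owned by the service project rather than the tenant), added here as an example and not code from the Octavia project or from this report. The rule dictionaries follow the Neutron API field names, the sample group is constructed, and `allowed_cidr` is a hypothetical policy input naming the only source prefix the tenant wants to admit.

```python
# Offline audit of a Neutron security group guarding a load-balancer VIP port.
from ipaddress import ip_network

WORLD_PREFIXES = {"0.0.0.0/0", "::/0"}

def rule_covers_port(rule, port):
    """True if the rule's port range includes `port` (None/None means all ports)."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None and hi is None:
        return True
    return (lo if lo is not None else 0) <= port <= (hi if hi is not None else 65535)

def audit_listener_sg(sg, listener_ports, tenant_project_id, allowed_cidr=None):
    """Findings: ("sg_not_tenant_owned", owner) when the tenant cannot edit the SG,
    ("world_open", port, rule_id) for ingress from any address, and
    ("broader_than_allowed", port, prefix) when a source is outside allowed_cidr."""
    findings = []
    if sg["project_id"] != tenant_project_id:
        findings.append(("sg_not_tenant_owned", sg["project_id"]))
    for rule in sg["security_group_rules"]:
        # Only TCP (or any-protocol) ingress can expose an HTTP/HTTPS listener.
        if rule["direction"] != "ingress" or rule.get("protocol") not in (None, "tcp"):
            continue
        prefix = rule.get("remote_ip_prefix")
        for port in listener_ports:
            if not rule_covers_port(rule, port):
                continue
            if prefix in WORLD_PREFIXES or (prefix is None and rule.get("remote_group_id") is None):
                findings.append(("world_open", port, rule["id"]))
            elif allowed_cidr and prefix:
                try:
                    inside = ip_network(prefix).subnet_of(ip_network(allowed_cidr))
                except TypeError:  # mixed IPv4/IPv6 prefixes can never be nested
                    inside = False
                if not inside:
                    findings.append(("broader_than_allowed", port, prefix))
    return findings

def restricted_rule(port, cidr):
    """Rule body that replaces a world-open rule with one scoped to `cidr`."""
    ethertype = "IPv6" if ip_network(cidr).version == 6 else "IPv4"
    return {"direction": "ingress", "ethertype": ethertype, "protocol": "tcp",
            "port_range_min": port, "port_range_max": port, "remote_ip_prefix": cidr}

# Constructed sample: SG owned by the service project, port 80 open to the world on v4 and v6.
SAMPLE_SG = {"id": "sg-vip-constructed", "project_id": "octavia-service-project",
    "security_group_rules": [
        {"id": "r1", "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
         "port_range_min": 80, "port_range_max": 80, "remote_ip_prefix": "0.0.0.0/0"},
        {"id": "r2", "direction": "ingress", "ethertype": "IPv6", "protocol": "tcp",
         "port_range_min": 80, "port_range_max": 80, "remote_ip_prefix": "::/0"}]}
```

Running `audit_listener_sg(SAMPLE_SG, [80], "tenant-project")` reports the ownership mismatch plus both world-open rules, which is exactly the state the tenant could not correct before the fix.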

Comment 30 Lon Hohberger 2019-01-17 11:34:05 UTC
According to our records, this should be resolved by openstack-octavia-2.0.2-4.el7ost.  This build is available now.

Comment 31 Carlos Goncalves 2019-06-17 10:07:36 UTC
*** Bug 1720214 has been marked as a duplicate of this bug. ***