Bug 1763942

Summary: [RFE] Change default admin security group rules that applied to new projects
Product: Red Hat OpenStack Reporter: Brendan Shephard <bshephar>
Component: openstack-neutron Assignee: OSP Team <rhos-maint>
Status: CLOSED DUPLICATE QA Contact: Eran Kuris <ekuris>
Severity: low Docs Contact:
Priority: unspecified    
Version: 13.0 (Queens) CC: chrisw, scohen, skaplons
Target Milestone: --- Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Unspecified   
Last Closed: 2023-07-24 10:23:19 UTC Type: Bug

Description Brendan Shephard 2019-10-22 02:31:09 UTC
Description of problem:
When creating a new project, we apply a default security group rule. This RFE is requesting the ability to modify those default rules. It looks like this has been discussed before:
https://bugzilla.redhat.com/show_bug.cgi?id=125845

Version-Release number of selected component (if applicable):
RHOSP13

How the feature would work?
Allow the user to create a security group that will be applied by default to all new projects

Actual Results:
When you create a new project, it gets a default egress any any allow and ingress any any deny

Expected results:
Allow for customization of these defaults. Maybe by allowing a user to create a security group and set it as the default SG to be applied to new projects?

Additional info:
I saw the previous discussion about FWaaS. But would it be easier to just flag an already configured SG as the project's default one and copy it to new projects?

If my research is correct, we create the defaults here: https://github.com/openstack/neutron/blob/stable/queens/neutron/db/securitygroups_db.py#L105-L122

On a scale of 1 to difficult, where would we rate adding a check for a new field - let's call it project_default_sg?

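# Hypothetical helper: find a security group flagged as the project default
project_default_sg = check_each_sg_for_project_default_sg()

if project_default_sg:
    # Read the flagged group's rules and add them to the new project's group
    sg_defaults = read_sg_rules_from_default(project_default_sg)
    sg.rules.extend(sg_defaults)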

Happy for some feedback on this one. We can make it an RFE for Train or something if that makes more sense and I'll submit it upstream as well.
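
Added example, not part of the original report and not Neutron code: a self-contained model of the copy-from-template idea described above, showing the two checks a copy needs (remapping a self-referencing remote group, and refusing rules that point at another group). The project_default_sg flag, the dict layout, the helper names and the sample data are all assumptions made for illustration.

```python
import uuid

def _rule(direction, ethertype="IPv4", protocol=None, ports=None, cidr=None, group=None):
    return {"direction": direction, "ethertype": ethertype, "protocol": protocol,
            "port_range": ports, "remote_ip_prefix": cidr, "remote_group_id": group}

# Built-in behaviour as described in this report: egress allowed, no ingress rules
# (security groups are allow-lists, so no ingress rule means ingress is denied).
BUILTIN_DEFAULTS = [_rule("egress", "IPv4"), _rule("egress", "IPv6")]

# Constructed sample: a group flagged with the hypothetical project_default_sg field.
TEMPLATE_SG = {"id": "sg-template", "project_id": "admin", "project_default_sg": True,
               "rules": [_rule("egress"),
                         _rule("ingress", protocol="tcp", ports=(22, 22), cidr="10.0.0.0/8"),
                         _rule("ingress", group="sg-template")]}

def find_project_default_sg(security_groups):
    """Return the single flagged template group, or None if nothing is flagged."""
    flagged = [sg for sg in security_groups if sg.get("project_default_sg")]
    if len(flagged) > 1:
        raise ValueError("more than one group is flagged project_default_sg")
    return flagged[0] if flagged else None

def build_default_sg(project_id, security_groups):
    """Build the 'default' group for a new project from the template or built-ins."""
    new_sg = {"id": str(uuid.uuid4()), "project_id": project_id,
              "name": "default", "rules": []}
    template = find_project_default_sg(security_groups)
    for rule in (template["rules"] if template else BUILTIN_DEFAULTS):
        copied = dict(rule)  # copy, so the template itself is never modified
        remote = copied["remote_group_id"]
        if template and remote == template["id"]:
            # "Members of this group" must mean the new group, not the template.
            copied["remote_group_id"] = new_sg["id"]
        elif remote is not None:
            # Copying a reference to some other group would trust a foreign project.
            raise ValueError(f"rule references foreign group {remote}")
        new_sg["rules"].append(copied)
    return new_sg

if __name__ == "__main__":
    for r in build_default_sg("project-a", [TEMPLATE_SG])["rules"]:
        print(r)
```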

Comment 5 Slawek Kaplonski 2023-07-24 10:23:19 UTC

*** This bug has been marked as a duplicate of bug 1258455 ***