)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":11737,"name":"David Pineau","email":"dav.pineau@gmail.com","username":"Joachim"},"change_message_id":"4c134aede674bf714ba1cd2a5743a6fe8820cca6","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"f7e4de97_8f95ffee","updated":"2024-08-29 15:37:38.000000000","message":"Hello,\n\nI\u0027ve added as reviewers the contributors that showed interest in the proposal during the august 23rd neutron drivers meeting on IRC.","commit_id":"415bc2f89095b0d6d3a106a41a187c1bfa9c0caf"},{"author":{"_account_id":11737,"name":"David Pineau","email":"dav.pineau@gmail.com","username":"Joachim"},"change_message_id":"ced71a1431c37f99c0e1de2e1accfc7649be457e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"f4847e32_c03aa5f0","in_reply_to":"f7e4de97_8f95ffee","updated":"2024-09-02 08:47:18.000000000","message":"Done","commit_id":"415bc2f89095b0d6d3a106a41a187c1bfa9c0caf"},{"author":{"_account_id":11737,"name":"David Pineau","email":"dav.pineau@gmail.com","username":"Joachim"},"change_message_id":"ced71a1431c37f99c0e1de2e1accfc7649be457e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"a54784e4_c1a0e16e","updated":"2024-09-02 08:47:18.000000000","message":"I\u0027ll act on the comments, and answered on them to provide additional context/questions accordingly.\n\nIf anything mentioned in these comments should make it into the spec, please feel free to mention it.","commit_id":"63c029d4cb11d14cbe2a1edc2efd6803877ab823"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"03ba7b0c64ab0958e26ad52fd22a1454b79be102","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"d17f91e8_d7ac009c","updated":"2024-09-02 10:19:07.000000000","message":"Before continuing with this spec, I would like to discuss what is the expected goal or the scope 
of the RFE. Reading the LP bug, the context is:\n* An external network (always created by an admin).\n* Some VMs on this network (the ports will be hosted by this network). These ports will belong to non-admin users.\n\nThe goal is to prevent the VMs to communicate each other. In order to achieve that, the admin wants to define a set of SG rules that should apply to all ports attached to this network.\n\nAt this point, this is something doable right now by:\n* The admin can disallow a non-admin user from modifying the SG attached to a port. That means the port will be created with a default SG that cannot be deleted nor changed by the non-admin user. This user cannot either add a new SG to this port. All of this just using a RBAC policy.\n* Add a RBAC policy to the external network to be accessible as shared (to allow a non-admin user to create a port on this network)\n* By default, when a port is created, the project default SG group is assigned. The admin can block a non-admin user from modifying any SG rule in a project.\n* The default SG rules can be modified since [1]. 
That means any time a new project is created and then its default SG, the rules created inside will follow the template defined by the admin.\n\nNext Friday I\u0027ll present this comment into the drivers meeting, recommending not to implement this feature.\n\n[1]https://review.opendev.org/c/openstack/neutron/+/883246","commit_id":"6ad4b8019a9fe1a5300178d1a6137c3fd1db7c6b"},{"author":{"_account_id":11737,"name":"David Pineau","email":"dav.pineau@gmail.com","username":"Joachim"},"change_message_id":"3a68fcd539e082f68ef8a7c616fb0a4f57d77d81","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"f5673901_9b086c7e","updated":"2024-10-30 15:48:58.000000000","message":"Note that on our side, the project has been paused to prioritize other matters, though I should get back to this subject in the next few months.","commit_id":"6ad4b8019a9fe1a5300178d1a6137c3fd1db7c6b"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"bdfad2b39e8e1527762406b33b1ab52b7f65a4a9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"c276da1e_9e20ba1c","updated":"2024-10-28 13:19:58.000000000","message":"This should be in specs/2025.1 directory not train.","commit_id":"6ad4b8019a9fe1a5300178d1a6137c3fd1db7c6b"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"680517adda6ef082ffd7736073124bad76510b0f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"c634cddb_8f768edb","updated":"2024-11-04 14:42:30.000000000","message":"recheck\nlet\u0027s have freshly generated doc","commit_id":"6ad4b8019a9fe1a5300178d1a6137c3fd1db7c6b"},{"author":{"_account_id":11737,"name":"David 
Pineau","email":"dav.pineau@gmail.com","username":"Joachim"},"change_message_id":"f82ffe33a3e784c862e5cdb202e6ace19818a21e","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"f6f593b3_4e8f1986","in_reply_to":"d17f91e8_d7ac009c","updated":"2024-09-02 16:46:14.000000000","message":"As I understand, this implies the following constraints:\n - default SG must be edited to fit one specific network\u0027s needs\n - Policies on SG association to a port do not exist at the moment, and must be added (one liner, granted, but still unavailable as is, and was subject to become another contribution)\n\nThe limitations I\u0027ve originally encountered that led me towards this approach:\n - A port cannot be pre-provisioned by the admin, and used by a non-admin user in a non-admin project.\n - I did not want to change the default security group, as I only wanted to affect this one specific network, and did not know whether changing the default SG was doable on a per-network basis.\n\nWhat I do not know at the moment, having not checked it, but seems to go against your counter-proposal:\n - Whether the default SG of a network can be different from the default SG of another network. 
From the CLI, I\u0027m under the impression that this cannot be a per-network setting, but a global one instead (which has no meaning in any usecase, nor in our original context).\n - How an admin is supposed to prevent SG edits via RBAC\n\nI will be available on Friday for further discussion with the Neutron Driver team if it is necessary, but I\u0027m also available to discuss this proposal at length, should you be available and interested.","commit_id":"6ad4b8019a9fe1a5300178d1a6137c3fd1db7c6b"},{"author":{"_account_id":11737,"name":"David Pineau","email":"dav.pineau@gmail.com","username":"Joachim"},"change_message_id":"d06aa836dc9014beac980846168a5caac5fa73ab","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"afd03025_5ed86f5b","in_reply_to":"f6f593b3_4e8f1986","updated":"2024-09-06 15:07:46.000000000","message":"Proposal clarified in the Meeting.\n\nWe\u0027ll be testing that, and act accordingly here, resuming work, or cancelling the proposal.","commit_id":"6ad4b8019a9fe1a5300178d1a6137c3fd1db7c6b"}],"specs/train/network-security-groups.rst":[{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f1d277a40173a6267e8e7c39ec7835c9a8dc778d","unresolved":true,"context_lines":[{"line_number":126,"context_line":"* Update of the SecurityGroup extension:"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"   * extend the API to include the ``security_groups`` field into the"},{"line_number":129,"context_line":"     ``Network`` input schemas"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"* Update of the ``Network`` object:"},{"line_number":132,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"82c17e17_e3933f34","line":129,"updated":"2024-09-02 07:34:44.000000000","message":"this needs to be done via new API extension, not by updating existing 
one","commit_id":"63c029d4cb11d14cbe2a1edc2efd6803877ab823"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"ebf70351ae136d71c6dca299da45ef1a50e59b8c","unresolved":true,"context_lines":[{"line_number":126,"context_line":"* Update of the SecurityGroup extension:"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"   * extend the API to include the ``security_groups`` field into the"},{"line_number":129,"context_line":"     ``Network`` input schemas"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"* Update of the ``Network`` object:"},{"line_number":132,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"279d7330_6a415f08","line":129,"in_reply_to":"4a8a42b5_c8e0556d","updated":"2024-11-18 09:00:19.000000000","message":"you need a new extension like this one:\nhttps://opendev.org/openstack/neutron-lib/src/branch/master/neutron_lib/api/definitions/project_default_networks.py\n\nand you have to enable it for the given plugin, for ml2 for example: https://opendev.org/openstack/neutron/src/branch/master/neutron/plugins/ml2/plugin.py#L212","commit_id":"63c029d4cb11d14cbe2a1edc2efd6803877ab823"},{"author":{"_account_id":11737,"name":"David Pineau","email":"dav.pineau@gmail.com","username":"Joachim"},"change_message_id":"ced71a1431c37f99c0e1de2e1accfc7649be457e","unresolved":true,"context_lines":[{"line_number":126,"context_line":"* Update of the SecurityGroup extension:"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"   * extend the API to include the ``security_groups`` field into the"},{"line_number":129,"context_line":"     ``Network`` input schemas"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"* Update of the ``Network`` 
object:"},{"line_number":132,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"4a8a42b5_c8e0556d","line":129,"in_reply_to":"82c17e17_e3933f34","updated":"2024-09-02 08:47:18.000000000","message":"I\u0027ll admit that I\u0027m a bit at a loss on the neutron design, relatively to the extensions which are always loaded/activated, such as securitygroups. We can define a dedicated extension for this, though.\n\nNow, as far as I can tell with my ongoing POC (for internal needs, which we\u0027ll adapt when contributing it), there will be a need to edit at least the ml2 plugin.","commit_id":"63c029d4cb11d14cbe2a1edc2efd6803877ab823"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f1d277a40173a6267e8e7c39ec7835c9a8dc778d","unresolved":true,"context_lines":[{"line_number":145,"context_line":"   * Add notification of network changes to the security group extension"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"* Update of all the client related utilities, allowing to handle the new"},{"line_number":148,"context_line":"  relationship via the openstack CLI"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"Example Scenario"}],"source_content_type":"text/x-rst","patch_set":2,"id":"bb93ff1a_bc7ef33d","line":148,"updated":"2024-09-02 07:34:44.000000000","message":"will additionally SG_ids associated with network be visible in the list of SGs associated with each port from that network also? IMO that would be easier to implement things if we just could add those SGs to the port\u0027s SGs automatically during runtime (not in the db of course). And that would also be fine from e.g. 
Nova perspective as nova also knows about SGs associated with port and can display them in the info of the instance.","commit_id":"63c029d4cb11d14cbe2a1edc2efd6803877ab823"},{"author":{"_account_id":11737,"name":"David Pineau","email":"dav.pineau@gmail.com","username":"Joachim"},"change_message_id":"ced71a1431c37f99c0e1de2e1accfc7649be457e","unresolved":true,"context_lines":[{"line_number":145,"context_line":"   * Add notification of network changes to the security group extension"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"* Update of all the client related utilities, allowing to handle the new"},{"line_number":148,"context_line":"  relationship via the openstack CLI"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"Example Scenario"}],"source_content_type":"text/x-rst","patch_set":2,"id":"2ec70e82_9da2d0dc","line":148,"in_reply_to":"bb93ff1a_bc7ef33d","updated":"2024-09-02 08:47:18.000000000","message":"I wasn\u0027t sure whether the SGs should be shown in the port\u0027s list, by fear of confusion of what the \"binding source\" is (network/port).\nThat being said, I agree with listing them, to avoid implicitness in the rules applied to a port, and it should not be reflected in the DB, indeed.\n\nI\u0027ll try to reformulate this item to make this clear.","commit_id":"63c029d4cb11d14cbe2a1edc2efd6803877ab823"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"ebf70351ae136d71c6dca299da45ef1a50e59b8c","unresolved":true,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":".. 
image:: ../../images/sg-network-binding-proposal.png"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Note that additionally, is is possible to allow enforcing policies on these new"},{"line_number":97,"context_line":"relationships in order to provide a fine-grained way to control permissions on"},{"line_number":98,"context_line":"these new fields and relationships."},{"line_number":99,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"92dc5358_e87d9d4d","line":96,"range":{"start_line":96,"start_character":24,"end_line":96,"end_character":26},"updated":"2024-11-18 09:00:19.000000000","message":"nit: it is","commit_id":"6ad4b8019a9fe1a5300178d1a6137c3fd1db7c6b"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"bdfad2b39e8e1527762406b33b1ab52b7f65a4a9","unresolved":true,"context_lines":[{"line_number":202,"context_line":""},{"line_number":203,"context_line":"With this, any ``Server`` attaching an interface for the ``multimedia-svc-net``"},{"line_number":204,"context_line":"``Network`` would automatically gain a working, and properly configured access"},{"line_number":205,"context_line":"to the multimedia service exposed by the project owner."},{"line_number":206,"context_line":""},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":3,"id":"2df30faf_8b46f192","line":205,"updated":"2024-10-28 13:19:58.000000000","message":"Would this also apply to any router gateway ports on the network?","commit_id":"6ad4b8019a9fe1a5300178d1a6137c3fd1db7c6b"},{"author":{"_account_id":11737,"name":"David Pineau","email":"dav.pineau@gmail.com","username":"Joachim"},"change_message_id":"3a68fcd539e082f68ef8a7c616fb0a4f57d77d81","unresolved":true,"context_lines":[{"line_number":202,"context_line":""},{"line_number":203,"context_line":"With this, any ``Server`` attaching an interface 
for the ``multimedia-svc-net``"},{"line_number":204,"context_line":"``Network`` would automatically gain a working, and properly configured access"},{"line_number":205,"context_line":"to the multimedia service exposed by the project owner."},{"line_number":206,"context_line":""},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c78d59d4_31e265d2","line":205,"in_reply_to":"2df30faf_8b46f192","updated":"2024-10-30 15:48:58.000000000","message":"As I do not fully master the subject matter, I\u0027m unsure whether it should or not ?\n\nI\u0027m guessing that router gateways on such a network would be used in a similar manner as a Server\u0027s port ? Would the security group rules even need to be slightly different ?","commit_id":"6ad4b8019a9fe1a5300178d1a6137c3fd1db7c6b"}]}
