Comment 3 for bug 1942615

Hang Yang (hangyang) wrote : Re: SG shared through RBAC mechanism can't be used to spawn instances

Hi Slawek,

I'm interested in working on this. I also noticed that Horizon faced a similar issue: when filtering by the tenant_id, the shared security groups are excluded. See: https://bugs.launchpad.net/horizon/+bug/1907843

I think Neutron's current API behavior makes sense because anyway we will need a way to know what resources are actually owned by the requested tenant. As for the solution for both issues, I'd like to follow the example of how the shared networks are handled currently in Horizon and Nova:

https://opendev.org/openstack/horizon/src/branch/master/openstack_dashboard/api/neutron.py#L1055-L1101
https://github.com/openstack/nova/blob/62406b5728077afa9cd38d5c5d510bba64c43bd7/nova/network/neutron.py#L425-L455

We can implement the 'shared' filter for security groups as well and use that to make additional requests from Horizon and Nova to get the shared security groups and append them to the original lists filtered by the owner id.

I'd like to know your thoughts on this proposal, thank you!