Jump to: navigation, search


Security Groups for Trove

Brief Overview

End users don't currently have a way to configure Security Groups and Security Group Rules on Trove guest instances. We propose creating a simple implementation of Security Group Rules on the basis of the following guidelines:

  1. This functionality will be implemented as an extension to Trove (paralleling the Security Groups implementation as an extension in Nova).
  2. We will create a new security group for every guest instance created, such that there is a 1-1 mapping between the security group and the guest instance.
  3. Users will not be able to manage these security groups directly, but we will extend the Trove API so that they will be able to add and delete rules from this security group.

This design allows for a simple starting implementation that is extensible to provide further advanced functionality as deemed necessary.

Extension to Trove API

The extended Trove API would look something like:

1. GET /security-groups:

List all of the security Groups, with details of which instances they are attached to.

2. GET /security-groups-rules/{secgroup-id}:

List details of the specific security group with id {secgroup_id} including which instance it is attached to and details of the security group rules that it contains.

3. POST /security-group-rules:

This would take information about the security group, and the rule in the POST body and would create a security group rule within the specified security group.

4. DELETE /security-group-rules/{sec-group-rule-id}:

Deletes a security group rule corresponding to {sec-group-rule-id}

Implementation Note - Security Groups as an extension

Since security groups in nova is implemented as an extension, we will also implement security groups in Trove as an extension. This extension will be installable if needed and ideally should be able to be toggled on/off depending on the requirements.

We're currently taking a look at Stevedore (https://github.com/dreamhost/stevedore) to see if we can leverage its dynamic plugin model to achieve this goal.

Future Scenarios

Note that the initial avatar of the implementation that this blueprint calls for is but the simple implementation mentioned above but one can extend this further to provide for the following:

  1. A separate API for end users to be able to create, delete and manage their own security groups so that it is possible for instances to share security groups.
  2. An API for a default set of rules (per tenant) so that any security groups that we create are pre-populated with these intelligent defaults.
  3. With some further work, group security group rules can also be implemented (similar to nova's implementation).