Feature #3175
Implement Security Groups
| Status: | Closed | Start date: | 11/28/2014 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Carlos Martín | % Done: | 100% |
| Category: | Core & System | | |
| Target version: | Release 4.12 | | |
| Resolution: | fixed | Pull request: | |
Associated revisions
Feature #3175: New Security Group pool in the core
Feature #3175: New onesecgroup command
Feature #3175: Add secgroup acl resource to CLI
Feature #3175: Make sec groups start with ID 100
Feature #3175: Sec groups store the VMs using them
Feature #3175: Copy the Sec Group rules to the VM Template
Feature #3175: Ask for SECGROUP USE auth in VM creation.
This only checks the sec groups requested directly in
each NIC/SECURITY_GROUPS. The sec groups added from the
vnet (and AR) are not checked for auth.
Feature #3175: Add a security group tab to sunstone
Feature #3175: Migrate the sec group wizard to new non-modal mechanism
Feature #3175: First version of the sec groups wizard
Feature #3175: Security group definition for vnet, ar & nic
Feature #3175: Fix bug in sec group table refresh
Feature #3175: Sec group table in vnet AR update
Feature #3175: Show selected security groups for vnets and AR info
Feature #3175: Move vnet creation wizard to new window model
Feature #3175: New vnet update wizard
Feature #3175: Update sec groups in Template nic
Feature #3175: Change sec group TYPE to RULE_TYPE
Feature #3175: SG vnm driver now uses the model of TEMPLATE/SECURITY_GROUP_RULE and TEMPLATE/NIC/SECURITY_GROUPS
Feature #3175: Add vnet selector in sec group wizard
Feature #3175: Core support for RULE/NETWORK_ID
Each rule is copied once for each vnet's AR
Feature #3175: Better security group ID management
Feature #3175: Add extended info to NICs in vm view
Feature #3175: Refactor SG wizard
Feature #3175: Improve SG info panel, and nic SG table
Feature #3175: Add advanced section to SG wizard
Feature #3175: SG update wizard
Feature #3175: Remove dependency between VM and SG tabs
Feature #3175: Refactor SG wizard
Feature #3175: Improve SG wizard
Feature #3175: Do not send icmp_type for 'all' value
Feature #3175: Fix bug in SG clone
Feature #3175: Hide SG in VNet template attributes
Feature #3175: Table for rules in onesecgroup show
Feature #3175: Table for SG rules in onevm show
Feature #3175: onedb migrator to add SG table
Feature #3175: Fix SG tables after merge
feature #3175: Move AR attributes for SG to class constants
Feature #3175: Better management of nics without security groups
Feature #3175: Include TEMPLATE/SECURITY_GROUP_RULE as a
required attribute to send to the vnm drivers.
Feature #3175: Better sg/post call that can handle exceptions.
Feature #3175: Handle IP/SIZE nets
Feature #3175: Add support for IPSEC
Feature #3175: Prevent deadlocks
Feature #3175: use proper vnet
feature #3175: Rename split method
feature #3175: Copy security group rules by reference
feature #3175: Cache SECURITY_GROUP parsing
feature #3175: Review VirtualMachine method scope
feature #3175: Do not duplicate SG information
feature #3175: fix error bootstrapping security group rules
feature #3175: Fix error rebuilding AR security groups
feature #3175: Check security group consistency
feature #3175: Add a default SG rule to allow outbound connections for every protocol
feature #3175: Security Group 0 cannot be deleted
feature #3175: Solves memory leaks. Add SG 0 to new networks
feature #3175: Remove duplicated sgs when the VNET is inserted
feature #3175: Group Users can create Security Groups
Feature #3175: Change range labels to "port range"
Feature #3175: New SG protocol "all" in sunstone
Feature #3175: fix multiple choice table bug
Feature #3175: New group wizard: add SG create rights
Feature #3175: Add SECGROUP to sunstone acls
Feature #3175: Add secgroup tab to other yaml files
Feature #3175: Add default SG in onedb migrator
Feature #3175: Add required fields to new rule wizard
Feature #3175: Add a warning about the default SG
Feature #3175: Improve SG driver
- Refactor and apply new ACCEPT => REJECT strategy
- Adds icmp_type support
- Do not apply duplicate rules
- Specific ipset per protocol
- Improve rule types readability in the driver
- Adds support for mac and ip spoofing filtering
- Reorder rules
Feature #3175: Default security group allows also inbound and outbound connections
Feature #3175: Tooltips
Feature #3175: Add migrator rule to include inbound connections
Feature #3175: Remove debugging info
Feature #3175: Avoid errors if empty rules and apply an ACCEPT policy by default.
Feature #3175: Rewrite the security_groups post script to handle the errors better.
Feature #3175: Add spoofing checkboxes to vnet wizard
Feature #3175: Move SecurityGroups.rb to top vnm remotes dir
Feature #3175: Extract IPNetmask to its own library
Feature #3175: FILTER_IP_SPOOFING and FILTER_MAC_SPOOFING must be set to "YES" (and not just any value) in order to be applied.
Feature #3175: Function that returns true if the VM has deprecated firewall attributes
Feature #3175: Call the new SG driver from the ebtables and 802.1q driver
Feature #3175: Firewall driver is compatible with the security groups driver
Feature #3175: FW drivers manage the SG drivers as well
Feature #3175: Unify the way the filter driver is called and handled
Feature #3175: 802.1Q/clean and post are the same as fw/clean and post
Feature #3175: Tooltips for IP and MAC spoofing
Feature #3175: Add FILTER_MAC_SPOOFING and FILTER_IP_SPOOFING to the
inherited attributes in oned.conf
feature #3175: Some refactor of SG classes
feature #3175: More refactor
feature #3175: Moved Nic and VM to new modules
feature #3175: Moved firewall and SG drivers to new module. Removed old files
feature #3175: Fix multiple syntax errors
feature #3175: Move VNM drivers to new modules
feature #3175: Fix bugs
feature #3175: Fix minor bugs. Add simple test
feature #3175: Fix bug
feature #3175: Rename OpenNebulaNetwork class to VNMDriver. Change filenames also
feature #3175: Fix bugs. New method to access commands
feature #3175: Fix spoofing with non-SG VMs
feature #3175: Check if RANGE has proper syntax
Feature #3175: Fix 802.1Q call
Feature #3175: Syntax errors
History
#1 Updated by Tino Vázquez almost 7 years ago
- Related to Backlog #3200: Create a security group to allow ESP (IP protocol 50) added
#2 Updated by Ruben S. Montero over 6 years ago
- Related to Backlog #3250: Implement Security Groups for Open vSwitch added
#3 Updated by Carlos Martín over 6 years ago
Docs (work in progress) can be found in branch feature-3175 of the doc repo
#4 Updated by Carlos Martín over 6 years ago
- Related to Bug #3424: Template update deletes legacy Firewall driver attributes (e.g. WHITE_PORTS...) added
#5 Updated by Ruben S. Montero over 6 years ago
- Status changed from Assigned to Closed
- Target version set to Release 4.12
- Resolution set to fixed