Posted to dev@cloudstack.apache.org by Kishan Kavala <Ki...@citrix.com> on 2013/04/25 16:34:24 UTC

RE: [Discuss] ACL deny rules

There was a discussion regarding API name alias [1]. After adding API name alias, we still need to have different response tags for backward compatibility. 
New: <networkaclitem>..</networkaclitem>
Old: <networkacl>..</networkacl>

If we are to use the same API, networkId and aclId both have to be made optional. Would it be better to have a new API createNetworkACLItem instead and deprecate createNetworkACL gradually?

[1] http://mail-archives.apache.org/mod_mbox/cloudstack-dev/201304.mbox/%3CCD92E986.17651%25nitin.mehta@citrix.com%3E

> -----Original Message-----
> From: Chiradeep Vittal
> Sent: Wednesday, 3 April 2013 1:08 AM
> To: Kishan Kavala; dev@cloudstack.apache.org; Chandan Purushothama
> Subject: Re: Question pertaining to the Support of ACL deny rules
> 
> 
> 
> On 4/2/13 6:46 AM, "Kishan Kavala" <Ki...@citrix.com> wrote:
> > To implement API alias, APICommand annotation needs to be changed to
> >support multiple API names for the same Cmd object.
> 
> Can you call this out in a separate DISCUSS ?
> 
> >
> >> * createNetwork - I like this idea of being able to specify at
> >>creation time, but  it should fail if the ACL service is not present
> >[KK] ACL service will always be present in VPC case. We do not support
> >ACL container in non-vpc case.
> 
> But this can change.
> 
> >
> >> * listNetworkAclContainers - listAPIs usually have filters as
> >>parameters.
> >> You are proposing two filters -- by ACLList Id and network id. I
> >>could easily  see filtering by list of network ids, by vpc id, those
> >>that contain a particular  ACLItem, etc. At the very least can we
> >>rewrite the API that takes a filter as an  input ? How do I know which
> >>ACLList is the default one?
> >[KK] I'll add additional filters- byNetworkIds, byVpcId. Each ACLList
> >will have flag indicating default true/false.
> 
> Is there a standard filter syntax for this?
> 
> >
> >> * Scripts - do you propose deleting and re-creating the entire chain
> >>when you  update a rule? Or do you plan to surgically move around the
> >>rules as the  ordering changes?
> >[KK] Planning on deleting and re-creating all the rules.
> >
> >> * what are the contents of the default ACLList?
> >[KK] default ACLList will contain deny all rule.
> 
> Can you update the spec with the default ACL list?
> 
> Thanks
> --
> Chiradeep