Posted to dev@cloudstack.apache.org by Antonio Fornié Casarrubios <an...@gmail.com> on 2014/02/24 13:55:49 UTC

[Question][Proposal] Functionality when editing a shared ACL by NetworkId

Hi all,

There is this functionality that seems to be wrong and I would like to
double check with you all. Actually this functionality could be considered
very important so I appreciate collaboration.

It's about the functionality for ACLs shared among networks. Let's say you
have a VPC with Networks NW1 and NW2, and you have an ACL (what CloudStack
calls ACLList) with several rules, and you choose this ACL as the ACL for
both NW1 and NW2. The current functionality is that in general if you
modify the ACL this change will affect NW1 and NW2 of course.

But there is a special case: you could send the parameter networkid. It
makes sense that if you send a createNetworkACL request to allow additional
traffic and you specifically state NW1, this should not affect NW2.

The proposal then is to change this functionality so that, if and only if
the request specifies a networkid, the command should only affect the
specified network. Which in Java terms will mean that if other networks use
the same ACLList, it will be cloned and then the command will be applied to
the new clone that will be assigned to the given network.

Note that:
* The new clone ACL List is created only if it is actually shared with more
networks, otherwise it doesn't make sense.
* The name for the new ACL List will be the same old name plus a random
suffix.


Any thoughts? Reasons not to go this way?

Thanks and cheers

Antonio
Schuberg Philis - MCE
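
The behaviour proposed above, sketched as an added example (not part of the original post and not CloudStack code). `Vpc`, `AclList`, `add_rule` and the rule strings are hypothetical names in a toy model, and the suffix format is an assumption, since the post only says "random suffix".

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AclList:
    name: str
    rules: list = field(default_factory=list)


class Vpc:
    """Toy model: maps each network id to the ACL list object it uses."""

    def __init__(self):
        self.acl_of = {}  # network id -> AclList

    def networks_using(self, acl):
        return [n for n, a in self.acl_of.items() if a is acl]

    def add_rule(self, acl, rule, network_id=None):
        """Add a rule; when network_id is given, only that network changes."""
        if network_id is None:
            # No network named: every network using the list sees the rule.
            acl.rules.append(rule)
            return acl
        if self.acl_of.get(network_id) is not acl:
            raise ValueError("network does not use this ACL list")
        if len(self.networks_using(acl)) > 1:
            # Shared list: clone it (old name plus random suffix), move only
            # the named network to the clone, leave the other networks alone.
            acl = AclList(f"{acl.name}-{secrets.token_hex(4)}", list(acl.rules))
            self.acl_of[network_id] = acl
        # An unshared list is edited in place; no clone is needed.
        acl.rules.append(rule)
        return acl


def demo():
    # Constructed sample data: one ACL list shared by NW1 and NW2.
    vpc = Vpc()
    shared = AclList("web-acl", ["allow tcp/443 from 0.0.0.0/0"])
    vpc.acl_of = {"NW1": shared, "NW2": shared}
    vpc.add_rule(shared, "allow tcp/22 from 10.0.0.0/8", network_id="NW1")
    return vpc
```

After `demo()`, NW2 still has only its original rule, so a rule opened for NW1 does not silently widen access to NW2.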

Re: [Question][Proposal] Functionality when editing a shared ACL by NetworkId

Posted by Antonio Fornié Casarrubios <an...@gmail.com>.
Yes, it surely can be done that way, but that doesn't change the fact that
if the Commands I mentioned do not work properly (at least for the case
when you specifically provide a networkId) we should fix it instead of
expecting users to find some good craft as a workaround, right? Does anybody
think this proposed change will be wrong or have any bad effects?

Thanks again. Cheers
Antonio
Schuberg Philis - MCE



2014-02-24 23:30 GMT+01:00 Chiradeep Vittal <Ch...@citrix.com>:

> Surely this can be done by a few well crafted API calls from CloudMonkey?

Re: [Question][Proposal] Functionality when editing a shared ACL by NetworkId

Posted by Chiradeep Vittal <Ch...@citrix.com>.
Surely this can be done by a few well crafted API calls from CloudMonkey?
