OpenStack security groups and tenants


I did some investigation into the issue where it appeared as though we were collecting duplicate security groups during ems_refresh. This was attributed to multiple tenants having security groups of the same name, the most obvious example of this being the default security group.

While this is indeed the case, the security groups in question are not duplicates. It appears each tenant has its own independent set of security groups, defined within an isolated namespace. So, while they may appear to be duplicates based on name, each is an independent entity that can, and will, have different rules associated with it. This is also true for the default security group.

Accounting for this seems fairly straightforward:

  • When we display a global list of security groups, they must be qualified by tenant to avoid ambiguity.
  • When presenting a list of available security groups for selection - during provisioning, for example - the list should be filtered by tenant as needed.
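
The two points above, sketched as an added Ruby example (not code from the original post or from the project it discusses). The struct fields, tenant names, group ids and rule strings are constructed for illustration; the example shows how a name-only key collapses distinct groups, and how qualifying and filtering by tenant avoids that.

```ruby
# Constructed sample inventory: two tenants, each with its own "default" group.
# Field names (id, tenant, name, rules) are assumptions made for this example.
SecurityGroup = Struct.new(:id, :tenant, :name, :rules)

INVENTORY = [
  SecurityGroup.new("sg-1", "admin", "default", ["tcp/22 from 10.0.0.0/8"]),
  SecurityGroup.new("sg-2", "demo",  "default", ["tcp/22 from 0.0.0.0/0",
                                                 "tcp/80 from 0.0.0.0/0"]),
  SecurityGroup.new("sg-3", "demo",  "web",     ["tcp/443 from 0.0.0.0/0"]),
].freeze

# Naive index keyed on name alone: a later tenant's group silently replaces
# an earlier tenant's group of the same name, and its rules are lost.
def index_by_name(groups)
  groups.each_with_object({}) { |g, h| h[g.name] = g }
end

# Index keyed on [tenant, name]: every group survives with its own rules.
def index_by_tenant_and_name(groups)
  groups.each_with_object({}) { |g, h| h[[g.tenant, g.name]] = g }
end

# Global listing: qualify each name with its tenant so entries are unambiguous.
def qualified_names(groups)
  groups.map { |g| "#{g.tenant}/#{g.name}" }.sort
end

# Selection list (during provisioning, for example): only the groups that
# belong to the target tenant are offered.
def selectable_for(groups, tenant)
  groups.select { |g| g.tenant == tenant }
end

# Names defined in more than one tenant, mapped to the tenants that define them.
def ambiguous_names(groups)
  groups.group_by(&:name)
        .select { |_, gs| gs.map(&:tenant).uniq.size > 1 }
        .transform_values { |gs| gs.map(&:tenant).sort }
end
```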