I did some investigation into the issue where it appeared as though we were collecting duplicate
security groups during
ems_refresh. This was attributed to multiple tenants having
security groups of the same name, the most obvious example of this being the
While this is indeed the case, the
security groups in question are not duplicates. It appears each tenant has its own independent set of
security groups, defined within an isolated name space. So, while they may appear to be duplicates based on name, each is an independent entity that can, and will, have different rules associated with them. This is also true for the
Accounting for this seems fairly straightforward:
- When we display a global list of
security groupsthey must be qualified by tenant to avoid ambiguity.
- When presenting a list of available
security groupsfor selection - during provisioning, for example - the list should be filtered by tenant as needed.