Community Articles

Find and share helpful community-sourced technical articles.
Labels (1)
avatar
Expert Contributor

As discussed in my previous article Using Pre-defined Security Groups with Cloudbreak, the preferred method for managing security for hostgroups in Cloudbreak is to use the native interface from your cloud provider. For Openstack, one of the easiest ways to do it is to use the openstack CLI. My Openstack environment uses a self-signed certificate and is only accessible through a VPN, so I have to use the --insecure flag to ignore the certificate errors.

Before you can use the CLI commands, you have to know your Openstack login parameters. This includes username and password, but also the URL of the security endpoint, project name, etc. For mine, I have a script that puts these values in environment variables, but they can be specified on the openstack command line if desired.

export OS_USERNAME=john.whitmore
export OS_PASSWORD='xxxxxxxxxxxxxx'
export OS_SYSTEM_SCOPE=Project
export OS_USER_DOMAIN_NAME=Default
export OS_AUTH_URL=http://###.###.###.###:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_NAME=Tenant1
export OS_PROJECT_DOMAIN_NAME=Default

The first step is to create the security group.

openstack --insecure security group create hdp-sec-mgmt
+-----------------+---------------------------------------------------------------------------------+
| Field           | Value                                                                           |
+-----------------+---------------------------------------------------------------------------------+
| created_at      | None                                                                            |
| description     | hdp-sec-mgmt                                                                   |
| id              | 0b9f6f3f-f5fd-431d-af31-a5c4efb53158                                            |
| name            | hdp-sec-mgmt                                                                   |
| project_id      | ad120b0e0e3c41f5b621f7149c876390                                                |
| revision_number | None                                                                            |
| rules           | direction='egress', ethertype='IPv4', id='64659d92-e5f8-4689-981f-391217d64674' |
|                 | direction='egress', ethertype='IPv6', id='d8273584-66d0-4575-a8c6-a883e4112cb7' |
| updated_at      | None                                                                            |
+-----------------+---------------------------------------------------------------------------------+

This creates a new security group with default outbound access rules. It will create with the requested name even if there is one by the same name. Therefore, we will create the ingress rules using the id that was returned, because that is unique. For the same reason, when you use the rule, Cloudbreak shows the id so that you can be sure you are using the rule you expect even if there are duplicate names.

Next you add your ingress rules. The default for the create rule subcommand is --ingress and --tcp, therefore I don't have to specify those for each line.

openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 60200
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 39915
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 6188
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 3888
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 8080
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 8886
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 22
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 8440
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 5432
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 1080
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 8441
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 4505
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 4506
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 443
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 61181
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 61310
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 8670
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 32768
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 8480
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 32769
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 9443
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 36677
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 2181
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 8485
openstack --insecure security group rule create 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 --dst-port 18886

Each line outputs information about the rule that was created

+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | None                                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | fbe378e6-5adc-44dd-b695-3769d27d228e |
| name              | None                                 |
| port_range_max    | 8080                                 |
| port_range_min    | 8080                                 |
| project_id        | ad120b0e0e3c41f5b621f7149c876390     |
| protocol          | tcp                                  |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | None                                 |
| security_group_id | 0b9f6f3f-f5fd-431d-af31-a5c4efb53158 |
| updated_at        | None                                 |
+-------------------+--------------------------------------+

You can list all of the rules in the security group to verify it.

openstack --insecure security group rule list 0b9f6f3f-f5fd-431d-af31-a5c4efb53158

The listing of the rule at the end looks like this:

+--------------------------------------+-------------+-----------+-------------+-----------------------+
| ID                                   | IP Protocol | IP Range  | Port Range  | Remote Security Group |
+--------------------------------------+-------------+-----------+-------------+-----------------------+
| 067cd1a9-d744-4fdc-aaaa-b2c2e148b525 | None        | None      |             | None                  |
| 07c68cbe-0acf-4a20-baef-e0d8940ea94c | None        | None      |             | None                  |
| 0b502d4f-596f-4e27-8451-9ca8d99dc4b7 | tcp         | 0.0.0.0/0 | 6188:6188   | None                  |
| 4053d474-6332-48bf-bf87-45f34355c6cd | tcp         | 0.0.0.0/0 | 3888:3888   | None                  |
| 49df8547-1723-4380-b548-7f74f32e2b71 | tcp         | 0.0.0.0/0 | 8440:8440   | None                  |
| 4cde8bc0-c52c-46c6-a506-b8e22654d3be | tcp         | 0.0.0.0/0 | 32768:32768 | None                  |
| 4e4f5e4c-ef9b-472b-9901-37a24c8d7571 | tcp         | 0.0.0.0/0 | 8485:8485   | None                  |
| 5cbe51a4-b82f-4828-bac7-2399d600ecae | tcp         | 0.0.0.0/0 | 4505:4505   | None                  |
| 60e0a5f3-6826-4274-b87d-2fa614cc504e | tcp         | 0.0.0.0/0 | 60200:60200 | None                  |
| 63803572-419a-472b-ad09-c6568f7f3981 | tcp         | 0.0.0.0/0 | 39915:39915 | None                  |
| fbe378e6-5adc-44dd-b695-3769d27d228e | tcp         | 0.0.0.0/0 | 8080:8080   | None                  |
| 8bca6668-47f4-4089-a028-a1a95620cfe4 | tcp         | 0.0.0.0/0 | 9443:9443   | None                  |
| 96caddc4-6a99-4be1-995d-282c7d6e2173 | tcp         | 0.0.0.0/0 | 61181:61181 | None                  |
| 9fa5764a-4bab-4d7b-8ebb-239f80d3ceb1 | tcp         | 0.0.0.0/0 | 22:22       | None                  |
| a1eca812-e485-4cae-8bef-a1cad525f86b | tcp         | 0.0.0.0/0 | 4506:4506   | None                  |
| a580c721-bd45-480d-8413-ae15442b5557 | tcp         | 0.0.0.0/0 | 443:443     | None                  |
| a6f74c6e-fc96-4314-a18f-60af8c5d9bde | tcp         | 0.0.0.0/0 | 5432:5432   | None                  |
| c072ebef-19ec-403f-9505-547cff4f2b05 | tcp         | 0.0.0.0/0 | 2181:2181   | None                  |
| caff450a-1c7c-405b-bc8e-49d2d815566d | tcp         | 0.0.0.0/0 | 32769:32769 | None                  |
| cd0bf21c-f46c-44bb-bf9f-2b0f119177fa | tcp         | 0.0.0.0/0 | 18886:18886 | None                  |
| cf3e99fe-758f-44c2-800b-cddeb1607183 | tcp         | 0.0.0.0/0 | 8441:8441   | None                  |
| d5191190-b3f9-4dde-b3aa-cc615afb78e3 | tcp         | 0.0.0.0/0 | 1080:1080   | None                  |
| d733e203-5b41-492b-ba79-997be1094e41 | tcp         | 0.0.0.0/0 | 61310:61310 | None                  |
| d9fbcefa-223c-4f3d-a4d1-d6d990ddabf5 | tcp         | 0.0.0.0/0 | 8670:8670   | None                  |
| f414bfb0-fc43-43d6-96e6-a70dd60351c9 | tcp         | 0.0.0.0/0 | 8886:8886   | None                  |
| f823d654-d04c-4d5b-96c0-ee3e12bf57a7 | tcp         | 0.0.0.0/0 | 36677:36677 | None                  |
| fa86a862-7223-43d4-8b49-ed6365ab1c91 | tcp         | 0.0.0.0/0 | 8480:8480   | None                  |
+--------------------------------------+-------------+-----------+-------------+-----------------------+

If you want to limit the access instead of taking the default 0.0.0.0/0, you can add --remote-ip <ip-address CIDR> to each line.

I think you will find this much quicker than going through the GUI for every added port.

968 Views