Consider Consolidating Assigned Devices and Assigned dynamic groups
itdependsnetworks opened this issue · comments
Environment
- Nautobot version: 1.3
- nautobot-plugin-firewall-model version: 0.1
Proposed Functionality
There are currently both Assigned Devices and Assigned dynamic groups, I am proposing to consolidate down to just dynamic groups. This will continue to be used in the Nautobot ecosystem, with more reliance and knowledge of it moving forward.
Use Case
There is complication in that both have weight. Let's explore an issue.
- A Policy
Deny-Bogons
is assigned to device=nyc-fw01 with weight 100 and dynamic_group={site: nyc} with weight 1000 - Another Policy
Allow-Internet
is applied to the device with weight 500 - What should the order of policy be?
Conceptually, this will not work, and while I understand that we can simply document "operator beware", not to do such a thing, it is still odd.
As a developer of a job or creating configuration management from the system, it is not clear what the intention should be, for either prefer assigned devices or dynamic groups
As a developer, there is an increased complication to always determine given a set of Policies, which Device's are actually in scope.
As a developer, there is an increased complication to always determine given a set of Devices, which Policy's are actually in scope.
As an alternate, I believe that the assigned devices and dynamic groups should at a minimum be mutually exclusive, but would prefer to aggregate down to dynamic groups.
In speaking with @whitej6 go with "As an alternate, I believe that the assigned devices and dynamic groups should at a minimum be mutually exclusive, but would prefer to aggregate down to dynamic groups."
Accepted as validation to pre-vent assigning both attrs AND creating a connivence method to return a device queryset via #70 to return relevant devices to a policy.