Comment 10 for bug 1592000

Ihar Hrachyshka (ihar-hrachyshka) wrote :

I personally can't find a way that the feature can be exposed without introducing incompatibility. See, a lot of users already assume and expect that the default security group in Neutron has specific contents and behaves in a specific way. Now, if we allow the contents to be changed, either through configuration files or via API, we introduce another set of calls for API users to run to validate that they will get the desired setup. Existing users and tools that are not aware of that potential new feature will not even check if the default group is what they could expect from all previous releases, so they will just proceed with this assumption, getting either broken applications (in case of a zero-trust model applied by the admin) or, even worse, getting instances silently exposed to external traffic that applications may be unprepared to deal with.

In that way, it does not really matter whether we expose it via config file or API, or whether we introduce a new API extension or not... Someone is going to be screwed by us.

I prefer we don't pursue the idea. In the end, tenants are the ones to set models for their instances, not admins.