_validate_security_groups_on_port does not validate external_ids

Bug #1095864 reported by Aaron Rosen
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Aaron Rosen

Bug Description

The function _validate_security_groups_on_port was not validating a port's security group id if the id was an external id.

Tags: sg-fw
Aaron Rosen (arosen)
Changed in quantum:
assignee: nobody → Aaron Rosen (arosen)
Changed in quantum:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/18929

Salvatore Orlando (salvatore-orlando) wrote :

Are we advocating the possibility of associating an external security group id to a port?
This would make sense if we were not storing security groups in quantum db as well, but since we have a quantum db record for each nova security group, it seems it should always be possible to use it.

The reason for it is that probably you want nova users to specify nova security groups when creating quantum ports. But then it seems you're claiming we should store the nova security group id in the quantum port object, whereas maybe quantum should work out automatically the corresponding quantum security group id.

But that's clumsy as well, as we will end up with the user getting a different id for the security groups in the response. E.g.: you create a port with security group id x and then when you fetch it its value is y.

I'm stopping here because I think I went far beyond the scope of this bug.
To cut a long story short, I think we should find another way of passing external security group ids to quantum ports.

dan wendlandt (danwent) wrote :

Hi Aaron,

At this point, I don't think there's a version of the security group handler stuff merged into nova, and I believe the plan is to actually change Nova so that it truly proxies security group calls to quantum, rather than having a nova-id and a quantum-id. At that point, wouldn't the need for the external-id go away? Or am I misunderstanding what external-id is used for?

OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (master)

Reviewed: https://review.openstack.org/18929
Committed: http://github.com/openstack/quantum/commit/26332dcbd8c25fb581c27ced1eb175bcd209c1fa
Submitter: Jenkins
Branch: master

commit 26332dcbd8c25fb581c27ced1eb175bcd209c1fa
Author: Aaron Rosen <email address hidden>
Date: Wed Jan 9 15:08:02 2013 -0800

    _validate_security_groups_on_port was not validating external_ids

    The function _validate_security_groups_on_port was not validating a port's
    security group id if the id was an external id. The unit tests now use
    set_override() rather than setting cfg values directly. Lastly, quantum.conf
    now has the proxy_mode option exposed.
    Fixes bug 1095864

    Change-Id: I0ec7f9ed36f1a46156c47a115be936bb41ef75d9

Changed in quantum:
status: In Progress → Fix Committed
Akihiro Motoki (amotoki)
Changed in quantum:
milestone: none → grizzly-3
tags: added: sg-fw
Changed in quantum:
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in quantum:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in quantum:
milestone: grizzly-3 → 2013.1