List of security groups is not filtered by tenant when quantum SG is enabled

Bug #1155381 reported by Tomoe Sugihara
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Medium | Kieran Spear |
OpenStack Dashboard (Horizon) | Invalid | Undecided | Kieran Spear |

Bug Description

Looks like horizon sees security groups for the "admin" tenant as well.

Gabriel Hurley (gabriel-hurley) wrote :

Could you add detailed steps to reproduce this issue?

Changed in horizon:
status: New → Incomplete
Tomoe Sugihara (tomoe) wrote :

Hi Gabriel,

Here are the steps to reproduce the issue.

1. Add the line below to nova.conf to use Quantum's security groups:

  security_group_api = quantum

 NB: be sure to use a quantum plugin that supports SG.

2. Click on the Access & Security tab.

 You'd see two "default" security groups.

----

It occurred to me that this might be a problem with the quantum integration inside the nova code (nova/network/quantumv2/api.py), since I guess horizon just makes OpenStack SG API calls, which are proxied to Quantum.

Kieran Spear (kspear)
Changed in horizon:
status: Incomplete → Confirmed
Kieran Spear (kspear) wrote :

You also need to uncomment a line in /etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini

[SECURITYGROUP]
# Firewall driver for realizing quantum security group function
firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

And restart q-agt, n-cpu, n-api.

And I only see it while logged in as admin.

Kieran Spear (kspear) wrote :

Looks like a nova/quantum issue to me:

curl -i http://115.146.93.78:8774/v2/c542bf988efe40d0b1794523a1599a7a/os-security-groups -X GET -H "X-Auth-Project-Id: c542bf988efe40d0b1794523a1599a7a" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: 943ff65ba98f37c81179d04d3bd1ce3a"
HTTP/1.1 200 OK
X-Compute-Request-Id: req-c145f321-e305-41e5-a7eb-c799876cda33
Content-Type: application/json
Content-Length: 1046
Date: Mon, 18 Mar 2013 06:10:57 GMT

{"security_groups": [{"rules": [{"from_port": 55, "group": {}, "ip_protocol": "tcp", "to_port": 55, "parent_group_id": "7f015dbd-57a3-499f-a190-2f44d4237ce8", "ip_range": {"cidr": "0.0.0.0/0"}, "id": "549ef037-1b5a-4e1d-9037-05ebc97680ec"}], "tenant_id": "1656e05368164d918183fcf4a699e9f5", "id": "7f015dbd-57a3-499f-a190-2f44d4237ce8", "name": "default", "description": "default"}, {"rules": [{"from_port": -1, "group": {"tenant_id": "c542bf988efe40d0b1794523a1599a7a", "name": "default"}, "ip_protocol": null, "to_port": -1, "parent_group_id": "80f76a6d-7cd3-4528-9fbc-25522cffa05b", "ip_range": {}, "id": "149cda67-5b50-4e52-8010-c3253581a50a"}, {"from_port": -1, "group": {"tenant_id": "c542bf988efe40d0b1794523a1599a7a", "name": "default"}, "ip_protocol": null, "to_port": -1, "parent_group_id": "80f76a6d-7cd3-4528-9fbc-25522cffa05b", "ip_range": {}, "id": "310d03d8-9fad-4d48-98a3-fe8c9eeb922f"}], "tenant_id": "c542bf988efe40d0b1794523a1599a7a", "id": "80f76a6d-7cd3-4528-9fbc-25522cffa05b", "name": "default", "description": "default"}]}

Kieran Spear (kspear)
Changed in horizon:
assignee: nobody → Kieran Spear (kspear)
Changed in nova:
assignee: nobody → Kieran Spear (kspear)
Changed in horizon:
status: Confirmed → Invalid
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/24632

Changed in nova:
status: New → In Progress
Kieran Spear (kspear)
tags: added: grizzly-rc-potential
Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/24632
Committed: http://github.com/openstack/nova/commit/775e3b02b2afbf101db22b87a1c3b189d68532e1
Submitter: Jenkins
Branch: master

commit 775e3b02b2afbf101db22b87a1c3b189d68532e1
Author: Kieran Spear <email address hidden>
Date: Mon Mar 18 17:32:26 2013 +1100

    Pass project id in quantum driver secgroup list

    The quantum driver is always returning security groups from every tenant
    a user has access to, even when the "project" filter is supplied.

    Make sure we pass along the project value when we call
    quantum.list_security_groups() so it's properly filtered.

    Fixes bug 1155381.

    Change-Id: I682c66a1f3f9db18b5f9924a37b45c759ff259f7
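
Added example (not part of the original report and not nova's code): a simplified model of the behaviour the commit message describes, plus a regression check that flags any returned group whose tenant_id differs from the project in the request. `StubQuantumClient`, `list_groups_before`, `list_groups_after` and `foreign_groups` are hypothetical names, the `tenant_id` filter key is an assumption, and the sample data is constructed from the IDs in the response quoted earlier.

```python
# Added illustration; a simplified model, not nova's actual driver code.

class StubQuantumClient:
    """Hypothetical stand-in for the quantum client: with admin credentials it
    sees every tenant's groups and filters only on the keyword args it gets."""

    def __init__(self, groups):
        self._groups = groups

    def list_security_groups(self, **filters):
        matched = [g for g in self._groups
                   if all(g.get(k) == v for k, v in filters.items())]
        return {"security_groups": matched}


def list_groups_before(client, project=None):
    # Behaviour described in the commit message: "project" is accepted but
    # never forwarded, so every tenant's groups come back.
    return client.list_security_groups()["security_groups"]


def list_groups_after(client, project=None):
    # Fixed behaviour: forward the project as a filter (assumed key: tenant_id).
    filters = {"tenant_id": project} if project else {}
    return client.list_security_groups(**filters)["security_groups"]


def foreign_groups(project_id, groups):
    """Regression check: ids of groups that belong to some other tenant."""
    return [g["id"] for g in groups if g.get("tenant_id") != project_id]


# Constructed sample mirroring the quoted API response (rules omitted).
PROJECT = "c542bf988efe40d0b1794523a1599a7a"
SAMPLE = [
    {"id": "7f015dbd-57a3-499f-a190-2f44d4237ce8", "name": "default",
     "tenant_id": "1656e05368164d918183fcf4a699e9f5"},
    {"id": "80f76a6d-7cd3-4528-9fbc-25522cffa05b", "name": "default",
     "tenant_id": PROJECT},
]

if __name__ == "__main__":
    client = StubQuantumClient(SAMPLE)
    print("before:", foreign_groups(PROJECT, list_groups_before(client, PROJECT)))
    print("after: ", foreign_groups(PROJECT, list_groups_after(client, PROJECT)))
```

The same `foreign_groups` check can be run against a saved os-security-groups response body to confirm that a deployment no longer returns other tenants' groups for a project-scoped request.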

Changed in nova:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/25401

Changed in nova:
milestone: none → grizzly-rc2
Thierry Carrez (ttx)
tags: removed: grizzly-rc-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (milestone-proposed)

Reviewed: https://review.openstack.org/25401
Committed: http://github.com/openstack/nova/commit/989435822e5841bc1355e75bbdb003b10a3baf58
Submitter: Jenkins
Branch: milestone-proposed

commit 989435822e5841bc1355e75bbdb003b10a3baf58
Author: Kieran Spear <email address hidden>
Date: Mon Mar 18 17:32:26 2013 +1100

    Pass project id in quantum driver secgroup list

    The quantum driver is always returning security groups from every tenant
    a user has access to, even when the "project" filter is supplied.

    Make sure we pass along the project value when we call
    quantum.list_security_groups() so it's properly filtered.

    Fixes bug 1155381.

    Change-Id: I682c66a1f3f9db18b5f9924a37b45c759ff259f7
    (cherry picked from commit 775e3b02b2afbf101db22b87a1c3b189d68532e1)

Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: grizzly-rc2 → 2013.1