The API calls create instance boot and add Instance to Security Group accept a security group name rather than an ID.
In Nova Security Group Names are constrained to be unique.
In Quantum Security Group Names are not constrained to be unique - so if two groups are created with the same name it becomes impossible to add instances to them via the Nova API.
To maintain backwards compatibility with Nova Security Groups, and to avoid issues during Instance Creation or when adding Instances to a Security Group the NovaQauntumSecurityGroupAPI should enforce uniqueness of Group Names. This will provide consistency for users of the Nova API (it will still be possible to break this model by creating SecGroups with non-unique names in Quantum).
The longer term solution would be for the Nova API to work with SecurityGroup IDs (which are always unique) rather than Names.
Forcing Quantum (which is already using uuids for Security groups) to also impose unique names to satisfy Nova does not feel like a good fix.
This seems like something we need to fix in the v3 API, which should be focused on using Quantum for networking.