no obvious way to delete incorrect security rules (added to the default nova security group)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Medium | Amandeep |
Bug Description
Try to add incorrect security rules, like:
1] adding an icmp rule without providing cidr to the default nova security group
- also, ICMP doesn't run on ports (so providing arbitrary ports for ICMP should be disabled?)
2] add an ssh rule, without cidr
And there appears to be no way to delete these incorrect rules.
A small test:
=======
(~(keystone_admin)$ nova secgroup-list
+------
| Name | Description |
+------
| default | default |
+------
(~(keystone_admin)$ nova secgroup-list-rules default
(~(keystone_admin)$
(~(keystone_
+------
| IP Protocol | From Port | To Port | IP Range | Source Group |
+------
| icmp | -1 | -1 | | default |
+------
(~(keystone_
+------
| IP Protocol | From Port | To Port | IP Range | Source Group |
+------
| icmp | 22 | 22 | | default |
+------
(~(keystone_
+------
| IP Protocol | From Port | To Port | IP Range | Source Group |
+------
| icmp | -1 | -1 | | default |
| icmp | 22 | 22 | | default |
+------
=======
-> Now attempt to delete:
=======
(~(keystone_
usage: nova secgroup-
error: too few arguments
=======
(~(keystone_
ERROR: 'cidr'
=======
-> For reference, correct way to add rules:
=======
(~(keystone_
+------
| IP Protocol | From Port | To Port | IP Range | Source Group |
+------
| tcp | 22 | 22 | 0.0.0.0/0 | |
+------
(~(keystone_
+------
| IP Protocol | From Port | To Port | IP Range | Source Group |
+------
| icmp | -1 | -1 | 0.0.0.0/0 | |
+------
(~(keystone_
-> Now, I end up with an inconsistent set of rules:
=============
(~(keystone_
+------
| IP Protocol | From Port | To Port | IP Range | Source Group |
+------
| icmp | -1 | -1 | | default |
| icmp | -1 | -1 | 0.0.0.0/0 | |
| icmp | 22 | 22 | | default |
| tcp | 22 | 22 | 0.0.0.0/0 | |
+------
(~(keystone_
=============
Actual results:
Incorrect/invalid rules can be created.
Expected results:
Incorrect/invalid rules should be sanitized. In case they're allowed, there should be a way to delete them.
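Added example (not nova's own code and not from the reporter): a Python sketch of the sanitisation the expected results ask for, together with an exact-match delete helper so a rule that was stored with an empty IP range can still be addressed and removed. The names validate_rule, delete_rule, InvalidRule and the STORED_RULES sample are assumptions constructed here; for ICMP the two port fields are treated as type/code with -1 meaning "any", which is how the "-1 -1" in the listings above reads.

```python
import ipaddress

PROTOCOLS = {"tcp", "udp", "icmp"}


class InvalidRule(ValueError):
    """Raised when a rule would be stored in a form that cannot be reasoned about."""


def validate_rule(ip_protocol, from_port, to_port, cidr=None, source_group=None):
    """Check a nova-style rule and return a normalised dict, or raise InvalidRule.

    Hypothetical helper modelling the sanitisation requested in the bug; it is
    not nova's validation code.
    """
    if ip_protocol is None:
        raise InvalidRule("ip_protocol is required")
    proto = str(ip_protocol).lower()
    if proto not in PROTOCOLS:
        raise InvalidRule("unsupported protocol %r" % ip_protocol)

    try:
        lo, hi = int(from_port), int(to_port)
    except (TypeError, ValueError):
        raise InvalidRule("from_port/to_port must be integers") from None

    if proto == "icmp":
        # For ICMP the two fields are type and code (-1 = any), not ports.
        if not (-1 <= lo <= 255 and -1 <= hi <= 255):
            raise InvalidRule("icmp type/code must be in -1..255")
        if lo == -1 and hi != -1:
            raise InvalidRule("icmp code given without a type")
    else:
        if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
            raise InvalidRule("tcp/udp ports must be in 1..65535")
        if lo > hi:
            raise InvalidRule("from_port is greater than to_port")

    # Exactly one of cidr / source_group must select the traffic source.
    # An empty cidr is what produced the blank "IP Range" rows above.
    if not cidr and not source_group:
        raise InvalidRule("either cidr or source_group is required")
    if cidr and source_group:
        raise InvalidRule("cidr and source_group are mutually exclusive")
    if cidr:
        try:
            # strict=False normalises host bits away, e.g. 1.1.1.1/8 -> 1.0.0.0/8
            cidr = str(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            raise InvalidRule("invalid cidr %r" % cidr) from None

    return {"ip_protocol": proto, "from_port": lo, "to_port": hi,
            "cidr": cidr, "source_group": source_group}


def delete_rule(rules, ip_protocol, from_port, to_port, cidr=None, source_group=None):
    """Remove every stored rule matching the spec exactly; return (kept, removed_count).

    Matching is done on the raw stored fields, so a rule that slipped past
    validation (blank cidr plus a group, or blank both) can still be removed.
    """
    proto = str(ip_protocol).lower() if ip_protocol is not None else None
    cidr = str(ipaddress.ip_network(cidr, strict=False)) if cidr else None
    source_group = source_group or None

    def matches(r):
        return (r.get("ip_protocol") == proto
                and r.get("from_port") == from_port and r.get("to_port") == to_port
                and (r.get("cidr") or None) == cidr
                and (r.get("source_group") or None) == source_group)

    kept = [r for r in rules if not matches(r)]
    return kept, len(rules) - len(kept)


# Constructed sample mirroring the inconsistent rule set shown in the report.
STORED_RULES = [
    {"ip_protocol": "icmp", "from_port": -1, "to_port": -1, "cidr": "", "source_group": "default"},
    {"ip_protocol": "icmp", "from_port": -1, "to_port": -1, "cidr": "0.0.0.0/0", "source_group": ""},
    {"ip_protocol": "icmp", "from_port": 22, "to_port": 22, "cidr": "", "source_group": "default"},
    {"ip_protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0", "source_group": ""},
]

if __name__ == "__main__":
    for args in (("icmp", -1, -1), ("icmp", 22, 22), ("tcp", 22, 22, "0.0.0.0/0")):
        try:
            print("accepted:", validate_rule(*args))
        except InvalidRule as exc:
            print("rejected:", args, "->", exc)
    remaining, count = delete_rule(STORED_RULES, "icmp", 22, 22, source_group="default")
    print(count, "rule(s) removed,", len(remaining), "left")
```

The first two inputs in the `__main__` block are the ones from the report (no cidr and no group) and are rejected; the delete helper then removes the stored `icmp 22 22 / default` row by exact match, which is the operation the report could not find a command for.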
Changed in nova: | |
assignee: | nobody → Amandeep (rattenpal-amandeep) |
Changed in nova: | |
assignee: | Amandeep (rattenpal-amandeep) → Kanchan Gupta (kanchan-gupta1) |
Changed in nova: | |
assignee: | Kanchan Gupta (kanchan-gupta1) → Amandeep (rattenpal-amandeep) |
Changed in nova: | |
status: | Confirmed → In Progress |
summary: |
- no obvious way to delete incorrect security rules (added to the default
+ no obvious way to delete correct security rules (added to the default nova security group)
Changed in nova: | |
status: | In Progress → Fix Committed |
Changed in nova: | |
milestone: | none → kilo-1 |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | kilo-1 → 2015.1.0 |
What version of nova is this? I get a different error when I try:
dan@guaranine:/opt/stack/tempest$ nova secgroup-delete-rule default icmp -1 -1 1.1.1.1/8
ERROR: 'NoneType' object has no attribute 'upper'