Edit Instance Security Group throws an Error

Fix proposed to branch: master
Review: https://review.openstack.org/39940

This is important to be fixed in Havana RC1. If we don't have a response from the author, I will take this bug.

On the other hand, we have a patch for bug 1203413 to change from security group name to security group id (when launching an instance) to avoid issues with Neutron -- will this cause problems when using nova networking?

Thanks for pointing this. When looking around the bugs and reviews, I found bug 1203413 too.

With Neutron security group, we need to use ID as security group identifier. (bug 1203413 is correct).
What I haven't investigated is whether nova accepts security group ID in editing security groups for a instance.

There are three cases with security group. Very tricky...
(a1) nova security group API with nova-network backend
(a2) nova security group API with neutron backend
(b) neutron security group API (with neutron)

IMO we must cover at least (a1) and (b) and (a2) is optional.

If nova accepts ID, the solution of bug 1203413 is best.
Otherwise, (as a workaround) sg.name is copied to sg.id in SecurityGroupManager in api/nova.py.

However, if nova does not accept security group ID, (a1) and (a2) cannot be coexist and it seems to be a bug of Nova.

I will continue to investigate the situation tomorrow.

For Nova you can only add or remove security groups from an instance by name:

https://github.com/openstack/nova/blob/50482bed857e916a178d3e664d1c8d3c40ce9e0d/nova/api/openstack/compute/contrib/security_groups.py#L484
https://github.com/openstack/nova/blob/50482bed857e916a178d3e664d1c8d3c40ce9e0d/nova/compute/api.py#L3453

Nova has a separate security group implementation for Neutron security groups, which interprets the "name" passed in through the API as either id or name:

https://github.com/openstack/nova/blob/50482bed857e916a178d3e664d1c8d3c40ce9e0d/nova/network/security_group/neutron_driver.py#L365

For the (a1) case there is a relatively simple fix in api/nova.py, see my comments here:

https://review.openstack.org/#/c/39940/3/openstack_dashboard/api/nova.py

I think that fix is sufficient to resolve this bug.

After I reviewed nova code and horizon openstack_dashboard/api,
my conclusion is:

- For (a1) case, the fix Kieran mentioned above fixes the bug. It is sufficient.

- For (b) (neutron) there is no need to change.

- For (a2), this case should be removed. At now the backend security group implementation is determined by the config option (enable_security_group), so there is a possibility of (a2). If we determine the backend by neutron security group extension is enabled or not, we no longer need to consider (a2).

The action items are:
- to update https://review.openstack.org/#/c/39940 . This bug can be closed by this patch.
- to remove enable_security_group config option and determine the security group backend by considering neutron security group is enabled or not. I will file a bug about it.

I filed a bug 1227804 to remove enable_secuirty_group config option.

Fix proposed to branch: master
Review: https://review.openstack.org/47512

Reviewed: https://review.openstack.org/47512
Committed: http://github.com/openstack/horizon/commit/d1d0e465ebe30845bf15a005d6b26b9a70aadabd
Submitter: Jenkins
Branch: master

commit d1d0e465ebe30845bf15a005d6b26b9a70aadabd
Author: Akihiro MOTOKI <email address hidden>
Date: Fri Sep 20 03:52:23 2013 +0900

    Fix Instance secgroup update error with Nova secgroup

    Nova add/remove_security_group takes secgroup name instead of id.
    Add api test for update_instance_security_group in api.nova.

    Change the parameter name "new_sgs" of server_update_security_groups
    to "new_security_group_ids" to clarify it takes ID as a parameter.

    Based on the initial patch in https://review.openstack.org/#/c/39940

    Change-Id: I8d9b6f5c22eee5adbaea51ce352483ab74f488f6
    Closes-Bug: #1207184