Can't create a firewall for admin tenant when at least one other tenant has a firewall

Bug #1258438 reported by Tomoko Inoue
This bug affects 2 people
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Akihiro Motoki

Bug Description

Only one firewall is allowed per tenant. This works as expected for non-admin tenants.

When a new firewall is added in the context of admin, this fails if some other tenant already has a firewall. This is because 'get_firewalls_count' returns the sum of all firewalls in the system. Addition of a new firewall for admin fails with the following error message.

500-{u'NeutronError': {u'message': u'Exceeded allowed count of firewalls for tenant tenant-2. Only one firewall is supported per tenant.', u'type': u'FirewallCountExceeded', u'detail': u''}}

fwaas_plugin.py
----------------
def create_firewall(self, context, firewall):
        LOG.debug(_("create_firewall() called"))
        tenant_id = self._get_tenant_id_for_create(context,
                                                   firewall['firewall'])
        fw_count = self.get_firewalls_count(context)
        if fw_count:
            raise FirewallCountExceeded(tenant_id=tenant_id)
----------------

=> fw_count = self.get_firewalls_count(context)

In the context of admin, the function counts other tenants' firewalls.

Changed in neutron:
assignee: nobody → Tomoko Inoue (inoue-tomoko)
Akihiro Motoki (amotoki)
tags: added: fwaas
Changed in neutron:
status: New → Confirmed
importance: Undecided → High
milestone: none → icehouse-2
tags: added: havana-backport-potential
Rajesh Mohan (rajesh.mohan) wrote :

Tomoko,

I tested this on a fresh setup. I could create firewalls on multiple tenants. I used the latest code from the trunk.

Can you update the bug with more information to recreate it? It seems to work on the current code. Did you try it on a specific branch?

Thanks,
-Rajesh Mohan

Akihiro Motoki (amotoki) wrote :

Hi Rajesh,

The easiest way to reproduce in devstack is as follows:

(1) Create a firewall with demo tenant.
(2) Try to create a firewall with admin tenant but it fails.

When get_firewalls_count is called with admin context, it returns the number of firewalls of all tenants. This is the cause of the bug.

Sumit Naiksatam (snaiksat) wrote :

Akihiro, so this issue is only with creating firewalls as admin tenant, when at least one other tenant has a firewall. If so, the bug report should be changed to state accordingly.

Tomoko Inoue (inoue-tomoko) wrote :

Hi Rajesh, Akihiro and Sumit

Thank you for your comments.
That's true enough.
I tried to create a second firewall as admin when I found the bug.
I will add a sentence or two to make the explanation clear.

description: updated
description: updated
summary: - Can't create a firewall per tenant
+ Can't create a firewall for admin tenant when at least one other tenant
+ has a firewall
Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/62600

Thierry Carrez (ttx)
Changed in neutron:
milestone: icehouse-2 → icehouse-3
Thierry Carrez (ttx)
Changed in neutron:
milestone: icehouse-3 → icehouse-rc1
Akihiro Motoki (amotoki) wrote :

There has been no progress for a long time. The RC phase has started, so I will take this.

Changed in neutron:
assignee: Tomoko Inoue (inoue-tomoko) → Akihiro Motoki (amotoki)
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/80715
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6c2bec5d9e40c68c75cc56e077e2af97d1359d20
Submitter: Jenkins
Branch: master

commit 6c2bec5d9e40c68c75cc56e077e2af97d1359d20
Author: Akihiro Motoki <email address hidden>
Date: Sat Mar 15 07:57:34 2014 +0900

    Ensure to count firewalls in target tenant

    Previously admin tenant cannot create a firewall if other tenant
    already created a firewall. We need to count firewalls only in
    a target tenant.

    Change-Id: I3e6d151d00d4a487bdd858e94929fab8960511a2
    Closes-Bug: #1258438

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: icehouse-rc1 → 2014.1
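
The counting bug and the tenant-scoped check described in this report, as an added example that is not neutron's code or the merged patch. `Context`, `FirewallStore`, `create_buggy`, `create_scoped` and `reproduce` are hypothetical stand-ins, and passing a `filters` argument to scope the count is an assumption made for the illustration.

```python
from dataclasses import dataclass

# Simplified stand-ins constructed for this example, not neutron's classes.
class FirewallCountExceeded(Exception):
    pass

@dataclass(frozen=True)
class Context:
    tenant_id: str
    is_admin: bool = False

class FirewallStore:
    def __init__(self):
        self.rows = []  # one tenant_id entry per existing firewall

    def count(self, context, filters=None):
        # Non-admin queries are scoped to the caller's tenant; an admin
        # context sees every tenant's rows, as the report describes.
        rows = [t for t in self.rows
                if context.is_admin or t == context.tenant_id]
        if filters and "tenant_id" in filters:
            rows = [t for t in rows if t in filters["tenant_id"]]
        return len(rows)

    def create_buggy(self, context, tenant_id):
        if self.count(context):  # counts all tenants when admin
            raise FirewallCountExceeded(tenant_id)
        self.rows.append(tenant_id)

    def create_scoped(self, context, tenant_id):
        # Count only the target tenant's firewalls, whoever the caller is.
        if self.count(context, filters={"tenant_id": [tenant_id]}):
            raise FirewallCountExceeded(tenant_id)
        self.rows.append(tenant_id)

def reproduce(create_name):
    """Steps from the thread: demo creates a firewall, then admin tries."""
    store = FirewallStore()
    create = getattr(store, create_name)
    create(Context("demo"), "demo")
    try:
        create(Context("admin", is_admin=True), "admin")
    except FirewallCountExceeded:
        return "admin blocked"
    return "admin created"

if __name__ == "__main__":
    print(reproduce("create_buggy"), "/", reproduce("create_scoped"))
```

The scoped check still enforces the one-firewall-per-tenant limit when an admin context creates a firewall on behalf of a tenant that already has one.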