[FWaaS]: Not able to delete the firewall with shared policy and unshared rule

Bug #1334981 reported by Koteswara Rao Kelam
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Koteswara Rao Kelam
Milestone:

Bug Description

Steps to reproduce:

1. As admin, create a rule r1 (unshared) and associate it to the shared policy p1
2. As tenant1, try to create firewall f1 with policy p1
3. It throws an error but f1 got created
4. We can't even delete the created firewall f1

console:
===============
root@koti-icega-osc:/usr/share/pyshared/neutron# echo $OS_USERNAME
user1
root@koti-icega-osc:/usr/share/pyshared/neutron#
root@koti-icega-osc:/usr/share/pyshared/neutron# neutron firewall-policy-list
+--------------------------------------+------+----------------------------------------+
| id | name | firewall_rules |
+--------------------------------------+------+----------------------------------------+
| 367ff338-1014-4788-9cd9-d9d60035dd52 | p1 | [d9247da7-b885-4a16-974a-2b56e76f89d1] |
+--------------------------------------+------+----------------------------------------+
root@koti-icega-osc:/usr/share/pyshared/neutron# neutron firewall-create p1 --name f1
404-{u'NeutronError': {u'message': u'Firewall Rule d9247da7-b885-4a16-974a-2b56e76f89d1 could not be found.', u'type': u'FirewallRuleNotFound', u'detail': u''}}<<<<<<<<<<<<<<<<<<<<<<<Got this error but still f1 got created

root@koti-icega-osc:/usr/share/pyshared/neutron# neutron firewall-list
+--------------------------------------+------+--------------------------------------+
| id | name | firewall_policy_id |
+--------------------------------------+------+--------------------------------------+
| 6bd27e5f-c8d9-4d52-a556-2f86e7db5ea5 | f1 | 367ff338-1014-4788-9cd9-d9d60035dd52 |
+--------------------------------------+------+--------------------------------------+

root@koti-icega-osc:/usr/share/pyshared/neutron# neutron firewall-delete f1
404-{u'NeutronError': {u'message': u'Firewall Rule d9247da7-b885-4a16-974a-2b56e76f89d1 could not be found.', u'type': u'FirewallRuleNotFound', u'detail': u''}}<<<<<<<<<<<<<<<<<<<<<<<<this firewall f1 cann't be deleted. I logged into mysql and then deleted.

Changed in neutron:
assignee: nobody → Eugene Nikanorov (enikanorov)
Ilya Shakhat (shakhat)
Changed in neutron:
status: New → Confirmed
Revision history for this message
Koteswara Rao Kelam (koti-kelam) wrote :

The issue here is :

Firewall policy is shared by admin but rule is not shared. As a result, the tenant1 can see firewall policy but not able to see firewall rule.
TENANT1
===============
root@koti-icega-osc:~# neutron firewall-list
+--------------------------------------+------+--------------------------------------+
| id | name | firewall_policy_id |
+--------------------------------------+------+--------------------------------------+
| 4661bb56-b944-4b53-9a71-9fc098e7f7f2 | f1 | fb957fca-c8e7-47f8-898c-61ff28e5886c |
+--------------------------------------+------+--------------------------------------+
root@koti-icega-osc:~# neutron firewall-policy-list
+--------------------------------------+------+----------------------------------------+
| id | name | firewall_rules |
+--------------------------------------+------+----------------------------------------+
| fb957fca-c8e7-47f8-898c-61ff28e5886c | p1 | [99bbf788-5920-48a8-9ad3-7e40ba7f47ed] |<<<<<<<<<<<<policy is listed with rule
+--------------------------------------+------+----------------------------------------+
root@koti-icega-osc:~# neutron firewall-rule-list<<<<<<<<<<<<<<<<<<<<<<<<<<But no rules are listed here.
root@koti-icega-osc:~#

We can avoid this situation by NOT allowing following cases

1. Creating shared policy with unshared rule
2. updating a policy shared without updating its rules.

So in any case shared policy should always have all shared rules only.

Please share your thoughts.

Revision history for this message
Sumit Naiksatam (snaiksat) wrote :

Thanks for catching this. Agree with the approach suggested, a shared policy should not have any shared rules. Koteswara, are you planning to post a patch for this?

Changed in neutron:
importance: Undecided → Medium
milestone: none → juno-2
tags: added: icehouse-backport-potential
Revision history for this message
Koteswara Rao Kelam (koti-kelam) wrote :

Yes. I have the fix. I will submit the patch.

Changed in neutron:
assignee: Eugene Nikanorov (enikanorov) → Koteswara Rao Kelam (koti-kelam)
Kyle Mestery (mestery)
Changed in neutron:
milestone: juno-2 → none
Revision history for this message
Sumit Naiksatam (snaiksat) wrote :

Hi Koteswara, do you intend to pursue this fix?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/115912

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
badveli_vishnuus (badveli-vishnuus) wrote :

Hello Koteswara Rao
Please let us know, we should not allow policy and rule in different modes
Thanks
Vishnu

Revision history for this message
Koteswara Rao Kelam (koti-kelam) wrote :

A shared policy can have shared rules only, but an unshared policy can have shared rules, i.e. if a user wants to share a policy, he should first share all rules associated with that policy and then share the policy. See commit message for more details.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/115912
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0df97dbe070b23763272d85781b9afaede441ef1
Submitter: Jenkins
Branch: master

commit 0df97dbe070b23763272d85781b9afaede441ef1
Author: Koteswara Rao Kelam <email address hidden>
Date: Thu Aug 21 02:33:57 2014 -0700

    shared policy shouldn't have unshared rules

    A shared firewall policy should always have shared rules. So the following
    cases should not be allowed:
    1. Create shared policy with unshared rules
    2. Update policy shared=True when it has unshared rules
    3. Update policy with shared=True and unshared rules
    4. Update shared policy with unshared rules

    Change-Id: I3d71899c328d3fefa96c1f99d6ba706160e445cc
    Closes-bug: 1334981

Changed in neutron:
status: In Progress → Fix Committed
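As an added illustration of the invariant described in Koteswara's comment and in the commit message above (this is example code written for this page, not neutron's FWaaS plugin or the merged patch), the four rejected cases collapse into one check on a toy in-memory store; `visible_rules` and `tenant_can_use_policy` model why tenant1 saw the policy but not its rule, which is what firewall-create and firewall-delete tripped over. Names `FwaasStore`, `FirewallPolicyValidationError` and the tenant ids are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

class FirewallPolicyValidationError(Exception):
    pass
@dataclass
class FirewallRule:
    id: str
    tenant_id: str
    shared: bool = False
@dataclass
class FirewallPolicy:
    id: str
    tenant_id: str
    shared: bool = False
    firewall_rules: List[str] = field(default_factory=list)

class FwaasStore:
    # Toy in-memory store constructed for this example (not neutron's DB layer).
    def __init__(self) -> None:
        self.rules: Dict[str, FirewallRule] = {}
        self.policies: Dict[str, FirewallPolicy] = {}

    def _check_shared_policy(self, shared: bool, rule_ids: List[str]) -> None:
        # The one invariant behind all four rejected cases: a shared policy may only reference shared rules.
        unshared = [rid for rid in rule_ids if not self.rules[rid].shared]
        if shared and unshared:
            raise FirewallPolicyValidationError(
                "shared policy cannot contain unshared rules: %s" % unshared)

    def create_policy(self, policy: FirewallPolicy) -> FirewallPolicy:
        self._check_shared_policy(policy.shared, policy.firewall_rules)  # case 1
        self.policies[policy.id] = policy
        return policy

    def update_policy(self, policy_id: str, shared=None, firewall_rules=None):
        p = self.policies[policy_id]
        new_shared = p.shared if shared is None else shared
        new_rules = p.firewall_rules if firewall_rules is None else firewall_rules
        self._check_shared_policy(new_shared, new_rules)  # cases 2, 3 and 4
        p.shared, p.firewall_rules = new_shared, list(new_rules)
        return p

    def visible_rules(self, tenant_id: str) -> List[str]:
        # What `neutron firewall-rule-list` shows a tenant: its own rules plus shared ones.
        return [r.id for r in self.rules.values() if r.shared or r.tenant_id == tenant_id]

    def tenant_can_use_policy(self, tenant_id: str, policy_id: str) -> bool:
        # firewall-create should be refused up front if any referenced rule is invisible.
        p, visible = self.policies[policy_id], set(self.visible_rules(tenant_id))
        return (p.shared or p.tenant_id == tenant_id) and set(p.firewall_rules) <= visible
```

With the invariant enforced, a tenant that can see a shared policy can always resolve every rule in it, so the FirewallRuleNotFound 404 on create and delete cannot occur.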
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → juno-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: juno-rc1 → 2014.2