[FWaaS]: Not able to delete the firewall with shared policy and unshared rule
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Medium | Koteswara Rao Kelam |
Bug Description
Steps to reproduce:
1. As admin, create a rule r1 (unshared) and associate it with the shared policy p1
2. As tenant1, try to create firewall f1 with policy p1
3. It throws an error but f1 got created
4. We can't even delete the created firewall f1
console:
===============
root@koti-
user1
root@koti-
root@koti-
+------
| id | name | firewall_rules |
+------
| 367ff338-
+------
root@koti-
404-{u'
root@koti-
+------
| id | name | firewall_policy_id |
+------
| 6bd27e5f-
+------
root@koti-
404-{u'
Changed in neutron: assignee: nobody → Eugene Nikanorov (enikanorov)
Changed in neutron: status: New → Confirmed
Changed in neutron: milestone: juno-2 → none
Changed in neutron: milestone: none → juno-rc1; status: Fix Committed → Fix Released
Changed in neutron: milestone: juno-rc1 → 2014.2
The issue here is:
The firewall policy is shared by admin but the rule is not shared. As a result, tenant1 can see the firewall policy but is not able to see the firewall rule.
icega-osc:~# neutron firewall-list
b944-4b53-9a71-9fc098e7f7f2 | f1 | fb957fca-c8e7-47f8-898c-61ff28e5886c |
icega-osc:~# neutron firewall-policy-list
c8e7-47f8-898c-61ff28e5886c | p1 | [99bbf788-5920-48a8-9ad3-7e40ba7f47ed] | <<< policy is listed with rule
icega-osc:~# neutron firewall-rule-list <<< But no rules are listed here.
icega-osc:~#
TENANT1
===============
root@koti-
+------
| id | name | firewall_policy_id |
+------
| 4661bb56-
+------
root@koti-
+------
| id | name | firewall_rules |
+------
| fb957fca-
+------
root@koti-
root@koti-
We can avoid this situation by NOT allowing the following cases:
1. Creating a shared policy with an unshared rule
2. Updating a policy to shared without updating its rules.
So in any case a shared policy should always have shared rules only.
Please share your thoughts.
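
The check proposed in the comment above, sketched as an added example; it is not part of the original bug report and is not neutron's FWaaS code. `FirewallStore`, `Rule`, `Policy` and `SharingConflict` are hypothetical names for an in-memory model, and the `unshare_rule` guard goes beyond the two listed cases while enforcing the same invariant.

```python
# Added example: hypothetical in-memory model, not neutron's FWaaS plugin code.
from dataclasses import dataclass, field


class SharingConflict(Exception):
    """Raised when an operation would leave a shared policy with an unshared rule."""


@dataclass
class Rule:
    id: str
    shared: bool = False


@dataclass
class Policy:
    id: str
    shared: bool = False
    rule_ids: list = field(default_factory=list)


class FirewallStore:
    def __init__(self):
        self.rules, self.policies = {}, {}

    def _check(self, shared, rule_ids):
        # Invariant from the comment: a shared policy holds only shared rules.
        bad = [r for r in rule_ids if not self.rules[r].shared]
        if shared and bad:
            raise SharingConflict(f"unshared rules in shared policy: {bad}")

    def add_rule(self, rule):
        self.rules[rule.id] = rule

    def create_policy(self, policy):
        self._check(policy.shared, policy.rule_ids)  # case 1: create shared policy
        self.policies[policy.id] = policy

    def update_policy(self, policy_id, shared=None, rule_ids=None):
        p = self.policies[policy_id]
        new_shared = p.shared if shared is None else shared
        new_rules = p.rule_ids if rule_ids is None else list(rule_ids)
        self._check(new_shared, new_rules)  # case 2: validated before any write
        p.shared, p.rule_ids = new_shared, new_rules

    def unshare_rule(self, rule_id):
        # Beyond the two listed cases: un-sharing a rule breaks the same invariant.
        users = [p.id for p in self.policies.values() if p.shared and rule_id in p.rule_ids]
        if users:
            raise SharingConflict(f"rule {rule_id} is used by shared policies: {users}")
        self.rules[rule_id].shared = False
```

Rejecting the request before anything is stored is what prevents the state in this report, where the create call returned an error but the firewall already existed.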