Incorrect permissions on __no_rule__ security group
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R3.2 | Fix Committed | Undecided | Édouard Thuleau |
Trunk | Fix Committed | Undecided | Édouard Thuleau |
OpenContrail | Fix Committed | Undecided | Édouard Thuleau |
Bug Description
When we tried to create a new port through the neutron client with --no-security-
global RefsExistError = <class 'cfgm_common.
content = u"['default-
<class 'cfgm_common.
args = (u"['default-
message = u"['default-
The above is a description of an error in a Python program. Here is
the original traceback:
Traceback (most recent call last):
File "/usr/lib/
response = handler(*args, **kwargs)
File "/usr/lib/
return self.plugin_
File "/usr/lib/
net_info = cfgdb.port_
File "/usr/lib/
return func(self, *args, **kwargs)
File "/usr/lib/
port_obj = self._port_
File "/usr/lib/
sg_obj = self._get_
File "/usr/lib/
sg_obj = self._create_
File "/usr/lib/
sg_uuid = self._vnc_
File "/usr/lib/
data = json_body)
File "/usr/lib/
retry_
File "/usr/lib/
raise RefsExistError(
RefsExistError: ['default-domain', 'default-project', '__no_rule__'] already exists with uuid: 09e7b601-
After some investigation we found out that there is a __no_rule__ security group already present in the default OpenContrail tenant, but only the user admin with role admin can use it. Also, every time we manually deleted the __no_rule__ security group, port create with --no-security-
Steps to reproduce this bug:
1. Source RC file for any user other than user admin
2. neutron port-create --no-security-
3. neutron port-create --no-security-
It may succeed the first time, when the __no_rule__ security group is newly created, but it will always fail the next time.
Host OS: Ubuntu 14.04
OpenStack distribution: Kilo
OpenContrail version: 2.21
neutron plugin: v2
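A simplified model of the failure described above, added here as an illustration; it is not OpenContrail code and not part of the original report. It assumes the lookup honours per-user read permission while name uniqueness is enforced globally, and that the plugin follows the get-then-create order visible in the traceback. `ConfigStore`, `get_no_rule_sg` and `port_create_outcomes` are hypothetical names, and the exception classes are stand-ins named after the one in the traceback.

```python
import uuid


# Stand-ins for illustration only; these are not the cfgm_common classes.
class NoIdError(Exception):
    pass


class RefsExistError(Exception):
    pass


NO_RULE = ("default-domain", "default-project", "__no_rule__")


class ConfigStore:
    """Toy store: names are unique globally, reads are filtered per caller."""

    def __init__(self):
        self._by_name = {}  # fq_name -> uuid

    def read(self, fq_name, caller):
        # Assumption taken from the report: only admin can use the group,
        # so for anyone else an existing object looks like a missing one.
        if fq_name not in self._by_name or caller != "admin":
            raise NoIdError(fq_name)
        return self._by_name[fq_name]

    def create(self, fq_name):
        # Uniqueness is checked without regard to who is asking.
        if fq_name in self._by_name:
            raise RefsExistError("%s already exists with uuid: %s"
                                 % (list(fq_name), self._by_name[fq_name]))
        self._by_name[fq_name] = str(uuid.uuid4())
        return self._by_name[fq_name]


def get_no_rule_sg(store, caller):
    """Get-or-create: look the group up and create it on a miss."""
    try:
        return store.read(NO_RULE, caller)
    except NoIdError:
        return store.create(NO_RULE)


def port_create_outcomes(caller, attempts=2):
    """Return 'ok' or the exception name for each consecutive attempt."""
    store, outcomes = ConfigStore(), []
    for _ in range(attempts):
        try:
            get_no_rule_sg(store, caller)
            outcomes.append("ok")
        except RefsExistError as exc:
            outcomes.append(type(exc).__name__)
    return outcomes
```

In this model a non-admin caller gets `['ok', 'RefsExistError']` and admin gets `['ok', 'ok']`, matching the reproduction steps: the permission-filtered read hides the existing object, so the code falls through to a create that the global name check rejects.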
description: updated
Changed in juniperopenstack:
assignee: nobody → Sachin Bansal (sbansal)
tags: added: config
Changed in juniperopenstack:
importance: Undecided → High
Changed in juniperopenstack:
assignee: Sachin Bansal (sbansal) → Édouard Thuleau (ethuleau)
Changed in opencontrail:
assignee: nobody → Édouard Thuleau (ethuleau)
Changed in opencontrail:
status: New → Fix Committed
tags: added: dt
Workaround is to disable auth for contrail-api in /etc/contrail/contrail-api.conf:
multi_tenancy=False
Then other users can see the __no_rule__ security group.