security-groups rule add does not handle "any" protocol or port (while neutron allows it)

Bug #1669467 reported by Yves-Gwenael Bourhis
This bug affects 2 people
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: High
Assigned to: Akihiro Motoki

Bug Description

Neutron allows setting port or protocol wildcard by not specifying any value for them.

For example, these are allowed by neutron:

    neutron security-group-rule-create --direction egress <sec_group_id>
    neutron security-group-rule-create --direction egress --protocol tcp <sec_group_id>

Currently horizon does not allow leaving the port unspecified and does not mention that we can leave the protocol field empty as a wildcard, meaning that the above commands cannot be performed via horizon.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/440621

Changed in horizon:
assignee: nobody → Yves-Gwenael Bourhis (yves-gwenael-bourhis)
status: New → In Progress
Lajos Katona (lajos-katona) wrote :

Hi,
You can use the All TCP or All UDP rules and that has the same feature as the wildcards in the CLI.

Changed in horizon:
assignee: Yves-Gwenael Bourhis (yves-gwenael-bourhis) → Akihiro Motoki (amotoki)
Yves-Gwenael Bourhis (yves-gwenael-bourhis) wrote :

ALL TCP/UDP does not handle the request like `neutron security-group-rule-create --direction egress --protocol tcp <sgid>` would.

Indeed, after creating a rule with `neutron security-group-rule-create --direction egress --protocol tcp <sgid>` you see in horizon:

    Egress IPv4 TCP 1 - None 0.0.0.0/0 -

With ALL TCP the created rule is seen this way:

    Egress IPv4 TCP Any 0.0.0.0/0

In CLI here are the differences when issuing a security-group-show:
http://paste.openstack.org/show/602511/

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/440621
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=87337ff255b581a57809e7ea9d901c00b3514d45
Submitter: Jenkins
Branch: master

commit 87337ff255b581a57809e7ea9d901c00b3514d45
Author: Yves-Gwenael Bourhis <email address hidden>
Date: Thu Mar 2 16:13:18 2017 +0100

    Allow any port or protocol in security group rules

    Neutron allows setting port or protocol wildcard by not specifying any value
    for them.

    Example, these are allowed by neutron:

        neutron security-group-rule-create --direction egress <sgid>
        neutron security-group-rule-create --direction egress --protocol tcp <sgid>

    Specifying '-1' for IP protocol means a wildcard IP protocol.
    validate_ip_protocol is updated accordingly.

    'All ports' choice is added to 'Open Port' field.

    Change-Id: I4a7262eda89e3206c743fee14c78aa6b49308ce6
    Closes-Bug: 1669467

Changed in horizon:
status: In Progress → Fix Released
Changed in horizon:
milestone: none → pike-1
importance: Undecided → High
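
The wildcard semantics described in the commit message above ('-1' for IP protocol means any protocol, and a rule without a port covers all ports), as an added example that is not Horizon's or Neutron's own code. The function names are hypothetical, the dict keys are the fields of Neutron's security-group-rule resource, and restricting ports to named tcp/udp is a simplification made here.

```python
# Added example; function and constant names are hypothetical, not Horizon code.
WILDCARD = -1  # the commit message: '-1' for IP protocol means a wildcard
NAMED_PROTOCOLS = ("tcp", "udp", "icmp")


def validate_ip_protocol_number(value):
    """Accept -1 (wildcard) or an IP protocol number in 0..255."""
    number = int(value)  # raises ValueError on non-numeric input
    if number != WILDCARD and not 0 <= number <= 255:
        raise ValueError("IP protocol must be -1 or 0..255, got %r" % (value,))
    return number


def build_rule_body(sg_id, direction, protocol=WILDCARD, port=None):
    """Build a security-group-rule dict; a wildcard is an unset (None) field."""
    if direction not in ("ingress", "egress"):
        raise ValueError("direction must be 'ingress' or 'egress'")
    rule = {"security_group_id": sg_id, "direction": direction,
            "ethertype": "IPv4", "protocol": None,
            "port_range_min": None, "port_range_max": None}
    if isinstance(protocol, str) and protocol.lower() in NAMED_PROTOCOLS:
        rule["protocol"] = protocol.lower()
    else:
        number = validate_ip_protocol_number(protocol)
        if number != WILDCARD:
            rule["protocol"] = number
    if port is not None:
        # Simplification for this example: ports only with named tcp/udp.
        if rule["protocol"] not in ("tcp", "udp"):
            raise ValueError("a port needs protocol tcp or udp")
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError("port must be in 1..65535")
        rule["port_range_min"] = rule["port_range_max"] = port
    return rule


def wildcards(rule):
    """List which dimensions of a rule are open, for review before applying."""
    ports_open = rule["port_range_min"] is None and rule["port_range_max"] is None
    open_dims = {"protocol": rule["protocol"] is None, "ports": ports_open}
    return [name for name, is_open in open_dims.items() if is_open]


if __name__ == "__main__":
    for proto in (WILDCARD, "tcp"):  # the two CLI commands in the report
        print(wildcards(build_rule_body("sg-example", "egress", proto)))
```

Listing the open dimensions before a rule is submitted makes it visible when an empty form field will produce an any-protocol or all-ports rule.
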
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 12.0.0.0b1

This issue was fixed in the openstack/horizon 12.0.0.0b1 development milestone.

Peter (fazy) wrote :

Hi! I wrote a duplicate about this (#1711319) but I reply here since the page asked me to update only if it's not a duplicate...

So if possible, I would like to ask for a backport to Ocata (or maybe Newton), since we are planning to upgrade our Mitaka soon (in separate steps, release by release), but not to Pike.

Thanks,
 Peter ERDOSI
