Need to allow specifying both service type and service group in a firewall rule

Bug #1762517 reported by Senthilnathan Murugappan
This bug affects 1 person
Affects: Juniper Openstack (status tracked in Trunk)
  R5.0: Status Fix Committed, Importance High, Assigned to Suresh Akula
  Trunk: Status Fix Committed, Importance High, Assigned to Suresh Akula

Bug Description

Due to https://github.com/Juniper/contrail-controller/commit/4058f109f4ef86d271532be4ee3e5a59d7498afc#diff-cbe7aab1b81a714bef717cdd0839a497R1985

If a user wants to update a FW-Rule with a service property specified to service-group refs, he won't be able to; we should at least allow the user to specify both.

Believe in agent, it would be an AND operation of all services, hope that is fine.

tags: added: ui
Senthilnathan Murugappan (msenthil) wrote :

If using VncApi the recommended way is to use set_service_group_list() rather than add_service_group().

Reason:
Add service group would split the firewall-rule update call into a "PUT on FWRule Object" to remove the service property and a "POST on ref-update" to link Service-Group and Firewall-Rule, whereas set_service_group_list() would make a single API call with both the ref update and the service property removed, so we don't need any change on the Contrail config REST API server side.

ToDo:
Contrail UI needs to adapt to set_service_group_list() so reassigning to UI team.

Suresh Akula (surakula) wrote :

Instead of checking the object... can we check the object size? From the UI we are sending an empty object if we edit Service Property to Service Group.

Update from Service Property to Service Group object, sample JSON:

{"firewall-rule":{"endpoint_1":{"virtual_network":null,"address_group":null,"any":true,"tags":[]},"endpoint_2":{"virtual_network":null,"address_group":null,"any":true,"tags":[]},

"service_group_refs":[{"to":["default-policy-management","sg1"]}],
"service":{},

"action_list":{"simple_action":"pass"},"security_logging_object_refs":[],"direction":"<>","match_tags":{"tag_list":[]},"uuid":"04abb9b9-706d-44fd-bcb2-051e98e9e9ae"}}
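
Added example, not part of the original comments or the Contrail code base: a Python sketch contrasting a presence-style check with the size-based check suggested above, run over a trimmed copy of the sample payload. The function names, and the rule that null-only members count as empty, are assumptions.

```python
import json

# Constructed sample: the payload from the comment above, trimmed to the relevant keys.
SAMPLE_UPDATE = json.loads("""
{"firewall-rule": {
  "service_group_refs": [{"to": ["default-policy-management", "sg1"]}],
  "service": {},
  "action_list": {"simple_action": "pass"},
  "uuid": "04abb9b9-706d-44fd-bcb2-051e98e9e9ae"}}
""")


def is_present(value):
    """Presence-style check (hypothetical): any non-null value counts as set."""
    return value is not None


def is_populated(value):
    """Size-style check: empty containers and null-only members count as unset."""
    if isinstance(value, dict):
        return any(is_populated(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(is_populated(v) for v in value)
    if isinstance(value, str):
        return value != ""
    return value is not None


def service_match_mode(body, is_set=is_populated):
    """Return which service selector a firewall-rule body carries."""
    rule = body.get("firewall-rule", {})
    has_service = is_set(rule.get("service"))
    has_group = is_set(rule.get("service_group_refs"))
    if has_service and has_group:
        return "both"
    if has_service:
        return "service"
    return "service-group" if has_group else "none"


if __name__ == "__main__":
    print("presence check:", service_match_mode(SAMPLE_UPDATE, is_present))
    print("size check:    ", service_match_mode(SAMPLE_UPDATE, is_populated))
```

With the sample payload, the presence-style check reports both selectors because of the empty "service" object, while the size-based check reports only the service group.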

OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0

Review in progress for https://review.opencontrail.org/42136
Submitter: Suresh Akula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/42137
Submitter: Suresh Akula (<email address hidden>)


OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/42137
Committed: http://github.com/Juniper/contrail-web-controller/commit/df302565b5d6077abef9b52fbf61e275c1d3c6fb
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit df302565b5d6077abef9b52fbf61e275c1d3c6fb
Author: Suresh Akula <email address hidden>
Date: Wed Apr 18 16:55:27 2018 -0700

Contrail Security Firewall Rule:
  Fixed: Need to allow specifying both service type and service group in a firewall rule.
Added new bypass method to update firewall rule, update service property with Service Group Refs

Change-Id: If25d9b38076b1a8b4c9b0bc0c3ece2a63080a742
Closes-Bug: #1762517

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/42136
Committed: http://github.com/Juniper/contrail-web-controller/commit/8b0b87b68336c58b208f3bc5a5ced78a27922ad4
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit 8b0b87b68336c58b208f3bc5a5ced78a27922ad4
Author: Suresh Akula <email address hidden>
Date: Wed Apr 18 16:55:27 2018 -0700

Contrail Security Firewall Rule:
  Fixed: Need to allow specifying both service type and service group in a firewall rule.
Added new bypass method to update firewall rule, update service property with Service Group Refs

Change-Id: If25d9b38076b1a8b4c9b0bc0c3ece2a63080a742
Closes-Bug: #1762517
