neutron

Cannot delete security group rules with unicode chars in their description

Bug #1788045 reported by James Penick
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack SDK
New
Undecided
Unassigned
neutron
Invalid
Undecided
Unassigned

Bug Description

 Some editing programs, like gdoc, will mutate double quotes to their unicode equivalent if you haven't disabled that feature. If someone accidentally creates a security group rule with a magic quote (due to an errant copy and paste) they could create a security group with a magic double quote in the description.

 Subsequent attempts to delete that rule will fail with "Failed to delete rule with name or ID 'fc52f547-300e-43cd-ae8e-833d856b304a': 'ascii' codec can't encode character u'\u201d' in position 136: ordinal not in range(128)"

 To fix this I had to go into the DB and update the description line to remove the errant magic quote, at which point the delete succeeded.

I'm including the following in case anyone else hits this and wants a quick example of how to fix it:
mysql> use neutron;

mysql> select * from securitygrouprules where id='fc52f547-300e-43cd-ae8e-833d856b304a' \G
*************************** 1. row ***************************
       project_id: 335384b960d53910a94b201fbb78a13a
               id: fc52f547-300e-43cd-ae8e-833d856b304a
security_group_id: e595a97d-1729-4686-b5e7-123b4af30dba
  remote_group_id: e595a97d-1729-4686-b5e7-123b4af30dba
        direction: ingress
        ethertype: IPv4
         protocol: icmp
   port_range_min: 11
   port_range_max: NULL
 remote_ip_prefix: 0.0.0.0/0
 standard_attr_id: 977
1 row in set (0.00 sec)

mysql> select * from standardattributes where id=977;
+-----+--------------------+---------------------+---------------------+---------------+-----------------+
| id | resource_type | created_at | updated_at | description | revision_number |
+-----+--------------------+---------------------+---------------------+---------------+-----------------+
| 977 | securitygrouprules | 2018-08-08 22:37:56 | 2018-08-08 22:37:56 | ICMP Ping” | 0 |
+-----+--------------------+---------------------+---------------------+---------------+-----------------+

1 row in set (0.00 sec)
mysql> update standardattributes set description = "ICMP PING" where id=977;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0

(openstack) security group rule delete fc52f547-300e-43cd-ae8e-833d856b304a
(openstack)

Revision history for this message
Hongbin Lu (hongbin.lu) wrote :

Hi @James,

If I reproduced this issue correct, this doesn't seem to be a neutron bug. In below, I tried to create a security group rule with unicode character. The trace indicated that the error was raised in client side:

  $ RULE_ID=$(openstack security group rule create --protocol "icmp" --remote-ip "0.0.0.0/0" --description "ICMP Ping”" default -c id -f value)

  $ openstack security group rule delete $RULE_ID
  Failed to delete rule with name or ID '576a8d9b-c5db-47aa-bb16-873071ed3f8a': 'ascii' codec can't encode
  character u'\u201d' in position 136: ordinal not in range(128)
  1 of 1 rules failed to delete.

  $ openstack --debug security group rule delete $RULE_ID
  ...
  Traceback (most recent call last):
    File "/usr/local/lib/python2.7/dist-packages/osc_lib/shell.py", line 134, in run
      ret_val = super(OpenStackShell, self).run(argv)
    File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 279, in run
      result = self.run_subcommand(remainder)
    File "/usr/local/lib/python2.7/dist-packages/osc_lib/shell.py", line 169, in run_subcommand
      ret_value = super(OpenStackShell, self).run_subcommand(argv)
    File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 400, in run_subcommand
      result = cmd.run(parsed_args)
    File "/usr/local/lib/python2.7/dist-packages/osc_lib/command/command.py", line 41, in run
      return super(Command, self).run(parsed_args)
    File "/usr/local/lib/python2.7/dist-packages/cliff/command.py", line 184, in run
      return_code = self.take_action(parsed_args) or 0
    File "/usr/local/lib/python2.7/dist-packages/openstackclient/network/common.py", line 120, in take_action
      raise exceptions.CommandError(msg)
  CommandError: 1 of 1 rules failed to delete.

If I directly delete it through REST API, it worked:

  $ curl -i -X DELETE -H "Accept: application/json" -H "X-Auth-Token: $TOKEN"
  "http://10.0.0.15:9696/v2.0/security-group-rules/$RULE_ID"
  HTTP/1.1 204 No Content
  X-Openstack-Request-Id: req-b042e293-2b00-4a45-a19f-f50566e236af
  Content-Length: 0
  Date: Tue, 21 Aug 2018 19:16:58 GMT

Revision history for this message
Hongbin Lu (hongbin.lu) wrote :

I am going to mark this bug as "invalid" since it doesn't seem to be a neutron bug.

Changed in neutron:
status: New → Invalid
Revision history for this message
Hongbin Lu (hongbin.lu) wrote :

FYI, this bug is forwarded to openstacksdk: https://storyboard.openstack.org/#!/story/2003517

Revision history for this message
James Penick (penick) wrote :

Ah, you're right. Thank you, and sorry for the confusion.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.