Creating SG rule specifying BOTH remote_ip_prefix and remote_group_id should NOT be allowed
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Juniper Openstack |
Fix Committed
|
Medium
|
Unassigned | ||
OpenContrail |
Fix Committed
|
Medium
|
Unassigned |
Bug Description
Contrail allows to create a security group rule with specifying BOTH remote_ip_prefix and remote_group_id. This should NOT be allowed as is the case in OVS.
I find the below tempest test failing in environment with Contrail configured. This is a Negative test and as per the scenario trying to create SG rule with both remote_ip_prefix and remote_group_id shouldn't be allowed.
tempest.
I have tried the test scenario in the CLI as well:
omp@st7:~$ neutron security-
Created a new security_
+------
| Field | Value |
+------
| direction | ingress |
| ethertype | IPv4 |
| id | 1d38dd35-
| port_range_max | 22 |
| port_range_min | 22 |
| protocol | tcp |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | 8b183d95-
| tenant_id | ee61323896a34be
+------
Trying to do the same in devstack is NOT allowed. It throws an error:
ubuntu@
"Only remote_ip_prefix or remote_group_id may be provided."
information type: | Proprietary → Public |
affects: | juniperopenstack → opencontrail |
tags: | added: security-group tempest |
Changed in juniperopenstack: | |
importance: | Undecided → Medium |
Changed in opencontrail: | |
importance: | Undecided → Medium |
tags: | added: config neutronapi |
Review in progress for https:/ /review. opencontrail. org/8658
Submitter: Sachin Bansal (<email address hidden>)