Creating SG rule specifying BOTH remote_ip_prefix and remote_group_id should NOT be allowed

Bug #1435160 reported by Om Prakash Pandey
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | Fix Committed | Medium | Unassigned |
OpenContrail | Fix Committed | Medium | Unassigned |

Bug Description

Contrail allows creating a security group rule that specifies BOTH remote_ip_prefix and remote_group_id. This should NOT be allowed, as is the case in OVS.

I find the below tempest test failing in an environment with Contrail configured. This is a negative test and, as per the scenario, trying to create an SG rule with both remote_ip_prefix and remote_group_id shouldn't be allowed.

tempest.api.network.test_security_groups_negative.NegativeSecGroupTest.test_create_security_group_rule_with_remote_ip_and_group

I have tried the test scenario in the CLI as well:

omp@st7:~$ neutron security-group-rule-create --direction ingress --protocol tcp --port_range_min 22 --port_range_max 22 --remote-ip-prefix 0.0.0.0/0 --remote-group-id d7334fc1-4d2a-41f7-be0d-07afeba20778 omSecGrp
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | 1d38dd35-09ee-4ac8-b174-7af45be9c5f5 |
| port_range_max | 22 |
| port_range_min | 22 |
| protocol | tcp |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | 8b183d95-2251-4c89-8d47-e8c59f5f675e |
| tenant_id | ee61323896a34bea9c9a5623fbb6f239 |
+-------------------+--------------------------------------+

Trying to do the same in devstack is NOT allowed. It throws an error:
ubuntu@ubuntu:~/devstack$ neutron security-group-rule-create --direction ingress --protocol tcp --port_range_min 22 --port_range_max 22 --remote-ip-prefix 0.0.0.0/0 --remote-group-id 1d928a0b-2b4f-4b63-a949-03f6ed31cb3d omSecGrp

"Only remote_ip_prefix or remote_group_id may be provided."

information type: Proprietary → Public
affects: juniperopenstack → opencontrail
tags: added: security-group tempest
Changed in juniperopenstack:
importance: Undecided → Medium
Changed in opencontrail:
importance: Undecided → Medium
tags: added: config neutronapi
OpenContrail Admin (ci-admin-f) wrote : master

Review in progress for https://review.opencontrail.org/8658
Submitter: Sachin Bansal (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/8658
Committed: http://github.org/Juniper/contrail-controller/commit/983ce2bd86c70901add1ec2d12b396a27ae806b2
Submitter: Zuul
Branch: master

commit 983ce2bd86c70901add1ec2d12b396a27ae806b2
Author: Sachin Bansal <email address hidden>
Date: Wed Mar 25 11:26:41 2015 -0700

Raise error if both remote ip and remote group are specified

Change-Id: I2452d70068d8ad660ddd044c429dff2f027b2c15
Closes-Bug: 1435160

Changed in juniperopenstack:
status: New → Fix Committed
Changed in opencontrail:
status: New → Fix Committed
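
An added example, not code from the report or from the Contrail fix: a client-side pre-flight check that rejects a rule request naming both remote fields with the message devstack returns, plus a comparison of request and created rule that flags the silently dropped remote_group_id seen in the Contrail output. The function names and sample dicts are assumptions constructed for illustration.

```python
import ipaddress

# Error text quoted from the devstack output in the report.
BOTH_REMOTES_MSG = "Only remote_ip_prefix or remote_group_id may be provided."


class InvalidRule(ValueError):
    """Raised when a rule request must be rejected before it is stored."""


def validate_rule_request(rule):
    """Reject a security-group-rule request that sets both remote fields.

    `rule` is a dict shaped like the request body (assumed layout);
    None and "" both count as "not provided".
    """
    prefix = rule.get("remote_ip_prefix") or None
    group = rule.get("remote_group_id") or None
    if prefix and group:
        raise InvalidRule(BOTH_REMOTES_MSG)
    if prefix:
        # Raises ValueError on a malformed CIDR; host bits are tolerated.
        ipaddress.ip_network(prefix, strict=False)
    return {**rule, "remote_ip_prefix": prefix, "remote_group_id": group}


def dropped_fields(requested, created):
    """Return remote fields the caller set that the stored rule lacks.

    This is the symptom in the Contrail output above: the request named a
    remote group, but the created rule shows an empty remote_group_id.
    """
    watched = ("remote_ip_prefix", "remote_group_id")
    return [f for f in watched
            if (requested.get(f) or None) and not (created.get(f) or None)]


# Constructed sample mirroring the CLI call and its result in the report.
REQUEST = {"direction": "ingress", "protocol": "tcp",
           "port_range_min": 22, "port_range_max": 22,
           "remote_ip_prefix": "0.0.0.0/0",
           "remote_group_id": "d7334fc1-4d2a-41f7-be0d-07afeba20778"}
CREATED = {**REQUEST, "remote_group_id": ""}

if __name__ == "__main__":
    print("dropped by backend:", dropped_fields(REQUEST, CREATED))
    try:
        validate_rule_request(REQUEST)
    except InvalidRule as exc:
        print("rejected:", exc)
```

Running `dropped_fields` against rules already stored on an affected deployment shows which ones were created with a wider source than the caller asked for.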