Comment 2 for bug 1738279

https://github.com/Juniper/contrail-controller/blob/R3.2/src/config/vnc_openstack/vnc_openstack/__init__.py#L1079
https://github.com/Juniper/contrail-controller/blob/R3.2/src/config/vnc_openstack/vnc_openstack/neutron_plugin_interface.py#L614
https://github.com/Juniper/contrail-controller/blob/R3.2/src/config/vnc_openstack/vnc_openstack/neutron_plugin_interface.py#L584
https://github.com/Juniper/contrail-controller/blob/R3.2/src/config/vnc_openstack/vnc_openstack/neutron_plugin_db.py#L4628
https://github.com/Juniper/contrail-controller/blob/R3.2/src/config/vnc_openstack/vnc_openstack/neutron_plugin_db.py#L1265
https://github.com/Juniper/contrail-controller/blob/R3.2/src/config/vnc_openstack/vnc_openstack/neutron_plugin_db.py#L395

def _security_group_rule_create(self, sg_id, sg_rule)
sg_vnc = self._vnc_lib.security_group_read(id=sg_id)
#read the group - API request 1
rules = sg_vnc.get_security_group_entries()
#get the rules from the group
rules.add_policy_rule(sg_rule)
#add sg_rule to SG rules
sg_vnc.set_security_group_entries(rules)
#prepare object for update
self._vnc_lib.security_group_update(sg_vnc)
#update SG - API request 2

If there was API request to update the same SG with self._vnc_lib.security_group_update(sg_vnc), adding rule 5 on existing 4 rules, and if landed in time between API request 1 and API request 2 above, then it will be lost. It's because of the time for "API request 1" there were 4 rules.

API returns 200/OK as it's doing correctly what was requested - to update SG adding rules one by one.

Solution could be to accept the list or rules, loop it and do rules.add_policy_rule(sg_rule),
but we'll need a new methods as we're sending only one rule in existing ones.