Juniper Openstack

Unable to commit security drafts

  1. Series r5.0
  2. Bug #1794954
Bug #1794954 reported by Senthilnathan Murugappan
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R5.0
Fix Committed
High
Édouard Thuleau
Juniper Openstack r5.0.2
Trunk
Fix Committed
High
Édouard Thuleau
Juniper Openstack r5.1.0

Bug Description

Like always i have objects on both local and global scope. Couple of Local scope FWRules refs global scope AG and few Rules doesnt have any AG refs.

It seems we are bailing out if we dont have any AG in the FWR. Please find the traces for more info.

09/28/2018 10:14:50 AM [contrail-api] [ERROR]: __default__ [SYS_ERR]: VncApiError: <type 'exceptions.AttributeError'>
Python 2.7.5: /usr/bin/python
Fri Sep 28 10:14:50 2018

A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.

 /usr/lib/python2.7/site-packages/vnc_cfg_api_server/vnc_cfg_api_server.py in handler_trap_exception(*args=(), **kwargs={})
 2290 (code, err_msg) = status
 2291 raise cfgm_common.exceptions.HttpError(code, err_msg)
 2292 response = handler(*args, **kwargs)
 2293 self._generate_rest_api_response_trace(trace, response)
 2294
response undefined
handler = <bound method VncApiServer.security_policy_draft...i_server.vnc_cfg_api_server.VncApiServer object>>
args = ()
kwargs = {}

 /usr/lib/python2.7/site-packages/vnc_cfg_api_server/vnc_cfg_api_server.py in security_policy_draft(self=<vnc_cfg_api_server.vnc_cfg_api_server.VncApiServer object>)
 4865 self._security_commit_resources(scope_type, parent_type,
 4866 parent_fq_name,
 4867 parent_uuid, pm)
 4868 elif action == 'discard':
 4869 self._security_discard_resources(pm)
parent_uuid = '7edf6871-e9b1-4d58-99ef-cc633447d161'
pm = {'address_groups': [{'to': ['draft-policy-management', 'ctest-TestFirewallDraft_1-17272828-72254403'], 'uuid': '676b11bc-07e0-4fe0-890b-dabc6430cb95'}], 'firewall_policys': [{'to': ['draft-policy-management', 'ctest-TestFirewallDraft_1-17272828-07264327'], 'uuid': '042d0560-3219-4eec-87f1-f50bbbd096a7'}], 'firewall_rules': [{'to': ['draft-policy-management', 'ctest-TestFirewallDraft_1-17272828-18182363'], 'uuid': '2fc18ccc-d16c-4014-878a-6eb97975eb76'}], 'fq_name': ['draft-policy-management'], 'service_groups': [{'to': ['draft-policy-management', 'ctest-TestFirewallDraft_1-17272828-25477628'], 'uuid': 'f771e84b-8dfa-4b50-a864-9bb1e22e3fba'}], 'uuid': 'e1705a2e-f170-4b91-876a-6f9a71c7777e'}

 /usr/lib/python2.7/site-packages/vnc_cfg_api_server/vnc_cfg_api_server.py in _security_commit_resources(self=<vnc_cfg_api_server.vnc_cfg_api_server.VncApiServer object>, scope_type='global_system_config', parent_type='policy-management', parent_fq_name=[u'default-policy-management'], parent_uuid='7edf6871-e9b1-4d58-99ef-cc633447d161', pm={'address_groups': [{'to': ['draft-policy-management', 'ctest-TestFirewallDraft_1-17272828-72254403'], 'uuid': '676b11bc-07e0-4fe0-890b-dabc6430cb95'}], 'firewall_policys': [{'to': ['draft-policy-management', 'ctest-TestFirewallDraft_1-17272828-07264327'], 'uuid': '042d0560-3219-4eec-87f1-f50bbbd096a7'}], 'firewall_rules': [{'to': ['draft-policy-management', 'ctest-TestFirewallDraft_1-17272828-18182363'], 'uuid': '2fc18ccc-d16c-4014-878a-6eb97975eb76'}], 'fq_name': ['draft-policy-management'], 'service_groups': [{'to': ['draft-policy-management', 'ctest-TestFirewallDraft_1-17272828-25477628'], 'uuid': 'f771e84b-8dfa-4b50-a864-9bb1e22e3fba'}], 'uuid': 'e1705a2e-f170-4b91-876a-6f9a71c7777e'})
 4909 uuid = None
 4910 self._holding_backrefs(updates, held_refs, scope_type,
 4911 r_class.object_type, fq_name, draft)
 4912 # Purge pending resource as we re-use the same UUID
 4913 self.internal_request_delete(r_class.object_type,
r_class = <class 'vnc_cfg_api_server.vnc_cfg_types.AddressGroupServer'>
r_class.object_type = 'address_group'
fq_name = [u'default-policy-management', 'ctest-TestFirewallDraft_1-17272828-72254403']
draft = {'display_name': 'ctest-TestFirewallDraft_1-17272828-72254403', 'draft_mode_state': 'created', 'firewall_rule_back_refs': [{'attr': None, 'to': ['default-domain', 'ctest-TestFirewallDraft_1-17272828', 'ctest-TestFirewallDraft_1-17272828-50664007'], 'uuid': '758768d2-f9be-4e55-8c02-db0f3be390e9'}], 'fq_name': ['draft-policy-management', 'ctest-TestFirewallDraft_1-17272828-72254403'], 'id_perms': {'created': '2018-09-28T04:44:02.162180', 'creator': None, 'description': None, 'enable': True, 'last_modified': '2018-09-28T04:44:02.207634', 'permissions': {'group': 'admin', 'group_access': 7, 'other_access': 7, 'owner': 'contrail-api', 'owner_access': 7}, 'user_visible': True, 'uuid': {'uuid_lslong': 9875227110609570709L, 'uuid_mslong': 7452069507698282464}}, 'parent_type': 'policy-management', 'parent_uuid': 'e1705a2e-f170-4b91-876a-6f9a71c7777e', 'perms2': {'global_access': 0, 'owner': 'cloud-admin', 'owner_access': 7, 'share': []}, 'tag_refs': [{'attr': None, 'to': ['label=ag'], 'uuid': 'c3c727de-247d-4def-b633-2fb7ca23d123'}], 'uuid': '676b11bc-07e0-4fe0-890b-dabc6430cb95'}

 /usr/lib/python2.7/site-packages/vnc_cfg_api_server/vnc_cfg_api_server.py in _holding_backrefs(self=<vnc_cfg_api_server.vnc_cfg_api_server.VncApiServer object>, updates=[('create', ('firewall-policy', {'application_policy_set_back_refs': [], 'display_name': 'ctest-TestFirewallDraft_1-17272828-07264327', 'firewall_rule_refs': [{'attr': {...}, 'to': [...], 'uuid': '2fc18ccc-d16c-4014-878a-6eb97975eb76'}], 'fq_name': [u'default-policy-management', 'ctest-TestFirewallDraft_1-17272828-07264327'], 'parent_type': 'policy-management', 'parent_uuid': '7edf6871-e9b1-4d58-99ef-cc633447d161', 'uuid': '042d0560-3219-4eec-87f1-f50bbbd096a7'})), ('create', ('firewall-rule', {'action_list': {'alert': False, 'apply_service': [], 'assign_routing_instance': None, 'gateway_name': None, 'log': False, 'mirror_to': None, 'qos_action': None, 'simple_action': 'pass'}, 'direction': '<>', 'display_name': 'ctest-TestFirewallDraft_1-17272828-18182363', 'endpoint_1': {'address_group': None, 'any': False, 'subnet': None, 'tag_ids': [262149], 'tags': ['global:site=blr'], 'virtual_network': None}, 'endpoint_2': {'address_group': None, 'any': False, 'subnet': None, 'tag_ids': [262149], 'tags': ['global:site=blr'], 'virtual_network': None}, 'fq_name': [u'default-policy-management', 'ctest-TestFirewallDraft_1-17272828-18182363'], 'match_tag_types': {'tag_type': [3]}, 'match_tags': {u'tag_list': ['deployment']}, 'parent_type': 'policy-management', 'parent_uuid': '7edf6871-e9b1-4d58-99ef-cc633447d161', ...})), ('create', ('service-group', {'display_name': 'ctest-TestFirewallDraft_1-17272828-25477628', 'fq_name': [u'default-policy-management', 'ctest-TestFirewallDraft_1-17272828-25477628'], 'parent_type': 'policy-management', 'parent_uuid': '7edf6871-e9b1-4d58-99ef-cc633447d161', 'service_group_firewall_service_list': {u'firewall_service': [{...}]}, 'uuid': 'f771e84b-8dfa-4b50-a864-9bb1e22e3fba'})), ('update', ('firewall-rule', '153d144d-44f9-4383-8bea-d5ad8b9c82f2', {'endpoint_1': {'address_group': u'default-policy-management:ctest-TestFirewallDraft_1-17272828-72254403', 'any': None, 'subnet': None, 'tag_ids': [], 'tags': [], 'virtual_network': None}}))], held_refs=[(('application_policy_set', 'b113d04e-64f4-40c1-b6f7-2e7f1de8eb95', 'ADD', 'firewall_policy'), {'attr': {'sequence': '30'}, 'ref_fq_name': [u'default-policy-management', 'ctest-TestFirewallDraft_1-17272828-07264327']})], scope_type='global_system_config', obj_type='address_group', fq_name=[u'default-policy-management', 'ctest-TestFirewallDraft_1-17272828-72254403'], obj_dict={'display_name': 'ctest-TestFirewallDraft_1-17272828-72254403', 'draft_mode_state': 'created', 'firewall_rule_back_refs': [{'attr': None, 'to': ['default-domain', 'ctest-TestFirewallDraft_1-17272828', 'ctest-TestFirewallDraft_1-17272828-50664007'], 'uuid': '758768d2-f9be-4e55-8c02-db0f3be390e9'}], 'fq_name': ['draft-policy-management', 'ctest-TestFirewallDraft_1-17272828-72254403'], 'id_perms': {'created': '2018-09-28T04:44:02.162180', 'creator': None, 'description': None, 'enable': True, 'last_modified': '2018-09-28T04:44:02.207634', 'permissions': {'group': 'admin', 'group_access': 7, 'other_access': 7, 'owner': 'contrail-api', 'owner_access': 7}, 'user_visible': True, 'uuid': {'uuid_lslong': 9875227110609570709L, 'uuid_mslong': 7452069507698282464}}, 'parent_type': 'policy-management', 'parent_uuid': 'e1705a2e-f170-4b91-876a-6f9a71c7777e', 'perms2': {'global_access': 0, 'owner': 'cloud-admin', 'owner_access': 7, 'share': []}, 'tag_refs': [{'attr': None, 'to': ['label=ag'], 'uuid': 'c3c727de-247d-4def-b633-2fb7ca23d123'}], 'uuid': '676b11bc-07e0-4fe0-890b-dabc6430cb95'})
 5023 for ep_type in ['endpoint_1', 'endpoint_2']:
 5024 if (ep_type in fr and
 5025 fr[ep_type].get('address_group', '').split(
 5026 ':') == obj_dict['fq_name']):
 5027 ept = FirewallRuleEndpointType(
fr = {'endpoint_1': {'address_group': None, 'any': False, 'subnet': None, 'tag_ids': [131078], 'tags': ['tier=web'], 'virtual_network': None}, 'endpoint_2': {'address_group': 'draft-policy-management:ctest-TestFirewallDraft_1-17272828-72254403', 'any': False, 'subnet': None, 'tag_ids': [], 'tags': [], 'virtual_network': None}, 'fq_name': ['default-domain', 'ctest-TestFirewallDraft_1-17272828', 'ctest-TestFirewallDraft_1-17272828-50664007'], 'parent_type': 'project', 'parent_uuid': 'bccc47df-5c10-4781-8e1d-7eddc4e6569b', 'uuid': '758768d2-f9be-4e55-8c02-db0f3be390e9'}
ep_type = 'endpoint_1'
].get undefined
obj_dict = {'display_name': 'ctest-TestFirewallDraft_1-17272828-72254403', 'draft_mode_state': 'created', 'firewall_rule_back_refs': [{'attr': None, 'to': ['default-domain', 'ctest-TestFirewallDraft_1-17272828', 'ctest-TestFirewallDraft_1-17272828-50664007'], 'uuid': '758768d2-f9be-4e55-8c02-db0f3be390e9'}], 'fq_name': ['draft-policy-management', 'ctest-TestFirewallDraft_1-17272828-72254403'], 'id_perms': {'created': '2018-09-28T04:44:02.162180', 'creator': None, 'description': None, 'enable': True, 'last_modified': '2018-09-28T04:44:02.207634', 'permissions': {'group': 'admin', 'group_access': 7, 'other_access': 7, 'owner': 'contrail-api', 'owner_access': 7}, 'user_visible': True, 'uuid': {'uuid_lslong': 9875227110609570709L, 'uuid_mslong': 7452069507698282464}}, 'parent_type': 'policy-management', 'parent_uuid': 'e1705a2e-f170-4b91-876a-6f9a71c7777e', 'perms2': {'global_access': 0, 'owner': 'cloud-admin', 'owner_access': 7, 'share': []}, 'tag_refs': [{'attr': None, 'to': ['label=ag'], 'uuid': 'c3c727de-247d-4def-b633-2fb7ca23d123'}], 'uuid': '676b11bc-07e0-4fe0-890b-dabc6430cb95'}
<type 'exceptions.AttributeError'>: 'NoneType' object has no attribute 'split'
    __class__ = <type 'exceptions.AttributeError'>
    __delattr__ = <method-wrapper '__delattr__' of exceptions.AttributeError object>
    __dict__ = {}
    __doc__ = 'Attribute not found.'
    __format__ = <built-in method __format__ of exceptions.AttributeError object>
    __getattribute__ = <method-wrapper '__getattribute__' of exceptions.AttributeError object>
    __getitem__ = <method-wrapper '__getitem__' of exceptions.AttributeError object>
    __getslice__ = <method-wrapper '__getslice__' of exceptions.AttributeError object>
    __hash__ = <method-wrapper '__hash__' of exceptions.AttributeError object>
    __init__ = <method-wrapper '__init__' of exceptions.AttributeError object>
    __new__ = <built-in method __new__ of type object>
    __reduce__ = <built-in method __reduce__ of exceptions.AttributeError object>
    __reduce_ex__ = <built-in method __reduce_ex__ of exceptions.AttributeError object>
    __repr__ = <method-wrapper '__repr__' of exceptions.AttributeError object>
    __setattr__ = <method-wrapper '__setattr__' of exceptions.AttributeError object>
    __setstate__ = <built-in method __setstate__ of exceptions.AttributeError object>
    __sizeof__ = <built-in method __sizeof__ of exceptions.AttributeError object>
    __str__ = <method-wrapper '__str__' of exceptions.AttributeError object>
    __subclasshook__ = <built-in method __subclasshook__ of type object>
    __unicode__ = <built-in method __unicode__ of exceptions.AttributeError object>
    args = ("'NoneType' object has no attribute 'split'",)
    message = "'NoneType' object has no attribute 'split'"

The above is a description of an error in a Python program. Here is
the original traceback:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vnc_cfg_api_server/vnc_cfg_api_server.py", line 2292, in handler_trap_exception
    response = handler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/vnc_cfg_api_server/vnc_cfg_api_server.py", line 4867, in security_policy_draft
    parent_uuid, pm)
  File "/usr/lib/python2.7/site-packages/vnc_cfg_api_server/vnc_cfg_api_server.py", line 4911, in _security_commit_resources
    r_class.object_type, fq_name, draft)
  File "/usr/lib/python2.7/site-packages/vnc_cfg_api_server/vnc_cfg_api_server.py", line 5025, in _holding_backrefs
    fr[ep_type].get('address_group', '').split(
AttributeError: 'NoneType' object has no attribute 'split'

Senthilnathan Murugappan (msenthil)
tags: added: sanityblocker
Édouard Thuleau (ethuleau)
information type: Proprietary → Public
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/46646
Submitter: Édouard Thuleau (<email address hidden>)

Revision history for this message
Shivayogi Ugaji (shivayogi123) wrote :

Yijie, Edouard is on PTO, Can you please help with back porting this to 5.0 ?

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0

Review in progress for https://review.opencontrail.org/46805
Submitter: Shivayogi Ugaji (<email address hidden>)

Jeba Paulaiyan (jebap)
tags: added: blocker
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/46805
Committed: http://github.com/Juniper/contrail-controller/commit/ad65c5e7f2c861a168907db7cb7f45c7a022311c
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit ad65c5e7f2c861a168907db7cb7f45c7a022311c
Author: Édouard Thuleau <email address hidden>
Date: Tue Oct 2 11:58:07 2018 +0200

[config] Fix TypeError issue when commit security

Fix code to not try to split a None object when commit a global draft
address group with a reference to a project scoped firewall rule in
its endpoint 2.
Also permits to use the saùe address group in the both firewall rule's
endpoints before the draft address group is committed.

Change-Id: Iace2995f6b701e87a2fcbdb7a4656775cc639513
Closes-Bug: #1794954

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/46646
Submitter: Édouard Thuleau (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/46646
Committed: http://github.com/Juniper/contrail-controller/commit/a0b6c2b0f4c8fd48c1138dd2da9336d3270dce93
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit a0b6c2b0f4c8fd48c1138dd2da9336d3270dce93
Author: Édouard Thuleau <email address hidden>
Date: Tue Oct 2 11:58:07 2018 +0200

[config] Fix TypeError issue when commit security

Fix code to not try to split a None object when commit a global draft
address group with a reference to a project scoped firewall rule in
its endpoint 2.
Also permits to use the saùe address group in the both firewall rule's
endpoints before the draft address group is committed.

Change-Id: Iace2995f6b701e87a2fcbdb7a4656775cc639513
Closes-Bug: #1794954

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.