Unsharing a shared policy/rule should not be allowed when it is in use by another tenant
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Low | Koteswara Rao Kelam |
Bug Description
Steps to reproduce:
1. As admin, create a shared policy p1 with shared rule r1
2. As tenant1, create a firewall f1 with policy p1
3. As admin, update p1 and r1 as unshared -- Actually, it should not be allowed as they are in use, but it is allowed in Icehouse GA
4. As tenant1, try to delete f1. It fails with the following error
Console of tenant1
=======
root@koti-
Created a new firewall:
+------
| Field | Value |
+------
| admin_state_up | True |
| description | |
| firewall_policy_id | 367ff338-
| id | 1665bbf3-
| name | f1 |
| status | PENDING_CREATE |
| tenant_id | d637bea7d56b4ac
+------
root@koti-
+------
| Field | Value |
+------
| admin_state_up | True |
| description | |
| firewall_policy_id | 367ff338-
| id | 1665bbf3-
| name | f1 |
| status | ACTIVE |
| tenant_id | d637bea7d56b4ac
+------
/********unshare p1 and r1 as admin**********/
root@koti-
404-{u'
root@koti-
+------
| Field | Value |
+------
| admin_state_up | True |
| description | |
| firewall_policy_id | 367ff338-
| id | 1665bbf3-
| name | f1 |
| status | PENDING_DELETE |<<<<<<
| tenant_id | d637bea7d56b4ac
+------
Changed in neutron:
importance: Undecided → Low
assignee: nobody → Ilya Shakhat (shakhat)
Changed in neutron:
assignee: Ilya Shakhat (shakhat) → nobody
Changed in neutron:
assignee: nobody → tcs_openstack_group (tcs-openstack-group)
Changed in neutron:
status: New → In Progress
Changed in neutron:
assignee: tcs_openstack_group (tcs-openstack-group) → Priyanka (priyanka-majeti)
Changed in neutron:
milestone: none → kilo-1
status: Fix Committed → Fix Released
Changed in neutron:
milestone: kilo-1 → 2015.1.0
According to the bug, if the admin updates the policy/rule used by other tenants to create a firewall, then the tenant is unable to delete the firewall.
Possible solution: We can put a check on tenant_id: compare the tenant_id which created the firewall with the tenant_id that is trying to update the Policy/Rule. If they don't match, then it doesn't allow for the updation of policy/rule.
I would appreciate suggestions on this.
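
The in-use check discussed in this report, modelled on in-memory records as an added example. It is not Neutron's code or the fix that was released; the names `Policy`, `Firewall`, `PolicyInUse`, `foreign_users` and `set_policy_shared` are hypothetical, and it assumes the comparison is between each firewall's tenant and the policy owner's tenant.

```python
from dataclasses import dataclass


class PolicyInUse(Exception):
    """Raised when unsharing would strand another tenant's firewall."""


@dataclass
class Policy:
    id: str
    tenant_id: str          # owner of the policy (the admin in the report)
    shared: bool = False


@dataclass
class Firewall:
    id: str
    tenant_id: str          # tenant that created the firewall
    firewall_policy_id: str


def foreign_users(policy, firewalls):
    """Return firewalls that use the policy but belong to another tenant."""
    return [fw for fw in firewalls
            if fw.firewall_policy_id == policy.id
            and fw.tenant_id != policy.tenant_id]


def set_policy_shared(policy, shared, firewalls):
    """Update the shared flag, refusing shared -> unshared while in use."""
    if policy.shared and not shared:
        users = foreign_users(policy, firewalls)
        if users:
            ids = ", ".join(fw.id for fw in users)
            raise PolicyInUse(
                f"policy {policy.id} is used by firewalls of other tenants: {ids}")
    policy.shared = shared
    return policy


# Constructed sample data mirroring the reproduction steps (ids are made up).
p1 = Policy(id="p1", tenant_id="admin", shared=True)
f1 = Firewall(id="f1", tenant_id="tenant1", firewall_policy_id="p1")
```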