Unsharing a shared policy/rule should not be allowed when it is in use by other tenant

Bug #1334994 reported by Koteswara Rao Kelam
Affects: neutron
Status: Fix Released
Importance: Low
Assigned to: Koteswara Rao Kelam

Bug Description

Steps to reproduce:

1. As admin, create a shared policy p1 with shared rule r1
2. As tenant1, create a firewall f1 with policy p1
3. As admin, update p1 and r1 to unshared -- Actually it should not be allowed as they are in use, but it is allowed in icehouse GA
4. As tenant1, try to delete f1. It fails with the following error:

Console of tenant1
======================
root@koti-icega-osc:/usr/share/pyshared/neutron# neutron firewall-create p1 --name f1
Created a new firewall:
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | 367ff338-1014-4788-9cd9-d9d60035dd52 |
| id | 1665bbf3-f527-4ec9-950f-a3f41d618faf |
| name | f1 |
| status | PENDING_CREATE |
| tenant_id | d637bea7d56b4ac288485143ee2a65af |
+--------------------+--------------------------------------+

root@koti-icega-osc:/usr/share/pyshared/neutron# neutron firewall-show f1
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | 367ff338-1014-4788-9cd9-d9d60035dd52 |
| id | 1665bbf3-f527-4ec9-950f-a3f41d618faf |
| name | f1 |
| status | ACTIVE |
| tenant_id | d637bea7d56b4ac288485143ee2a65af |
+--------------------+--------------------------------------+

/********unshare p1 and r1 as admin**********/

root@koti-icega-osc:/usr/share/pyshared/neutron# neutron firewall-delete f1
404-{u'NeutronError': {u'message': u'Firewall Policy 367ff338-1014-4788-9cd9-d9d60035dd52 could not be found.', u'type': u'FirewallPolicyNotFound', u'detail': u''}}<<<<<<<<<<<<<<<<<<<<<<<<<Error as p1 and r1 are not shared now
root@koti-icega-osc:/usr/share/pyshared/neutron# neutron firewall-show f1
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | 367ff338-1014-4788-9cd9-d9d60035dd52 |
| id | 1665bbf3-f527-4ec9-950f-a3f41d618faf |
| name | f1 |
| status | PENDING_DELETE |<<<<<<<<<<<<<<<<<<<<<<<<< f1 went to pending delete state
| tenant_id | d637bea7d56b4ac288485143ee2a65af |
+--------------------+--------------------------------------+

Tags: fwaas
Changed in neutron:
importance: Undecided → Low
assignee: nobody → Ilya Shakhat (shakhat)
Ilya Shakhat (shakhat)
Changed in neutron:
assignee: Ilya Shakhat (shakhat) → nobody
Changed in neutron:
assignee: nobody → tcs_openstack_group (tcs-openstack-group)
Changed in neutron:
status: New → In Progress
Changed in neutron:
assignee: tcs_openstack_group (tcs-openstack-group) → Priyanka (priyanka-majeti)
Revision history for this message
Priyanka (priyanka-majeti) wrote :

According to the bug, if the admin updates a policy/rule that other tenants used to create a firewall, then the tenant is unable to delete the firewall.

Possible solution: We can put a check on tenant_id: compare the tenant_id that created the firewall with the tenant_id that is trying to update the policy/rule. If they don't match, then the update of the policy/rule is not allowed.

I would appreciate suggestions on this.

Revision history for this message
Koteswara Rao Kelam (koti-kelam) wrote :

There are 2 cases here.
1. Admin policy p1 is shared and is used by firewall f1 of a different tenant (tenant1). Then updating p1 to unshared should not be allowed as it is in use.
2. Admin rule r1 is shared and is used by firewall policy p1 of a different tenant. Then updating r1 to unshared should not be allowed as it is in use.

Case 2 will be fixed as part of the following review:
https://review.openstack.org/#/c/108952/

You can fix case 1 as part of this defect. Please refer to the update_firewall_rule() function in the above review and add a similar fix in update_firewall_poly()
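
The in-use check that the two comments above call for (case 1 in update_firewall_policy(), case 2 in update_firewall_rule()), as an added illustration that is not neutron's code or the code in the reviews linked above: an in-memory model of the rules, policies and firewalls from the reproduction steps, where setting shared=False is refused while a different tenant's firewall or policy still references the resource. The class and method names are assumptions.

```python
# Added example, not neutron's own code: in-memory model of the FWaaS objects
# in this bug plus the "in use by another tenant" check; names are assumed.
from dataclasses import dataclass, field

class FirewallResourceInUse(Exception):
    """Unsharing refused: another tenant's firewall or policy references it."""

@dataclass
class FwResource:  # a firewall rule or a firewall policy
    id: str
    tenant_id: str
    shared: bool = False
    firewall_rules: list = field(default_factory=list)  # policies only

@dataclass
class Firewall:
    id: str
    tenant_id: str
    firewall_policy_id: str

class FwaasDb:
    def __init__(self):
        self.rules, self.policies, self.firewalls = {}, {}, {}

    def _check_unshare(self, resource, fields, user_tenants):
        # Refuse shared -> unshared while a different tenant still uses it.
        if resource.shared and fields.get("shared") is False:
            others = set(user_tenants) - {resource.tenant_id}
            if others:
                raise FirewallResourceInUse(
                    f"{resource.id} is in use by tenants {sorted(others)}")

    def update_firewall_policy(self, policy_id, **fields):
        policy = self.policies[policy_id]
        self._check_unshare(policy, fields, [
            f.tenant_id for f in self.firewalls.values()
            if f.firewall_policy_id == policy_id])
        for key, value in fields.items():
            setattr(policy, key, value)
        return policy

    def update_firewall_rule(self, rule_id, **fields):
        rule = self.rules[rule_id]
        self._check_unshare(rule, fields, [
            p.tenant_id for p in self.policies.values()
            if rule_id in p.firewall_rules])
        for key, value in fields.items():
            setattr(rule, key, value)
        return rule
```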

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/124376

Changed in neutron:
assignee: Priyanka (priyanka-majeti) → Koteswara Rao Kelam (koti-kelam)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/124376
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ea3a0a428fac308f9ab65d0beb733de380cace56
Submitter: Jenkins
Branch: master

commit ea3a0a428fac308f9ab65d0beb733de380cace56
Author: Koteswara Rao Kelam <email address hidden>
Date: Fri Sep 26 04:34:11 2014 -0700

    Disallow unsharing used firewall policy

    When admin policy p1 is shared and is used by firewall f1 of different tenant,
    then updating p1 with shared=False should not be allowed as it is in use.

    Change-Id: I7c753f9d8a25a7edc40233316398475c8ad3efe9
    Closes-bug: #1334994

Changed in neutron:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (feature/lbaasv2)

Fix proposed to branch: feature/lbaasv2
Review: https://review.openstack.org/130864

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (feature/lbaasv2)

Reviewed: https://review.openstack.org/130864
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c089154a94e5872efc95eab33d3d0c9de8619fe4
Submitter: Jenkins
Branch: feature/lbaasv2

commit 62588957fbeccfb4f80eaa72bef2b86b6f08dcf8
Author: Kevin Benton <email address hidden>
Date: Wed Oct 22 13:04:03 2014 -0700

    Big Switch: Switch to TLSv1 in server manager

    Switch to TLSv1 for the connections to the backend
    controllers. The default SSLv3 is no longer considered
    secure.

    TLSv1 was chosen over .1 or .2 because the .1 and .2 weren't
    added until python 2.7.9 so TLSv1 is the only compatible option
    for py26.

    Closes-Bug: #1384487
    Change-Id: I68bd72fc4d90a102003d9ce48c47a4a6a3dd6e03

commit 17204e8f02fdad046dabdb8b31397289d72c877b
Author: OpenStack Proposal Bot <email address hidden>
Date: Wed Oct 22 06:20:15 2014 +0000

    Imported Translations from Transifex

    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure

    Change-Id: I58db0476c810aa901463b07c42182eef0adb5114

commit d712663b99520e6d26269b0ca193527603178742
Author: Carl Baldwin <email address hidden>
Date: Mon Oct 20 21:48:42 2014 +0000

    Move disabling of metadata and ipv6_ra to _destroy_router_namespace

    I noticed that disable_ipv6_ra is called from the wrong place and that
    in some cases it was called with a bogus router_id because the code
    made an incorrect assumption about the context. In other case, it was
    never called because _destroy_router_namespace was being called
    directly. This patch moves the disabling of metadata and ipv6_ra in
    to _destroy_router_namespace to ensure they get called correctly and
    avoid duplication.

    Change-Id: Ia76a5ff4200df072b60481f2ee49286b78ece6c4
    Closes-Bug: #1383495

commit f82a5117f6f484a649eadff4b0e6be9a5a4d18bb
Author: OpenStack Proposal Bot <email address hidden>
Date: Tue Oct 21 12:11:19 2014 +0000

    Updated from global requirements

    Change-Id: Idcbd730f5c781d21ea75e7bfb15959c8f517980f

commit be6bd82d43fbcb8d1512d8eb5b7a106332364c31
Author: Angus Lees <email address hidden>
Date: Mon Aug 25 12:14:29 2014 +1000

    Remove duplicate import of constants module

    .. and enable corresponding pylint check now the only offending instance
    is fixed.

    Change-Id: I35a12ace46c872446b8c87d0aacce45e94d71bae

commit 9902400039018d77aa3034147cfb24ca4b2353f6
Author: rajeev <email address hidden>
Date: Mon Oct 13 16:25:36 2014 -0400

    Fix race condition on processing DVR floating IPs

    Fip namespace and agent gateway port can be shared by multiple dvr routers.
    This change uses a set as the control variable for these shared resources
    and ensures that Test and Set operation on the control variable are
    performed atomically so that race conditions do not occur among
    multiple threads processing floating IPs.
    Limitation: The scope of this change is limited to addressing the race
    condition described in the bug report. It may not address other issues
    such as pre-existing issue wit...

Thierry Carrez (ttx)
Changed in neutron:
milestone: none → kilo-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: kilo-1 → 2015.1.0