It is possible to delete default security group

Bug #1423475 reported by Eran Kuris
This bug affects 1 person
Affects: neutron
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

When I log in to Horizon (WebUI) as user admin and try to delete the default security group, I get an error message saying that I cannot perform this action.
When I run the same scenario from the neutron client using these commands:
[root@puma15 ~(keystone_admin)]# neutron security-group-list
+--------------------------------------+---------+-------------+
| id | name | description |
+--------------------------------------+---------+-------------+
| 8f7a6756-60e4-45e2-a35a-673bcd9508aa | default | default |
+--------------------------------------+---------+-------------+
[root@puma15 ~(keystone_admin)]# neutron security-group-delete 8f7a6756-60e4-45e2-a35a-673bcd9508aa
Deleted security_group: 8f7a6756-60e4-45e2-a35a-673bcd9508aa

I can see that the action is successful when it should not be. A few seconds after the delete action I type the command:
[root@puma15 ~(keystone_admin)]# neutron security-group-list
+--------------------------------------+---------+-------------+
| id | name | description |
+--------------------------------------+---------+-------------+
| e56b4c51-5324-405e-bc54-0044247b6b5b | default | default |
+--------------------------------------+---------+-------------+

As we can see, it generates a new default security group with a new ID.

Version:
[root@puma15 ~(keystone_admin)]# rpm -qa | grep neut
python-neutron-2014.2.2-2.el7ost.noarch
openstack-neutron-openvswitch-2014.2.2-2.el7ost.noarch
openstack-neutron-2014.2.2-2.el7ost.noarch
openstack-neutron-ml2-2014.2.2-2.el7ost.noarch
python-neutronclient-2.3.9-1.el7ost.noarch
[root@puma15 ~(keystone_admin)]# rpm -qa | grep rhel
libreport-rhel-2.1.11-21.el7.x86_64
[root@puma15 ~(keystone_admin)]# ll /etc/yum.repos.d/
total 48
-rw-r--r--. 1 root root 252 Feb 16 10:13 epel.repo
-rw-------. 1 root root 24221 Feb 16 10:03 Eran_answer_file.txt
-rw-r--r--. 1 root root 358 Feb 16 09:34 redhat.repo
-rw-r--r--. 1 root root 165 Feb 16 09:34 rhel-optional.repo
-rw-r--r--. 1 root root 153 Feb 16 09:34 rhel-server.repo
-rw-r--r--. 1 root root 2316 Feb 16 09:44 rhos-release-6-rhel-7.1.repo
-rw-r--r--. 1 root root 122 Feb 13 01:06 rhos-release.repo

Tags: api sg-fw
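
An added example, not part of the original report or of Neutron: a small Python audit that parses two `neutron security-group-list` snapshots like the ones above and flags a default security group that was deleted and recreated under a new ID. The function names are hypothetical, and it assumes the three-column table shown in the report, so it compares sets of IDs rather than pairing groups per tenant.

```python
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Snapshots copied from the report above (prompt line included on purpose).
BEFORE = """\
[root@puma15 ~(keystone_admin)]# neutron security-group-list
+--------------------------------------+---------+-------------+
| id | name | description |
+--------------------------------------+---------+-------------+
| 8f7a6756-60e4-45e2-a35a-673bcd9508aa | default | default |
+--------------------------------------+---------+-------------+
"""
AFTER = BEFORE.replace("8f7a6756-60e4-45e2-a35a-673bcd9508aa",
                       "e56b4c51-5324-405e-bc54-0044247b6b5b")


def parse_sg_table(text):
    """Parse the CLI table into a list of {column: value} dicts."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip borders (+---+), shell prompts and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells  # first piped line holds the column names
            continue
        row = dict(zip(header, cells))
        if UUID_RE.match(row.get("id", "")):
            rows.append(row)
    return rows


def default_ids(rows):
    """IDs of every group named 'default' in a parsed snapshot."""
    return {r["id"] for r in rows if r.get("name") == "default"}


def diff_default_groups(before_text, after_text):
    """Report default groups that disappeared or appeared between snapshots."""
    before = default_ids(parse_sg_table(before_text))
    after = default_ids(parse_sg_table(after_text))
    removed, added = before - after, after - before
    # A removal paired with an addition means the group was deleted and
    # auto-recreated, so any custom rules on the old group are gone.
    return {"removed": sorted(removed), "added": sorted(added),
            "recreated": bool(removed and added)}


if __name__ == "__main__":
    print(diff_default_groups(BEFORE, AFTER))
```
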
Hirofumi Ichihara (ichihara-hirofumi) wrote :

Users cannot delete the default security group even if they use the API.
But it's inappropriate to regenerate the security group with a new ID.
I am looking to fix it.

Changed in neutron:
assignee: nobody → Hirofumi Ichihara (ichihara-hirofumi)
summary: - It is possible to delete default security group via neutron client
+ It is possible to delete default security group
Ann Taraday (akamyshnikova) wrote :

Admin is allowed to delete the default security group [1]. Recreation appeared because if there is no default security group it will be created automatically [2] [3], so it was designed. I think this should be discussed.
[1] https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L233
[2] https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L181
[3] https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L542

Hirofumi Ichihara (ichihara-hirofumi) wrote :

Thank you for your advice. I agree with you. I posted to the ML [1].

[1]: http://lists.openstack.org/pipermail/openstack-dev/2015-February/057424.html

tags: added: sg-fw
Eugene Nikanorov (enikanorov) wrote :

Marking as Incomplete as there has been no progress on this for 3 months and the bug describes as-designed behavior.

tags: added: api
Changed in neutron:
status: New → Incomplete
Changed in neutron:
assignee: Hirofumi Ichihara (ichihara-hirofumi) → nobody
Sreekumar S (sreesiv) wrote :

Although this seems as-designed, as a user can I use it to function as a 'restore default'?
Like, I added/deleted a couple of rules to the default sec group, and now I decide to revoke all of that and restore the fresh default safe one. At that time I can decide to delete the default one and wait for it to be recreated.

If such a use case is valid, then...

The UI (horizon) and the CLI should inform the user that "You are about to delete the default sec group, all your changes will be lost. The default security group will be re-created with the default rules".

Please confirm if the above use case is valid. If it is, I can work on it. Maybe I can raise another bug to track it with the proper heading/comments and close this as 'by design'.

Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired