neutron

security group rule update is not validated

Bug #1521099 reported by Ryu Ishimoto on 2015-11-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	networking-midonet	Invalid	Low	YAMAMOTO Takashi	networking-midonet 2.0.0
	neutron	Won't Fix	Low	YAMAMOTO Takashi

Bug Description

Even though midonet does not support updating of SG rule direction, neutron allows it:

https://github.com/openstack/neutron/blob/master/neutron/extensions/securitygroup.py#L239

The plugin should have a validation to prevent this update.

Tags:

Revision history for this message

YAMAMOTO Takashi (yamamoto) wrote on 2015-11-30:

it sounds like a bug in the extension itself rather than midonet implementation.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-11-30: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/251268

Changed in neutron:
assignee:	nobody → YAMAMOTO Takashi (yamamoto)
status:	New → In Progress

YAMAMOTO Takashi (yamamoto) on 2015-11-30

Changed in networking-midonet:
status:	New → Invalid
assignee:	nobody → YAMAMOTO Takashi (yamamoto)
importance:	Medium → Low

Rossella Sblendido (rossella-o) on 2015-11-30

Changed in neutron:
importance:	Undecided → Low

Revision history for this message

Akihiro Motoki (amotoki) wrote on 2015-11-30:

In the original design of the security group extension, we don't support SG rule update.
We don't have update_security_group_rule method in SecurityGroupPluginBase.
https://github.com/openstack/neutron/blob/master/neutron/extensions/securitygroup.py#L338

Thus, I think it is better to disable update_security_group_rules method completely rather than disabling the update of 'direction'.

On the other hand, the current neutron API framework has no convenient way to disable some API method like update_security_group_method, so it might return an internal server error. I think it is worth fixed.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-12-01:

Fix proposed to branch: master
Review: https://review.openstack.org/251634

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-12-04: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/251268
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e407a335713df40984286bafe1d7da4b530091dc
Submitter: Jenkins
Branch: master

commit e407a335713df40984286bafe1d7da4b530091dc
Author: YAMAMOTO Takashi <email address hidden>
Date: Mon Nov 30 18:46:17 2015 +0900

Disallow updating SG rule direction in RESOURCE_ATTRIBUTE_MAP

It doesn't make much sense to allow updating only the direction.
I suppose it was a bug in the first place.

Partial-Bug: #1521099
Change-Id: Idfd48c801be3cd34286595f5ca3c9d629a296200

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-12-18: Fix proposed to neutron (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/259520

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-12-21: Fix merged to neutron (stable/liberty)

Reviewed: https://review.openstack.org/259520
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7839f769173d2c23d52f25ce9a85200027cdda0e
Submitter: Jenkins
Branch: stable/liberty

commit 7839f769173d2c23d52f25ce9a85200027cdda0e
Author: YAMAMOTO Takashi <email address hidden>
Date: Mon Nov 30 18:46:17 2015 +0900

Disallow updating SG rule direction in RESOURCE_ATTRIBUTE_MAP

It doesn't make much sense to allow updating only the direction.
I suppose it was a bug in the first place.

    Partial-Bug: #1521099
    Change-Id: Idfd48c801be3cd34286595f5ca3c9d629a296200
    (cherry picked from commit e407a335713df40984286bafe1d7da4b530091dc)

tags:

added: in-stable-liberty

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-14: Change abandoned on neutron (master)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/251634
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Armando Migliaccio (armando-migliaccio) on 2016-04-14

Changed in neutron:
status:	In Progress → Won't Fix

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-09-01:

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/251634
Reason: looks dead

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.