neutron security-group-list with filtering by NON-EXISTING tenant-id will create unexpected default security-group
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
Wishlist
|
Unassigned |
Bug Description
The neutron security-group-list command with filtering by NON-EXISTING tenant-id will create unexpected default security-group, details are shown below:
# neutron security-group-list --tenant-id UNDEFINED
# show neutron database table: securitygroups, you will find a sg entry with project_id: UNDEFINED, which is not existed in keystone.
MariaDB [neutron]> select * from securitygroups;
+------
| project_id | id | name | standard_attr_id |
+------
| XXXXXXX | 457dfd14-
| 12345 | 6fd9d319-
| abc | 8666935a-
| UNDEFINED | 9c282662-
+------
# same thing happens to the table securitygrouprules:
MariaDB [neutron]> select * from securitygrouprules WHERE project_
+------
| project_id | id | security_group_id | remote_group_id | direction | ethertype | protocol | port_range_min | port_range_max | remote_ip_prefix | standard_attr_id |
+------
| UNDEFINED | 376c6247-
| UNDEFINED | 4aab7577-
| UNDEFINED | 86337a57-
| UNDEFINED | e7e774a9-
+------
4 rows in set (0.00 sec)
Tested under OpenStack Kilo and master
tags: | added: sg-fw |
Changed in neutron: | |
assignee: | nobody → Yi Zhao (zhaoyi44) |
Changed in neutron: | |
assignee: | Yi Zhao (zhaoyi44) → nobody |
Changed in neutron: | |
assignee: | nobody → Hunt Xu (huntxu) |
Changed in neutron: | |
assignee: | Hunt Xu (huntxu) → nobody |
status: | In Progress → Confirmed |
This is a 'known' side effect. Neutron expects that a tenant (or project) UUID is valid. To address this, neutron would be required to interact with keystone in order to assert the validity of the submitted parameter.