neutron security-group-list with filtering by NON-EXISTING tenant-id will create unexpected default security-group

Bug #1653025 reported by Yi Zhao
Affects: neutron
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned

Bug Description

The neutron security-group-list command, when filtering by a NON-EXISTING tenant-id, will create an unexpected default security-group; details are shown below:

# neutron security-group-list --tenant-id UNDEFINED

# Show the neutron database table securitygroups: you will find an sg entry with project_id UNDEFINED, which does not exist in keystone.
MariaDB [neutron]> select * from securitygroups;
+----------------------------------+--------------------------------------+---------+------------------+
| project_id | id | name | standard_attr_id |
+----------------------------------+--------------------------------------+---------+------------------+
| XXXXXXX | 457dfd14-68d3-4a89-a987-52a6fab85496 | default | 103 |
| 12345 | 6fd9d319-10e4-4ec4-842d-7c049cf10113 | default | 233 |
| abc | 8666935a-520e-40f3-a92e-150934179535 | default | 223 |
| UNDEFINED | 9c282662-f973-4f7f-9fa3-d5ed6e2ac71f | default | 228 |
+----------------------------------+--------------------------------------+---------+------------------+

# same thing happens to the table securitygrouprules:
MariaDB [neutron]> select * from securitygrouprules WHERE project_id='UNDEFINED';
+------------+--------------------------------------+--------------------------------------+--------------------------------------+-----------+-----------+----------+----------------+----------------+------------------+------------------+
| project_id | id | security_group_id | remote_group_id | direction | ethertype | protocol | port_range_min | port_range_max | remote_ip_prefix | standard_attr_id |
+------------+--------------------------------------+--------------------------------------+--------------------------------------+-----------+-----------+----------+----------------+----------------+------------------+------------------+
| UNDEFINED | 376c6247-41b7-48b1-ae69-dd97062edc8a | 9c282662-f973-4f7f-9fa3-d5ed6e2ac71f | 9c282662-f973-4f7f-9fa3-d5ed6e2ac71f | ingress | IPv6 | NULL | NULL | NULL | NULL | 231 |
| UNDEFINED | 4aab7577-8433-4f62-b156-03ba1c374cb3 | 9c282662-f973-4f7f-9fa3-d5ed6e2ac71f | NULL | egress | IPv4 | NULL | NULL | NULL | NULL | 230 |
| UNDEFINED | 86337a57-1735-4dbb-874f-7cf13a32b4d1 | 9c282662-f973-4f7f-9fa3-d5ed6e2ac71f | 9c282662-f973-4f7f-9fa3-d5ed6e2ac71f | ingress | IPv4 | NULL | NULL | NULL | NULL | 229 |
| UNDEFINED | e7e774a9-ee3c-4dfb-9e77-fa3630751bfc | 9c282662-f973-4f7f-9fa3-d5ed6e2ac71f | NULL | egress | IPv6 | NULL | NULL | NULL | NULL | 232 |
+------------+--------------------------------------+--------------------------------------+--------------------------------------+-----------+-----------+----------+----------------+----------------+------------------+------------------+
4 rows in set (0.00 sec)

Tested under OpenStack Kilo and master

Tags: sg-fw
Yi Zhao (zhaoyi44)
tags: added: sg-fw
Changed in neutron:
assignee: nobody → Yi Zhao (zhaoyi44)
Yi Zhao (zhaoyi44)
Changed in neutron:
assignee: Yi Zhao (zhaoyi44) → nobody
Armando Migliaccio (armando-migliaccio) wrote :

This is a 'known' side effect. Neutron expects that a tenant (or project) UUID is valid. To address this, neutron would be required to interact with keystone in order to assert the validity of the submitted parameter.

Changed in neutron:
status: New → Confirmed
importance: Undecided → Wishlist
Hunt Xu (huntxu)
Changed in neutron:
assignee: nobody → Hunt Xu (huntxu)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/464194

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Hunt Xu (<email address hidden>) on branch: master
Review: https://review.openstack.org/464194

Hunt Xu (huntxu)
Changed in neutron:
assignee: Hunt Xu (huntxu) → nobody
status: In Progress → Confirmed
Brian Haley (brian-haley) wrote :

This was fixed recently, only an administrator can trigger this operation now.

Changed in neutron:
status: Confirmed → Fix Released
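
An audit for the leftover rows described in this report, as an added example that is not part of the original bug report or of neutron's code: it parses the `mysql` client output shown in the description and lists security groups and rules whose project_id is missing from keystone. The `KEYSTONE_PROJECT_IDS` set and the function names are assumptions made for the example.

```python
# Added example: audit neutron security-group rows against keystone's project list.
# Both tables reuse the report's output; RULES keeps only a subset of its columns.
SECURITYGROUPS = """
+------------+--------------------------------------+---------+------------------+
| project_id | id                                   | name    | standard_attr_id |
+------------+--------------------------------------+---------+------------------+
| XXXXXXX    | 457dfd14-68d3-4a89-a987-52a6fab85496 | default | 103              |
| 12345      | 6fd9d319-10e4-4ec4-842d-7c049cf10113 | default | 233              |
| abc        | 8666935a-520e-40f3-a92e-150934179535 | default | 223              |
| UNDEFINED  | 9c282662-f973-4f7f-9fa3-d5ed6e2ac71f | default | 228              |
+------------+--------------------------------------+---------+------------------+
"""
RULES = """
| project_id | id                                   | security_group_id                    | direction |
| UNDEFINED  | 376c6247-41b7-48b1-ae69-dd97062edc8a | 9c282662-f973-4f7f-9fa3-d5ed6e2ac71f | ingress   |
| UNDEFINED  | 4aab7577-8433-4f62-b156-03ba1c374cb3 | 9c282662-f973-4f7f-9fa3-d5ed6e2ac71f | egress    |
| UNDEFINED  | 86337a57-1735-4dbb-874f-7cf13a32b4d1 | 9c282662-f973-4f7f-9fa3-d5ed6e2ac71f | ingress   |
| UNDEFINED  | e7e774a9-ee3c-4dfb-9e77-fa3630751bfc | 9c282662-f973-4f7f-9fa3-d5ed6e2ac71f | egress    |
"""
# Assumption: the project IDs keystone knows (e.g. taken from `openstack project list`).
# Constructed for this example; only XXXXXXX is treated as an existing project.
KEYSTONE_PROJECT_IDS = {"XXXXXXX"}

def parse_mysql_table(text):
    """Turn mysql-client table output into a list of dicts keyed by column name."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +---+ borders, prompts and "N rows in set"
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows

def audit(sg_text, rule_text, known_projects):
    """Return {unknown project_id: {"groups": [...], "rules": [...]}} for review."""
    report = {}
    for sg in parse_mysql_table(sg_text):
        if sg["project_id"] not in known_projects:
            entry = report.setdefault(sg["project_id"], {"groups": [], "rules": []})
            entry["groups"].append(sg["id"])
    for rule in parse_mysql_table(rule_text):
        for entry in report.values():
            if rule["security_group_id"] in entry["groups"]:
                entry["rules"].append(rule["id"])
    return report

if __name__ == "__main__":
    print(audit(SECURITYGROUPS, RULES, KEYSTONE_PROJECT_IDS))
```

Groups left behind by a project that was later deleted from keystone appear in the same result, so treat the output as a review list rather than a delete list.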