It looks that OVO Port.get_objects() don't filter properly on security_group_ids. I checked it in /opt/stack/neutron/neutron/api/rpc/handlers/resources_rpc.py with local pdb and I got results like:
140 @oslo_messaging.expected_exceptions(rpc_exc.CallbackNotFound)
141 def bulk_pull(self, context, resource_type, version, filter_kwargs=None):
142 if resource_type == "Port":
143 import remote_pdb; remote_pdb.set_trace()
144 filter_kwargs = filter_kwargs or {}
145 resource_type_cls = _resource_to_class(resource_type)
146 # TODO(kevinbenton): add in producer registry so producers can add
147 # hooks to mangle these things like they can with 'pull'.
148 -> return [obj.obj_to_primitive(target_version=version)
149 for obj in resource_type_cls.get_objects(context, _pager=None,
150 **filter_kwargs)]
(Pdb++) pp filter_kwargs
{u'security_group_ids': [u'b7a14ec4-36be-4fcc-ba9e-d58287a3ef91']}
(Pdb++) pp resource_type_cls
<class 'neutron.objects.ports.Port'>
(Pdb++) pp resource_type_cls.get_objects(context, _pager=None, **filter_kwargs)
[Port(admin_state_up=True,allowed_address_pairs=[],binding=PortBinding,binding_levels=[PortBindingLevel],created_at=2018-01-19T22:17:19Z,data_plane_status=<?>,description='',device_id='',device_owner='',dhcp_options=[],distributed_binding=None,dns=None,fixed_ips=[IPAllocation],id=1e624c28-343d-4bd7-994d-8d1cec1944ba,mac_address=fa:16:3e:a1:05:15,name='',network_id=1cf64024-3a22-4c6b-b914-4ee4cd4bee52,project_id='c0749e3c-9724-499c-9e6a-ff2f59449909',qos_policy_id=None,revision_number=7,security=PortSecurity(1e624c28-343d-4bd7-994d-8d1cec1944ba),security_group_ids=set([b7a14ec4-36be-4fcc-ba9e-d58287a3ef91]),status='ACTIVE',updated_at=2018-01-19T22:17:43Z),
Port(admin_state_up=True,allowed_address_pairs=[],binding=PortBinding,binding_levels=[PortBindingLevel],created_at=2018-01-19T22:17:23Z,data_plane_status=<?>,description='',device_id='',device_owner='',dhcp_options=[],distributed_binding=None,dns=None,fixed_ips=[IPAllocation],id=8b00f7d9-f66b-4a1a-a47c-620cc6b8caed,mac_address=fa:16:3e:bc:c2:32,name='',network_id=1cf64024-3a22-4c6b-b914-4ee4cd4bee52,project_id='c0749e3c-9724-499c-9e6a-ff2f59449909',qos_policy_id=None,revision_number=7,security=PortSecurity(8b00f7d9-f66b-4a1a-a47c-620cc6b8caed),security_group_ids=set([7fcda581-965f-4802-b9af-09091f929531]),status='ACTIVE',updated_at=2018-01-19T22:17:45Z),
Port(admin_state_up=True,allowed_address_pairs=[],binding=PortBinding,binding_levels=[PortBindingLevel],created_at=2018-01-19T22:17:18Z,data_plane_status=<?>,description='',device_id='dhcp4d86b788-a506-5af1-b7cc-b9464f818a8f-1cf64024-3a22-4c6b-b914-4ee4cd4bee52',device_owner='network:dhcp',dhcp_options=[],distributed_binding=None,dns=None,fixed_ips=[IPAllocation],id=9e6978e5-14b7-41f1-86d4-8c3d6461d6b5,mac_address=fa:16:3e:df:c2:b0,name='',network_id=1cf64024-3a22-4c6b-b914-4ee4cd4bee52,project_id='c0749e3c-9724-499c-9e6a-ff2f59449909',qos_policy_id=None,revision_number=5,security=PortSecurity(9e6978e5-14b7-41f1-86d4-8c3d6461d6b5),security_group_ids=set([]),status='ACTIVE',updated_at=2018-01-19T22:17:22Z),
Port(admin_state_up=True,allowed_address_pairs=[],binding=PortBinding,binding_levels=[PortBindingLevel],created_at=2018-01-19T22:17:18Z,data_plane_status=<?>,description='',device_id='',device_owner='',dhcp_options=[],distributed_binding=None,dns=None,fixed_ips=[IPAllocation],id=a6e80a22-eff6-4dde-86c2-faa0d18e7a66,mac_address=fa:16:3e:17:ab:48,name='',network_id=1cf64024-3a22-4c6b-b914-4ee4cd4bee52,project_id='c0749e3c-9724-499c-9e6a-ff2f59449909',qos_policy_id=None,revision_number=7,security=PortSecurity(a6e80a22-eff6-4dde-86c2-faa0d18e7a66),security_group_ids=set([b7a14ec4-36be-4fcc-ba9e-d58287a3ef91]),status='ACTIVE',updated_at=2018-01-19T22:17:43Z),
Port(admin_state_up=True,allowed_address_pairs=[],binding=PortBinding,binding_levels=[PortBindingLevel],created_at=2018-01-19T22:17:21Z,data_plane_status=<?>,description='',device_id='',device_owner='',dhcp_options=[],distributed_binding=None,dns=None,fixed_ips=[IPAllocation],id=b86fe420-488d-4218-965c-74f3ad2bc758,mac_address=fa:16:3e:a8:3b:27,name='',network_id=1cf64024-3a22-4c6b-b914-4ee4cd4bee52,project_id='c0749e3c-9724-499c-9e6a-ff2f59449909',qos_policy_id=None,revision_number=7,security=PortSecurity(b86fe420-488d-4218-965c-74f3ad2bc758),security_group_ids=set([952eff79-5b7c-4503-b1bc-fdc96bb8479d]),status='ACTIVE',updated_at=2018-01-19T22:17:44Z)]
(Pdb++)
So it's definitely not filtered and in result there are Ports which uses different SG than passed in filter_kwargs.
I will have to investigate why it is like that....
It looks that OVO Port.get_objects() don't filter properly on security_group_ids. I checked it in /opt/stack/ neutron/ neutron/ api/rpc/ handlers/ resources_ rpc.py with local pdb and I got results like:
140 @oslo_messaging .expected_ exceptions( rpc_exc. CallbackNotFoun d) kwargs= None): pdb.set_ trace() to_class( resource_ type) to_primitive( target_ version= version) type_cls. get_objects( context, _pager=None, group_ids' : [u'b7a14ec4- 36be-4fcc- ba9e-d58287a3ef 91']} objects. ports.Port' > type_cls. get_objects( context, _pager=None, **filter_kwargs) state_up= True,allowed_ address_ pairs=[ ],binding= PortBinding, binding_ levels= [PortBindingLev el],created_ at=2018- 01-19T22: 17:19Z, data_plane_ status= <?>,description ='',device_ id='',device_ owner=' ',dhcp_ options= [],distributed_ binding= None,dns= None,fixed_ ips=[IPAllocati on],id= 1e624c28- 343d-4bd7- 994d-8d1cec1944 ba,mac_ address= fa:16:3e: a1:05:15, name='' ,network_ id=1cf64024- 3a22-4c6b- b914-4ee4cd4bee 52,project_ id='c0749e3c- 9724-499c- 9e6a-ff2f594499 09',qos_ policy_ id=None, revision_ number= 7,security= PortSecurity( 1e624c28- 343d-4bd7- 994d-8d1cec1944 ba),security_ group_ids= set([b7a14ec4- 36be-4fcc- ba9e-d58287a3ef 91]),status= 'ACTIVE' ,updated_ at=2018- 01-19T22: 17:43Z) , state_up= True,allowed_ address_ pairs=[ ],binding= PortBinding, binding_ levels= [PortBindingLev el],created_ at=2018- 01-19T22: 17:23Z, data_plane_ status= <?>,description ='',device_ id='',device_ owner=' ',dhcp_ options= [],distributed_ binding= None,dns= None,fixed_ ips=[IPAllocati on],id= 8b00f7d9- f66b-4a1a- a47c-620cc6b8ca ed,mac_ address= fa:16:3e: bc:c2:32, name='' ,network_ id=1cf64024- 3a22-4c6b- b914-4ee4cd4bee 52,project_ id='c0749e3c- 9724-499c- 9e6a-ff2f594499 09',qos_ policy_ id=None, revision_ number= 7,security= PortSecurity( 8b00f7d9- f66b-4a1a- a47c-620cc6b8ca ed),security_ group_ids= set([7fcda581- 965f-4802- b9af-09091f9295 31]),status= 'ACTIVE' ,updated_ at=2018- 01-19T22: 17:45Z) , state_up= True,allowed_ address_ pairs=[ ],binding= PortBinding, binding_ levels= [PortBindingLev el],created_ at=2018- 01-19T22: 17:18Z, data_plane_ status= <?>,description ='',device_ id='dhcp4d86b78 8-a506- 5af1-b7cc- b9464f818a8f- 1cf64024- 3a22-4c6b- b914-4ee4cd4bee 52',device_ owner=' network: dhcp',dhcp_ options= [],distributed_ binding= None,dns= None,fixed_ ips=[IPAllocati on],id= 9e6978e5- 14b7-41f1- 86d4-8c3d6461d6 b5,mac_ address= fa:16:3e: df:c2:b0, name='' ,network_ id=1cf64024- 3a22-4c6b- b914-4ee4cd4bee 52,project_ id='c0749e3c- 9724-499c- 9e6a-ff2f594499 09',qos_ policy_ id=None, revision_ number= 5,security= PortSecurity( 9e6978e5- 14b7-41f1- 86d4-8c3d6461d6 b5),security_ group_ids= set([]) ,status= 'ACTIVE' ,updated_ at=2018- 01-19T22: 17:22Z) , state_up= True,allowed_ address_ pairs=[ ],binding= PortBinding, binding_ levels= [PortBindingLev el],created_ at=2018- 01-19T22: 17:18Z, data_plane_ status= <?>,description ='',device_ id='',device_ owner=' ',dhcp_ options= [],distributed_ binding= None,dns= None,fixed_ ips=[IPAllocati on],id= a6e80a22- eff6-4dde- 86c2-faa0d18e7a 66,mac_ address= fa:16:3e: 17:ab:48, name='' ,network_ id=1cf64024- 3a22-4c6b- b914-4ee4cd4bee 52,project_ id='c0749e3c- 9724-499c- 9e6a-ff2f594499 09',qos_ policy_ id=None, revision_ number= 7,security= PortSecurity( a6e80a22- eff6-4dde- 86c2-faa0d18e7a 66),security_ group_ids= set([b7a14ec4- 36be-4fcc- ba9e-d58287a3ef 91]),status= 'ACTIVE' ,updated_ at=2018- 01-19T22: 17:43Z) , state_up= True,allowed_ address_ pairs=[ ],binding= PortBinding, binding_ levels= [PortBindingLev el],created_ at=2018- 01-19T22: 17:21Z, data_plane_ status= <?>,description ='',device_ id='',device_ owner=' ',dhcp_ options= [],distributed_ binding= None,dns= None,fixed_ ips=[IPAllocati on],id= b86fe420- 488d-4218- 965c-74f3ad2bc7 58,mac_ address= fa:16:3e: a8:3b:27, name='' ,network_ id=1cf64024- 3a22-4c6b- b914-4ee4cd4bee 52,project_ id='c0749e3c- 9724-499c- 9e6a-ff2f594499 09',qos_ policy_ id=None, revision_ number= 7,security= PortSecurity( b86fe420- 488d-4218- 965c-74f3ad2bc7 58),security_ group_ids= set([952eff79- 5b7c-4503- b1bc-fdc96bb847 9d]),status= 'ACTIVE' ,updated_ at=2018- 01-19T22: 17:44Z) ]
141 def bulk_pull(self, context, resource_type, version, filter_
142 if resource_type == "Port":
143 import remote_pdb; remote_
144 filter_kwargs = filter_kwargs or {}
145 resource_type_cls = _resource_
146 # TODO(kevinbenton): add in producer registry so producers can add
147 # hooks to mangle these things like they can with 'pull'.
148 -> return [obj.obj_
149 for obj in resource_
150 **filter_kwargs)]
(Pdb++) pp filter_kwargs
{u'security_
(Pdb++) pp resource_type_cls
<class 'neutron.
(Pdb++) pp resource_
[Port(admin_
Port(admin_
Port(admin_
Port(admin_
Port(admin_
(Pdb++)
So it's definitely not filtered and in result there are Ports which uses different SG than passed in filter_kwargs.
I will have to investigate why it is like that....