Comment 16 for bug 2019960

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/896273
Committed: https://opendev.org/openstack/neutron/commit/78027da56ccb25d19ac2c3bc1c174acb2150e6a5
Submitter: "Zuul (22348)"
Branch: master

commit 78027da56ccb25d19ac2c3bc1c174acb2150e6a5
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Sep 12 08:57:45 2023 +0000

    Remove the publish patch in SG rule BEFORE_DELETE and BEFORE_CREATE

    The method ``delete_security_group_rule`` is publishing the
    BEFORE_DELETE event before starting the security group rule deletion.
    This event is published using a wrap method called
    ``SecurityGroupDbMixin._registry_publish``. This method is capturing
    any ``CallbackFailure`` exception and raising a
    ``SecurityGroupRuleInUse`` one. That makes no sense because:
    * We are hiding the real cause of the callback failure.
    * The BEFORE_DELETE is not checking that the security group rule is
      being used (NOTE 1).
    * If any new implementation makes this check, the corresponding callback
      should explicitly return this exception.

    The method ``_create_security_group_rule`` is publishing the
    BEFORE_CREATE event before starting the security group rule creation.
    The same argument applies here: the callback manager should return the
    exception raised by the callback method (NOTE 2).

    In a follow-up patch, these events will be captured to check the
    permissions related to the user creating or deleting the security group
    rule. In case of error, it will be necessary to raise a ``NotAuthorized``
    derived exception, instead of an ``InUse`` one.

    NOTE 1: this is the current use of BEFORE_DELETE event in the
    OpenStack repository:
    * [2] Omni project had no activity for the last 4 years.
    * [3] networking-arista: the method ``run_cmds_on_all_switches``, that
      calls ``run_openstack_sg_cmds``, returns its own exceptions.
    * [4] networking-opencontrail: same justification.
    * [5] The ML2/OVN mechanism driver, that will raise an exception if the
      OVN ACL deletion doesn't succeed.

    NOTE 2: this is the current use of BEFORE_DELETE event in the
    OpenStack repository:
    * [2] Omni project had no activity for the last 4 years.

    [1] https://codesearch.openstack.org/?q=%5C.SECURITY_GROUP_RULE&i=nope&literal=nope&files=&excludeFiles=&repos=
    [2] https://opendev.org/x/omni/src/branch/master/neutron/neutron/plugins/ml2/drivers/aws/callbacks.py
    [3] https://opendev.org/x/networking-arista/src/branch/master/networking_arista/ml2/security_groups/arista_security_groups.py
    [4] https://opendev.org/x/networking-opencontrail/src/branch/master/networking_opencontrail/ml2/opencontrail_sg_callback.py
    [5] https://opendev.org/openstack/neutron/src/branch/master/neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py

    Partial-Bug: #2019960

    Change-Id: I8d5f5392fb7a6ab9b20e9222c143f4e67c925cae
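The commit message argues that wrapping every ``CallbackFailure`` from the BEFORE_CREATE / BEFORE_DELETE publish into a ``SecurityGroupRuleInUse`` hides the real cause, which matters once those callbacks start enforcing authorization. The following is an added example, not neutron's or neutron-lib's code: a small stand-alone model of a callback registry with both the old wrapping behaviour and the post-fix direct publish, so the difference in what the caller sees can be observed. ``Registry``, ``publish_wrapped``, ``publish_direct``, ``deny_unless_owner`` and the exception classes are this example's own assumed names; the payload values are constructed.

```python
# Added example (not neutron's code): a minimal model of the publish/callback
# pattern the commit message describes, to show why wrapping CallbackFailure
# into SecurityGroupRuleInUse hides the real cause of a rejected operation.
# All names here (Registry, publish_wrapped, publish_direct, the exception
# classes) are assumptions of this toy, not neutron-lib identifiers.
from typing import Any, Callable, Dict, List, Tuple

BEFORE_CREATE = "before_create"
BEFORE_DELETE = "before_delete"
SECURITY_GROUP_RULE = "security_group_rule"

Callback = Callable[[str, str, Dict[str, Any]], None]


class CallbackFailure(Exception):
    """Aggregates every exception raised by the subscribed callbacks."""

    def __init__(self, errors: List[Exception]) -> None:
        self.errors = errors
        super().__init__("; ".join(f"{type(e).__name__}: {e}" for e in errors))


class SecurityGroupRuleInUse(Exception):
    """The generic 'rule is in use' error the old wrapper raised for any failure."""


class NotAuthorized(Exception):
    """Stands in for a NotAuthorized-derived exception raised by a policy check."""


class Registry:
    """Toy registry: callbacks subscribe per (resource, event); publish runs them all."""

    def __init__(self) -> None:
        self._subs: Dict[Tuple[str, str], List[Callback]] = {}

    def subscribe(self, callback: Callback, resource: str, event: str) -> None:
        self._subs.setdefault((resource, event), []).append(callback)

    def publish(self, resource: str, event: str, payload: Dict[str, Any]) -> None:
        errors: List[Exception] = []
        for cb in self._subs.get((resource, event), []):
            try:
                cb(resource, event, payload)
            except Exception as exc:  # collect, do not stop at the first failure
                errors.append(exc)
        if errors:
            raise CallbackFailure(errors)


def publish_wrapped(registry: Registry, resource: str, event: str,
                    payload: Dict[str, Any]) -> None:
    """The pattern the commit removes: any callback failure becomes 'rule in use'."""
    try:
        registry.publish(resource, event, payload)
    except CallbackFailure as exc:
        raise SecurityGroupRuleInUse(payload["id"]) from exc


def publish_direct(registry: Registry, resource: str, event: str,
                   payload: Dict[str, Any]) -> None:
    """After the fix: the CallbackFailure, carrying the callbacks' own exceptions, reaches the caller."""
    registry.publish(resource, event, payload)


def deny_unless_owner(resource: str, event: str, payload: Dict[str, Any]) -> None:
    """Constructed BEFORE_* callback: a policy check that rejects requesters other than the owner."""
    if payload["requester"] != payload["owner"]:
        raise NotAuthorized(f"{payload['requester']} may not {event} rule {payload['id']}")


def surfaced_error(publish, event: str, requester: str) -> str:
    """Run one publish variant with the policy callback subscribed; return what the caller sees."""
    registry = Registry()
    registry.subscribe(deny_unless_owner, SECURITY_GROUP_RULE, event)
    payload = {"id": "rule-1", "owner": "alice", "requester": requester}  # constructed sample
    try:
        publish(registry, SECURITY_GROUP_RULE, event, payload)
    except SecurityGroupRuleInUse:
        return "SecurityGroupRuleInUse"
    except CallbackFailure as exc:
        return ",".join(type(e).__name__ for e in exc.errors)
    return "ok"


if __name__ == "__main__":
    print("wrapped:", surfaced_error(publish_wrapped, BEFORE_DELETE, "bob"))  # SecurityGroupRuleInUse
    print("direct: ", surfaced_error(publish_direct, BEFORE_DELETE, "bob"))   # NotAuthorized
    print("owner:  ", surfaced_error(publish_direct, BEFORE_CREATE, "alice"))  # ok
```

With the wrapper, a policy denial is reported to the API user and to the logs as "rule in use", which is wrong for the operator reading the log and makes it impossible for the REST layer to map the failure to a 403. With the direct publish, the ``CallbackFailure`` still carries the ``NotAuthorized`` instance, so the caller can translate it into the right response.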