euca-authorize adds wrong rules for group-to-group rule

Bug #1006878 reported by Vasyl Khomenko
Affects: OpenStack Compute (nova)
Status: Invalid
Importance: Medium
Assigned to: Unassigned

Bug Description

When I add a group-to-group rule I get only TCP allowed to pass.
All traffic should be passed.

# euca-add-group test1 -d test1
GROUP test1 test1

# euca-add-group test2 -d test2
GROUP test2 test2

# euca-authorize -o test1 test2
GROUP test2
PERMISSION test2 ALLOWS tcp GRPNAME test1 FROM CIDR 0.0.0.0/0

# euca-describe-groups
GROUP 2fa3fa776ca346ba86e130720ddc94c9 default default
GROUP 2fa3fa776ca346ba86e130720ddc94c9 test1 test1
GROUP 2fa3fa776ca346ba86e130720ddc94c9 test2 test2
PERMISSION 2fa3fa776ca346ba86e130720ddc94c9 test2 ALLOWS tcp 1 65535 GRPNAME test1

Tags: ec2
Revision history for this message
Vincent Hou (houshengbo) wrote :

Have you tried commands like euca-authorize -P icmp -t -1:-1 test2 or euca-authorize -P tcp -p 22 test2 on test2? It is possible for a security group to have a default access control, which does not permit other traffic.

Changed in nova:
status: New → Incomplete
Vasyl Khomenko (vkhomenko) wrote :

Hi.
Yes, adding custom rules works.
The question is how group-to-group permission should work.
In the Diablo release that rule added 3 rules, for tcp, udp and icmp.
Here we have only tcp. I think it is a bug.

Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → Medium
status: Incomplete → Confirmed
tags: added: ec2
Joe Gordon (jogo) wrote :

When running the same command on EC2 it returns:

$ euca-authorize -o test1 test2
None: None

and euca-describe-groups verifies no new rules are added.

Changed in nova:
assignee: nobody → Avinash Prasad (avinash-prasad)
Changed in nova:
status: Confirmed → In Progress
Avinash Prasad (avinash-prasad) wrote :

Have been working on the above issue and came across this case, so would require some pointers/views on this. When I execute the command,

euca-authorize -P udp -o test1 test2

I get the following output:
GROUP test2
PERMISSION test2 ALLOWS udp GRPNAME test1 FROM CIDR 0.0.0.0/0

The custom rule of tcp is added to group test2 even without mentioning the -p (port number) switch, as per the EC2 docs here:

http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-AuthorizeSecurityGroupIngress.html

Whenever the protocol udp/tcp is to be added one needs to mention the port number (-p) as well. Keeping that in mind, in the above example no port number has been mentioned and still the rule gets added.

An example from the EC2 docs highlighting the addition of custom rules is as follows (taken from the above link):

PROMPT> ec2-authorize websrv -P tcp -p 80 -u 111122223333 -o OtherAccountGroup
GROUP websrv
PERMISSION websrv ALLOWS tcp 80 80 FROM USER 111122223333 NAME OtherAccountGroup ingress

So, I believe the behavior doesn't seem to be correct as it does not comply with the EC2 API docs/specs. According to me it should raise a validation error (stating that insufficient parameters were supplied).

A behavior similar to this:
euca-authorize -P tcp ntest2
EC2APIError: [] Not enough parameters to build a valid rule

It would be nice to get some viewpoints on this and views on the above situation to get a clear idea.
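
An added illustration, not nova's code or anything posted in this thread: a Python model of the two candidate behaviours debated above for a group source with no protocol (expand to tcp/udp/icmp as in Diablo, or reject as proposed here), with the tcp/udp port-range requirement from the EC2 docs, plus a parser for euca-describe-groups PERMISSION lines that shows which protocols a group-to-group grant actually covers. The function names and the sample output are constructed for this example.

```python
import re

ALL_PROTOCOLS = ("tcp", "udp", "icmp")

class EC2APIError(Exception): pass

def build_rules(source_group=None, cidr=None, protocol=None,
                from_port=None, to_port=None, expand_group_only=True):
    """Rules one authorize call should create, or raise EC2APIError.
    expand_group_only=True: a group source with no -P becomes tcp/udp/icmp over
    the full range (Diablo behaviour); False: such a call is rejected instead."""
    if source_group is None and cidr is None:
        raise EC2APIError("Not enough parameters to build a valid rule")
    if protocol is None:
        if source_group is None or not expand_group_only:
            raise EC2APIError("Not enough parameters to build a valid rule")
        specs = [("tcp", 1, 65535), ("udp", 1, 65535), ("icmp", -1, -1)]
    elif protocol in ("tcp", "udp"):  # EC2 docs: tcp/udp need a port range (-p)
        if from_port is None or to_port is None:
            raise EC2APIError("Not enough parameters to build a valid rule")
        if not 1 <= from_port <= to_port <= 65535:
            raise EC2APIError("Invalid port range")
        specs = [(protocol, from_port, to_port)]
    elif protocol == "icmp":  # -1 means any ICMP type/code
        specs = [("icmp", -1 if from_port is None else from_port,
                  -1 if to_port is None else to_port)]
    else:
        raise EC2APIError("Invalid IP protocol %r" % (protocol,))
    return [{"protocol": p, "from_port": lo, "to_port": hi,
             "source_group": source_group, "cidr": cidr} for p, lo, hi in specs]

# Matches the PERMISSION lines euca-describe-groups prints for group-sourced rules.
PERMISSION_RE = re.compile(
    r"^PERMISSION\s+\S+\s+(?P<group>\S+)\s+ALLOWS\s+(?P<proto>\S+)\s+"
    r"(?P<lo>-?\d+)\s+(?P<hi>-?\d+)\s+GRPNAME\s+(?P<src>\S+)")

def group_rule_coverage(describe_output):
    """Per (group, source group), the protocols NOT granted (tcp-only grant -> ['icmp', 'udp'])."""
    covered = {}
    for line in describe_output.splitlines():
        m = PERMISSION_RE.match(line.strip())
        if m:
            key = (m.group("group"), m.group("src"))
            covered.setdefault(key, set()).add(m.group("proto"))
    return {k: sorted(set(ALL_PROTOCOLS) - v) for k, v in covered.items()}

# Constructed sample: the euca-describe-groups output quoted in the bug report.
SAMPLE_DESCRIBE = ("GROUP 2fa3fa776ca346ba86e130720ddc94c9 test2 test2\n"
                   "PERMISSION 2fa3fa776ca346ba86e130720ddc94c9 test2 ALLOWS tcp 1 65535 GRPNAME test1\n")
```

Running group_rule_coverage over real describe-groups output makes the symptom in this report visible as a missing udp and icmp grant for the (test2, test1) pair.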

Sean Dague (sdague) wrote :

This issue is quite old; I'd be curious to see if it's still valid (or broken even worse).

Changed in nova:
status: In Progress → Incomplete
assignee: Avinash Prasad (avinash-prasad) → nobody
Joe Gordon (jogo)
Changed in nova:
status: Incomplete → Invalid