OpenStack Compute (Nova)

no obvious way to delete incorrect security rules (added to the default nova security group)

Reported by Kashyap Chamarthy on 2013-04-02
14
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Medium
Unassigned

Bug Description

Try to add an incorrect security rules, like
  1] adding an icmp rule without providing cidr to the default nova security group
    - also, ICMP doesn't run on ports (so providing arbitrary ports for ICMP should be disabled ?)
  2] add an ssh rule, without cidr

And there appears to be no way to delete these incorrect rules

A small test:

=======
(~(keystone_admin)$ nova secgroup-list
+---------+-------------+
| Name | Description |
+---------+-------------+
| default | default |
+---------+-------------+

(~(keystone_admin)$ nova secgroup-list-rules default

(~(keystone_admin)$

(~(keystone_user1)]$ nova secgroup-add-group-rule default default icmp -1 -1
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
| icmp | -1 | -1 | | default |
+-------------+-----------+---------+----------+--------------+

(~(keystone_user1)]$ nova secgroup-add-group-rule default default icmp 22 22
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
| icmp | 22 | 22 | | default |
+-------------+-----------+---------+----------+--------------+

(~(keystone_user1)]$ nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
| icmp | -1 | -1 | | default |
| icmp | 22 | 22 | | default |
+-------------+-----------+---------+----------+--------------+
=======

-> Now attempt to delete:
=======
(~(keystone_user1)]$ nova secgroup-delete-rule default icmp 22 22
usage: nova secgroup-delete-rule <secgroup> <ip-proto> <from-port> <to-port>
                                 <cidr>
error: too few arguments
=======
(~(keystone_user1)]$ nova secgroup-delete-rule default icmp 22 22 0.0.0.0/0
ERROR: 'cidr'
=======

-> For reference, correct way to add rules:
=========================================
(~(keystone_user1)]$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
(~(keystone_user1)]$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | -1 | -1 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
(~(keystone_user1)]$

-> Now, I end up with an inconsistent set of rules:
=============
(~(keystone_user1)]$ nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | -1 | -1 | | default |
| icmp | -1 | -1 | 0.0.0.0/0 | |
| icmp | 22 | 22 | | default |
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
(~(keystone_user1)]$
=============

Actual results:
Incorrect/invalid rules can be created.

Expected results:
Incorrect/invalid rules should be sanitized. In case they're allowed, there should be a way to delete them.

Dan Smith (danms) wrote :

What version of nova is this? I get a different error when I try:

dan@guaranine:/opt/stack/tempest$ nova secgroup-delete-rule default icmp -1 -1 1.1.1.1/8
ERROR: 'NoneType' object has no attribute 'upper'

Changed in nova:
importance: Undecided → Medium
status: New → Confirmed
git-harry (git-harry) wrote :

According to the following link there are two types of rules - one type specify an IP range the other a source group.

http://docs.openstack.org/developer/nova/nova.concepts.html#concept-security-groups

You are creating rules with a source group, they can be deleted using nova secgroup-delete-group-rule not nova secgroup-delete-rule

# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
| icmp | -1 | -1 | | default |
| icmp | 22 | 22 | | default |
+-------------+-----------+---------+----------+--------------+

# nova secgroup-delete-group-rule default default icmp 22 22

# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
| icmp | -1 | -1 | | default |
+-------------+-----------+---------+----------+--------------+

When specifying ICMP the two arguments are not ports but ICMP code and type - http://docs.openstack.org/cli/quick-start/content/nova_client.html#nova_cli_security_groups

Brent Eagles (beagles) wrote :

Shouldn't this be closed? The usage described in the bug isn't valid.

Kashyap Chamarthy (kchamart) wrote :

@Dan Smith: Sorry for such a late reply. I missed this. And I didn't mention the original version :( . It was with Folsom, I'm sure, but can't recall the exact package versions.

@Brent: Just curious, shouldn't adding dubious security rules be disallowed ? If you still think this usage invalid/trivial, it can be closed, if others agree.

I can test this w/ Grizzly and check if it still persists.

Thanks.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers