Neutron does not seem to implement the default security groups calls, so when neutron is managing security groups, nova tries to pass the call off to it (I think) and fails. I think this bug is really against neutron and nova, but I'm not sure where to start. I'm not sure if anyone else is trying to use this call or not and maybe it should just be dropped. The API doesn't support it and the docs on it are wrong.
http://docs.openstack.org/api/openstack-compute/2/content/ext-os-security-group-default-rules.html (note that the example URLs in that doc are missing the word "default")
curl -i 'http://1.2.3.4:8774/v2/f5ad8f41cd8540ca83b6998b83bf9bba/os-security-group-default-rules' -X GET -H "X-Auth-Project-Id: admin" -H "Accept: application/json" -H "X-Auth-Token: 487b898af056401b806786623e3c2656"
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack Traceback (most recent call last):
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/__init__.py", line 125, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return req.get_response(self.application)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1320, in send
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack application, catch_exc_info=False)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1284, in call_application
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack app_iter = application(self.environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return resp(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 582, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return self.app(env, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return resp(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return resp(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/routes/middleware.py", line 131, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack response = self.app(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return resp(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 130, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack resp = self.call_func(req, *args, **self.kwargs)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 195, in call_func
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return self.func(req, *args, **kwargs)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/wsgi.py", line 917, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack content_type, body, accept)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/wsgi.py", line 983, in _process_stack
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack action_result = self.dispatch(meth, request, action_args)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/wsgi.py", line 1070, in dispatch
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return method(req=request, **action_args)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/compute/contrib/security_group_default_rules.py", line 181, in index
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack for rule in self.security_group_api.get_all_default_rules(context):
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack AttributeError: 'NativeNeutronSecurityGroupAPI' object has no attribute 'get_all_default_rules'
The default security group rules was a way to automatically populate the "default" security group that was created automatically when a project was created (usually on the first request for a security group for that project).
This is useful for deployments where all projects should start with a specific set of security group rules.
Should Neutron continue this pattern forward? I'm not sure.
The way I see it there are 2 ways to approach this:
1. Neutron does not implement the default security gorup logic, Nova stops supporting this feature and doesn't pass the requests on for Neutron
2. Neutron implements the same concept as a 'Default' security group that is pre-populated with some rules
This appears to be a bug against Neutron if anything.