Looking at the 2 security group APIs in nova, in the case of nova-network when you add a new secgroup rule it gets into the db but doesn't get down to the virt driver which actually does the iptables stuff (in the case of libvirt) if you hit the KeyError when it calls refresh_instance_security_rules. That failure doesn't get back to the user because the nova-network secgroup API does a cast to refresh the rules. So, yeah, the operation from the CLI would not return an error, but the rules aren't applied for the guest if you hit the KeyError, so you might have a false sense of security.
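The failure mode described in the comment above, as an added toy model that is not nova code and not part of the original report: a fire-and-forget cast lets the API report success while the driver-side KeyError is only visible on the worker, and a reconciliation check between the database and the driver's applied state exposes the gap. Every name except `refresh_instance_security_rules` is hypothetical, and the instances and rule string are constructed sample data.

```python
# Toy model, not nova code. Only refresh_instance_security_rules is a name
# from the report; every other class and function here is hypothetical.
import queue

class ToyDriver:
    """Stands in for the virt driver that programs the firewall."""
    def __init__(self, known):
        self.applied = {iid: set() for iid in known}

    def refresh_instance_security_rules(self, iid, rules):
        current = self.applied[iid]   # KeyError if the driver lacks this instance
        current.clear()
        current.update(rules)

class ToyRPC:
    """cast() only enqueues; the caller never sees what the worker raises."""
    def __init__(self, driver):
        self.driver, self.pending, self.errors = driver, queue.Queue(), []

    def cast(self, iid, rules):
        self.pending.put((iid, frozenset(rules)))

    def drain(self):
        # Worker side: failures end up in a worker-local record, not the API reply.
        while not self.pending.empty():
            iid, rules = self.pending.get()
            try:
                self.driver.refresh_instance_security_rules(iid, rules)
            except KeyError as exc:
                self.errors.append((iid, repr(exc)))

def add_rule(db, rpc, iid, rule):
    db.setdefault(iid, set()).add(rule)   # the rule reaches the database
    rpc.cast(iid, db[iid])                # the refresh is asynchronous
    return "accepted"                     # reply is sent before the refresh runs

def find_drift(db, driver):
    """Rules recorded in the database that the driver never applied."""
    drift = {}
    for iid, wanted in db.items():
        missing = wanted - driver.applied.get(iid, set())
        if missing:
            drift[iid] = missing
    return drift

def demo():
    driver = ToyDriver(known=["vm-a"])    # constructed: driver has no entry for vm-b
    rpc, db = ToyRPC(driver), {}
    rule = "tcp/22 from 10.0.0.0/8"       # constructed sample rule
    replies = [add_rule(db, rpc, iid, rule) for iid in ("vm-a", "vm-b")]
    rpc.drain()
    return replies, rpc.errors, find_drift(db, driver)

if __name__ == "__main__":
    print(demo())
```
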