OpenStack Compute (Nova)

EC2 compatibility describe security group returns erroneous value for group ip permissions

Reported by Kapil Thangavelu on 2011-08-19
14
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Medium
Unassigned
pyjuju
Critical
Kapil Thangavelu
txAWS
Undecided
Kapil Thangavelu
txaws (Ubuntu)
High
Clint Byrum

Bug Description

When dealing with group to group authorization (including self group authorization), nova doesn't associate the correct port ranges to the group ip permission.

ie.
ec2.authorize_security_group(
                "ensemble-east",
                source_group_name="ensemble-east",
                source_group_owner_id=owner_id)

results in very different output from euca-describe-groups vs. ec2-describe-group.

ec2-describe-group reports

GROUP sg-a7351dce 619193117841 ensemble-east Ensemble group for east
PERMISSION 619193117841 ensemble-east ALLOWS tcp 1 65535 FROM USER 619193117841 NAME ensemble-east ID sg-a7351dce ingress
PERMISSION 619193117841 ensemble-east ALLOWS udp 1 65535 FROM USER 619193117841 NAME ensemble-east ID sg-a7351dce ingress
PERMISSION 619193117841 ensemble-east ALLOWS icmp -1 -1 FROM USER 619193117841 NAME ensemble-east ID sg-a7351dce ingress

where as euca-describe-group

GROUP kapil_project ensemble-internal Ensemble group for internal
PERMISSION kapil_project ensemble-internal ALLOWS GRPNAME ensemble-internal

the output of euca-describe-group isn't parseable to some tools since its also missing port ranges. Its unclear if this source group declaration for an ingress rule has worked correctly.

Tags: ec2 Edit Tag help
Changed in ensemble:
milestone: none → eureka
importance: Undecided → High
importance: High → Critical
Changed in ensemble:
status: New → Triaged
Changed in ensemble:
assignee: nobody → Kapil Thangavelu (hazmat)
Changed in ensemble:
status: Triaged → In Progress
Thierry Carrez (ttx) wrote :

May be a euca2ools issue -- Which version of euca2ools are you running ?

Changed in nova:
status: New → Incomplete
Vish Ishaya (vishvananda) wrote :

With euca2ools 1.2 it source group with no ip permissions. To maintain compatibility we should be creating allow all rules when we receive requests in this format. So this is a bug IMO

Thierry Carrez (ttx) on 2011-08-26
Changed in nova:
importance: Undecided → Medium
status: Incomplete → Confirmed
Changed in txaws:
status: New → In Progress
assignee: nobody → Kapil Thangavelu (hazmat)
Changed in txaws (Ubuntu):
milestone: none → ubuntu-11.10-beta-1
Martin Pitt (pitti) on 2011-08-31
Changed in txaws (Ubuntu):
milestone: ubuntu-11.10-beta-1 → ubuntu-11.10-beta-2
Thierry Carrez (ttx) on 2011-09-02
tags: added: security-group
tags: removed: security-group
Changed in txaws (Ubuntu):
status: New → Triaged
importance: Undecided → High
status: Triaged → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package txaws - 0.2-0ubuntu3

---------------
txaws (0.2-0ubuntu3) oneiric; urgency=low

  * debian/patches/fix-handling-nova-securitygroups.patch,
    debian/patches/fix-s3-alternate-port.patch: Fix txaws compatibility
    with OpenStack Nova. (LP: #829609 , LP: #824403)
 -- Clint Byrum <email address hidden> Thu, 15 Sep 2011 13:13:16 -0700

Changed in txaws (Ubuntu):
status: In Progress → Fix Released
Changed in juju:
status: In Progress → Fix Released
Changed in txaws:
status: In Progress → Fix Committed
Changed in txaws:
status: Fix Committed → Fix Released
Chuck Short (zulcss) on 2011-11-21
tags: added: ec2
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers