Comment 3 for bug 1491307

Sreekumar S (sreesiv) wrote : Re: secgroup rules doesn't work for instance immediately

>> So does new nova net security-group-rules are supposed to be applied on existing instance ?

I believe it should, especially important in cases where new rules are added to make the group more restrictive. The admin would think that his rule is applied and safe, whereas actually he needs to manually re-associate that group with 'one of the instances' for it to be applied across all VMs. More details can be seen in the public security bug 1492961 raised by me.

I think it has something to do with the sec group rules not being refreshed in the code path... "refresh_security_group_rules" func not being called, I suppose!

I am new to OpenStack and would like to work on investigating and fixing this issue. I've assigned this to myself. Request reviewers to confirm and discuss the vulnerabilities and possible solutions.