openstack adds new security group on list if project filter provided

Bug #1732716 reported by Shannon Mitchell
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| python-openstackclient | New | Undecided | Unassigned | |

Bug Description

version: python-openstackclient version 3.12.0
command: openstack security group list --project nonexistingproject

When using a multi-domain config domain-admin user, the openstack client tries to do a project show then a list to find the id. It gets an auth error on the list and a 404 when looking up the nonexistingproject. The openstack client then continues to query neutron with something like the following:

curl -g -i -X GET "http://XXX.XXX.XXX.XXX:9696/v2.0/security-groups?tenant_id=nonexistingproject" -H "User-Agent: openstacksdk/0.9.19 keystoneauth1/3.2.0 python-requests/2.18.4 CPython/2.7.10" -H "Accept: application/json" -H "X-Auth-Token: XXXXXXXXXXXXXXXX"

This results in neutron creating a new security group due to the nature of how neutron handles things.

https://bugs.launchpad.net/neutron/+bug/1653025

According to the bug report above, neutron expects the project uuid to be validated before the security-group query. I would expect python-openstackclient to fail on either the auth failure or 404 and not execute the security-group query against neutron. I could imagine that a bunch of stale security groups with non-existing projects could possibly be a security issue?
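
The lookup sequence described in this report, sketched as an added example (not code from python-openstackclient or the reporter): one resolver swallows the 404 and the auth error and passes the raw input on as `tenant_id`, the other fails closed before any neutron query is built. `FakeIdentity`, both resolver functions and the project ID are constructed stand-ins, not real client APIs.

```python
import uuid

class NotFound(Exception): pass      # stands in for the 404 on project show
class Forbidden(Exception): pass     # stands in for the auth error on project list

class FakeIdentity:
    """Constructed stand-in for the identity service as seen by a domain admin."""
    def __init__(self, project_ids):
        self.project_ids = set(project_ids)
    def show(self, name_or_id):
        if name_or_id not in self.project_ids:
            raise NotFound(name_or_id)
        return name_or_id
    def find_by_name(self, name):
        raise Forbidden("project list not permitted for this user")

def resolve_fallthrough(identity, name_or_id):
    """Behaviour the report describes: lookup errors are ignored."""
    for lookup in (identity.show, identity.find_by_name):
        try:
            return lookup(name_or_id)
        except (NotFound, Forbidden):
            continue
    return name_or_id  # unvalidated input is treated as the project ID

def resolve_fail_closed(identity, name_or_id):
    """Behaviour the reporter expects: no validated ID, no query."""
    errors = []
    for lookup in (identity.show, identity.find_by_name):
        try:
            project_id = lookup(name_or_id)
        except (NotFound, Forbidden) as exc:
            errors.append(type(exc).__name__)
            continue
        uuid.UUID(project_id)  # raises ValueError if the result is not UUID-shaped
        return project_id
    raise LookupError(
        f"project {name_or_id!r} not resolved ({', '.join(errors)}); query not sent")

def security_group_query(project_id):
    """Path and filter of the neutron request quoted in the report."""
    return f"/v2.0/security-groups?tenant_id={project_id}"

KNOWN_PROJECT_ID = "3f2b8c1e5d4a4b6f9a7e0c1d2e3f4a5b"  # constructed sample value

if __name__ == "__main__":
    identity = FakeIdentity([KNOWN_PROJECT_ID])
    print(security_group_query(resolve_fallthrough(identity, "nonexistingproject")))
    print(security_group_query(resolve_fail_closed(identity, KNOWN_PROJECT_ID)))
```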
