Bug 1877630

Summary: [RHOSP13] neutron security-group-list --tenant-id command can create Security Groups with non-existent project
Product: Red Hat OpenStack
Component: python-neutronclient
Version: 13.0 (Queens)
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Reporter: Yadnesh Kulkarni <ykulkarn>
Assignee: Rodolfo Alonso <ralonsoh>
QA Contact: Toni Freger <tfreger>
CC: amuller, apevec, chrisw, scohen, skaplons
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Clone Of:
: 1877631
Last Closed: 2020-09-21 15:10:26 UTC
Type: Bug
Bug Blocks: 1877631

Description Yadnesh Kulkarni 2020-09-10 03:06:00 UTC
Description of problem:

~~~
(overcloud) [stack@director13 ~]$ openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 640cd3931ff248ae94c79ec12f8f28d6 | service |
| 78c82decabc14c1493b1647bc8bf6791 | admin   |
+----------------------------------+---------+

(overcloud) [stack@director13 ~]$ neutron security-group-list 
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+---------+----------------------------------+----------------------------------------------------------------------+
| id                                   | name    | tenant_id                        | security_group_rules                                                 |
+--------------------------------------+---------+----------------------------------+----------------------------------------------------------------------+
| c1b0edd0-24db-48b8-b83b-638b09642abf | default | 78c82decabc14c1493b1647bc8bf6791 | egress, IPv4                                                         |
|                                      |         |                                  | egress, IPv6                                                         |
|                                      |         |                                  | ingress, IPv4, remote_group_id: c1b0edd0-24db-48b8-b83b-638b09642abf |
|                                      |         |                                  | ingress, IPv6, remote_group_id: c1b0edd0-24db-48b8-b83b-638b09642abf |
+--------------------------------------+---------+----------------------------------+----------------------------------------------------------------------+
~~~

Using the neutron CLI to list security groups in a tenant which does not exist:
~~~
(overcloud) [stack@director13 ~]$ neutron security-group-list --tenant-id some-fake-tenant
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+---------+------------------+----------------------------------------------------------------------+
| id                                   | name    | tenant_id        | security_group_rules                                                 |
+--------------------------------------+---------+------------------+----------------------------------------------------------------------+
| a610f02f-7b37-468f-ae03-0b328c2364c5 | default | some-fake-tenant | egress, IPv4                                                         |
|                                      |         |                  | egress, IPv6                                                         |
|                                      |         |                  | ingress, IPv4, remote_group_id: a610f02f-7b37-468f-ae03-0b328c2364c5 |
|                                      |         |                  | ingress, IPv6, remote_group_id: a610f02f-7b37-468f-ae03-0b328c2364c5 |
+--------------------------------------+---------+------------------+----------------------------------------------------------------------+
~~~

~~~
(overcloud) [stack@director13 ~]$ neutron security-group-list 
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+---------+----------------------------------+----------------------------------------------------------------------+
| id                                   | name    | tenant_id                        | security_group_rules                                                 |
+--------------------------------------+---------+----------------------------------+----------------------------------------------------------------------+
| 5d33a0f2-e7d4-4ccc-a0f7-11d0a165d9ce | default | some-fake-tenant                 | egress, IPv4                                                         |
|                                      |         |                                  | egress, IPv6                                                         |
|                                      |         |                                  | ingress, IPv4, remote_group_id: 5d33a0f2-e7d4-4ccc-a0f7-11d0a165d9ce |
|                                      |         |                                  | ingress, IPv6, remote_group_id: 5d33a0f2-e7d4-4ccc-a0f7-11d0a165d9ce |
| c1b0edd0-24db-48b8-b83b-638b09642abf | default | 78c82decabc14c1493b1647bc8bf6791 | egress, IPv4                                                         |
|                                      |         |                                  | egress, IPv6                                                         |
|                                      |         |                                  | ingress, IPv4, remote_group_id: c1b0edd0-24db-48b8-b83b-638b09642abf |
|                                      |         |                                  | ingress, IPv6, remote_group_id: c1b0edd0-24db-48b8-b83b-638b09642abf |
+--------------------------------------+---------+----------------------------------+----------------------------------------------------------------------+
~~~


Version-Release number of selected component (if applicable):
python-neutron-12.0.6-10.el7ost.noarch
python2-neutronclient-6.7.0-1.el7ost.noarch
python2-neutron-lib-1.13.0-1.el7ost.noarch


How reproducible:
100%

Actual results:
When using "--tenant-id", the existence of the project is not validated and a new security group is created.

Expected results:
Using "--tenant-id" should first check whether the project exists or not, only list security groups in that tenant, and certainly should not create new security groups.


Additional info: