Bug 975338

Summary: "quantum security-group-rule-list" from the "admin" tenant shows the security group rules of all tenants
Product: Red Hat OpenStack
Reporter: Rami Vaknin <rvaknin>
Component: python-cliff
Assignee: lpeer <lpeer>
Status: CLOSED NOTABUG
Severity: medium
Priority: unspecified
Version: 3.0
CC: rkukura, yeylon
Target Milestone: ---
Target Release: 4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-12-06 22:08:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Rami Vaknin 2013-06-18 07:14:20 UTC
Version:
Grizzly on rhel6.4 with openstack-quantum-2013.1.2-3.el6ost and python-cliff-1.3-1.el6ost (puddle 2013-06-13.2).

Description:
"quantum security-group-rule-list" running in the "admin" user context shows the security group rules of all tenants, while it should show the security group rules of the admin tenant only.
The list of all security group rules should appear only when the "--all-tenant" argument is in use.

[root ~(keystone_admin)]# quantum security-group-rule-list
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| 04b69c0e-4fe1-44ba-b772-794d844e5101 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
| 19d17912-2e20-46d0-bf8d-1fc6c52220ce | default        | egress    |          |                  |              |
| 1f158243-cb24-4950-803a-e19025e1ac9f | default        | egress    |          |                  |              |
| 5acf9b3d-347c-483b-9ab4-e79f4d044918 | default        | ingress   |          |                  | default      |
| 5bb0e605-3bab-45ae-bedd-898f484daec0 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| 5cccde9b-ebae-450a-8590-5d36797ddd9c | default        | ingress   |          |                  | default      |
| 6b5b5d71-123e-41ff-9b93-0b1db724b540 | default        | egress    |          |                  |              |
| 7057ea12-44c1-4090-a93c-dd80ae1c6414 | default        | egress    |          |                  |              |
| 8c53ad7b-565e-433b-809c-b69b40518ad3 | default        | ingress   |          |                  | default      |
| 9bccf920-2da7-4566-b590-eb2fb091f0b2 | default        | ingress   |          |                  | default      |
| af095e7f-55d1-4d90-ac29-7741424ade57 | default        | egress    |          |                  |              |
| b7d7742d-11c3-428f-835f-6191b4303d15 | default        | egress    |          |                  |              |
| ce1708e0-db0b-41f2-894f-d630d63069fe | default        | ingress   |          |                  | default      |
| dc4cd283-6aa1-49a4-ac2d-9d1fd2296e1d | default        | ingress   |          |                  | default      |
| e221c58f-f08b-4b18-a501-7d88c2b6fa27 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| e77e4065-37a8-4f0d-ac06-4e826328e218 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
[root ~(keystone_admin)]# . keystonerc_vlan_186 
[root ~(keystone_vlan_186)]$ quantum security-group-rule-list
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| 19d17912-2e20-46d0-bf8d-1fc6c52220ce | default        | egress    |          |                  |              |
| 9bccf920-2da7-4566-b590-eb2fb091f0b2 | default        | ingress   |          |                  | default      |
| b7d7742d-11c3-428f-835f-6191b4303d15 | default        | egress    |          |                  |              |
| dc4cd283-6aa1-49a4-ac2d-9d1fd2296e1d | default        | ingress   |          |                  | default      |
| e221c58f-f08b-4b18-a501-7d88c2b6fa27 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| e77e4065-37a8-4f0d-ac06-4e826328e218 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+

For instance, security group rule id "e77e4065-37a8-4f0d-ac06-4e826328e218" appears in the output of the "quantum security-group-rule-list" command when running it from both the "admin" tenant and another non-admin tenant.

Comment 2 Bob Kukura 2013-12-06 21:52:03 UTC
I propose to close this as NOTABUG. 

All operations in neutron invoked with admin credentials return information for all tenants by default. Changing this behaviour (and adding a --all-tenants parameter to override it) just for security-group-rule-list would make this operation inconsistent with the rest of the neutron API, and lead to confusion. 

Whether the entire neutron API should be modified to require admins to pass --all-tenants to see resources belonging to tenants other than admin can be raised as a separate issue. Such a change would break compatibility with previous versions, and would most likely need to be part of a future major API version upgrade.

Finally, it can't be assumed that names (such as 'default') are unique. To see the security_group_id rather than its name in the output, use "neutron security-group-rule-list --no-nameconv". To see only the rules in a specific security group, use "neutron security-group-rule-list --security_group_id=<security_group_id>".
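As an added illustration (not part of the bug report or of the neutron client code), the following Python parses two listings in the table format shown in the description, one taken from the admin context and one from a tenant context, and reports the rule ids the admin sees that the tenant does not, i.e. rules belonging to other tenants. It keys on rule id rather than on the security_group name, for the reason given in comment 2; the sample tables are constructed from the ids in the report, not live output.

```python
"""Compare an admin-context `quantum security-group-rule-list` listing with
a tenant-context listing. Rules visible to admin but not to the tenant
belong to other tenants (admin credentials return every tenant's rules).
Tables are constructed from the report's output; they are not live data."""

ADMIN_VIEW = """\
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| 04b69c0e-4fe1-44ba-b772-794d844e5101 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
| 19d17912-2e20-46d0-bf8d-1fc6c52220ce | default        | egress    |          |                  |              |
| 5bb0e605-3bab-45ae-bedd-898f484daec0 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| 9bccf920-2da7-4566-b590-eb2fb091f0b2 | default        | ingress   |          |                  | default      |
| e77e4065-37a8-4f0d-ac06-4e826328e218 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
"""

TENANT_VIEW = """\
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| 19d17912-2e20-46d0-bf8d-1fc6c52220ce | default        | egress    |          |                  |              |
| 9bccf920-2da7-4566-b590-eb2fb091f0b2 | default        | ingress   |          |                  | default      |
| e77e4065-37a8-4f0d-ac06-4e826328e218 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
"""

def parse_table(text):
    """Rows of a cliff/prettytable listing as dicts keyed by column name."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):    # skip +----+ border lines
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells              # first pipe-delimited line is the header
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def foreign_rules(admin_text, tenant_text):
    """Rules the admin sees that the tenant does not, keyed by rule id.
    Rule ids are used because security_group names (e.g. 'default')
    are not unique across tenants."""
    tenant_ids = {r["id"] for r in parse_table(tenant_text)}
    return {r["id"]: r for r in parse_table(admin_text)
            if r["id"] not in tenant_ids}
```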