1877631 – [RHOSP16.1] neutron security-group-list --tenant-id command can create Security Groups with non-existent project

Bug 1877631 - [RHOSP16.1] neutron security-group-list --tenant-id command can create Security Groups with non-existent project

Summary: [RHOSP16.1] neutron security-group-list --tenant-id command can create Securi...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-neutron
Sub Component:
Version:	17.0 (Wallaby)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Rodolfo Alonso
QA Contact:	Fiorella Yanac
Docs Contact:
URL:
Whiteboard:
Depends On:	1877630
Blocks:
TreeView+	depends on / blocked

Reported:	2020-09-10 03:11 UTC by Yadnesh Kulkarni
Modified:	2023-12-15 19:15 UTC (History)
CC List:	8 users (show)
Fixed In Version:	openstack-neutron-17.1.0-0.20201216183147.64637e1.el8ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1877630
Environment:
Last Closed:	2022-09-21 12:11:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1896588	None	None	None	2020-09-24 15:56:27 UTC
OpenStack gerrit	753053	None	MERGED	Check project_id/tenant_id in API call	2022-07-11 13:13:10 UTC
Red Hat Issue Tracker	OSP-635	None	None	None	2022-03-24 13:38:58 UTC
Red Hat Product Errata	RHEA-2022:6543	None	None	None	2022-09-21 12:11:54 UTC

Description Yadnesh Kulkarni 2020-09-10 03:11:47 UTC

+++ This bug was initially created as a clone of Bug #1877630 +++

Description of problem:

(overcloud) [stack@director13 ~]$ openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 640cd3931ff248ae94c79ec12f8f28d6 | service |
| 78c82decabc14c1493b1647bc8bf6791 | admin   |
+----------------------------------+---------+

(overcloud) [stack@director13 ~]$ neutron security-group-list 
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+---------+----------------------------------+----------------------------------------------------------------------+
| id                                   | name    | tenant_id                        | security_group_rules                                                 |
+--------------------------------------+---------+----------------------------------+----------------------------------------------------------------------+
| c1b0edd0-24db-48b8-b83b-638b09642abf | default | 78c82decabc14c1493b1647bc8bf6791 | egress, IPv4                                                         |
|                                      |         |                                  | egress, IPv6                                                         |
|                                      |         |                                  | ingress, IPv4, remote_group_id: c1b0edd0-24db-48b8-b83b-638b09642abf |
|                                      |         |                                  | ingress, IPv6, remote_group_id: c1b0edd0-24db-48b8-b83b-638b09642abf |
+--------------------------------------+---------+----------------------------------+----------------------------------------------------------------------+

Using neutron cli to list sec grps in a tenant which does not exist.
~~~
(overcloud) [stack@director13 ~]$ neutron security-group-list --tenant-id some-fake-tenant
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+---------+------------------+----------------------------------------------------------------------+
| id                                   | name    | tenant_id        | security_group_rules                                                 |
+--------------------------------------+---------+------------------+----------------------------------------------------------------------+
| a610f02f-7b37-468f-ae03-0b328c2364c5 | default | some-fake-tenant | egress, IPv4                                                         |
|                                      |         |                  | egress, IPv6                                                         |
|                                      |         |                  | ingress, IPv4, remote_group_id: a610f02f-7b37-468f-ae03-0b328c2364c5 |
|                                      |         |                  | ingress, IPv6, remote_group_id: a610f02f-7b37-468f-ae03-0b328c2364c5 |
+--------------------------------------+---------+------------------+----------------------------------------------------------------------+
~~~

(overcloud) [stack@director13 ~]$ neutron security-group-list 
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+---------+----------------------------------+----------------------------------------------------------------------+
| id                                   | name    | tenant_id                        | security_group_rules                                                 |
+--------------------------------------+---------+----------------------------------+----------------------------------------------------------------------+
| 5d33a0f2-e7d4-4ccc-a0f7-11d0a165d9ce | default | some-fake-tenant                 | egress, IPv4                                                         |
|                                      |         |                                  | egress, IPv6                                                         |
|                                      |         |                                  | ingress, IPv4, remote_group_id: 5d33a0f2-e7d4-4ccc-a0f7-11d0a165d9ce |
|                                      |         |                                  | ingress, IPv6, remote_group_id: 5d33a0f2-e7d4-4ccc-a0f7-11d0a165d9ce |
| c1b0edd0-24db-48b8-b83b-638b09642abf | default | 78c82decabc14c1493b1647bc8bf6791 | egress, IPv4                                                         |
|                                      |         |                                  | egress, IPv6                                                         |
|                                      |         |                                  | ingress, IPv4, remote_group_id: c1b0edd0-24db-48b8-b83b-638b09642abf |
|                                      |         |                                  | ingress, IPv6, remote_group_id: c1b0edd0-24db-48b8-b83b-638b09642abf |
+--------------------------------------+---------+----------------------------------+----------------------------------------------------------------------+


Version-Release number of selected component (if applicable):
puppet-neutron-15.5.1-0.20200514103419.0a45ec7.el8ost.noarch
python3-neutron-lib-1.29.1-0.20200310214054.4ef4b71.el8ost.noarch
python3-neutronclient-6.14.0-0.20200310192910.115f60f.el8ost.noarch


How reproducible:
100%

Actual results:
When using "--tenant-id", existence of a project is not validated and new sec grp is created

Expected results:
Using "--tenant-id" should first check whether the project exists or not and only list sec grps in that tenant and certainly should not create new sec grps.


Additional info:

Comment 15 errata-xmlrpc 2022-09-21 12:11:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

Note You need to log in before you can comment on or make changes to this bug.