Bug 975338 - "quantum security-group-rule-list" from the "admin" tenant shows the security group rules of all tenants
Status: CLOSED NOTABUG
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-cliff (Show other bugs)
3.0
Unspecified Unspecified
unspecified Severity medium
: 4.0
Assigned To: lpeer
Reported: 2013-06-18 03:14 EDT by Rami Vaknin
Modified: 2016-04-26 12:48 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-12-06 17:08:08 EST
Type: Bug
Description Rami Vaknin 2013-06-18 03:14:20 EDT
Version:
Grizzly on rhel6.4 with openstack-quantum-2013.1.2-3.el6ost and python-cliff-1.3-1.el6ost (puddle 2013-06-13.2).

Description:
"quantum security-group-rule-list" running in the "admin" user context shows security group rules of all tenants while it should show security group rules of the admin tenant.
The list of all security group rules should appear only when the "--all-tenant" argument is in use.

[root ~(keystone_admin)]# quantum security-group-rule-list
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| 04b69c0e-4fe1-44ba-b772-794d844e5101 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
| 19d17912-2e20-46d0-bf8d-1fc6c52220ce | default        | egress    |          |                  |              |
| 1f158243-cb24-4950-803a-e19025e1ac9f | default        | egress    |          |                  |              |
| 5acf9b3d-347c-483b-9ab4-e79f4d044918 | default        | ingress   |          |                  | default      |
| 5bb0e605-3bab-45ae-bedd-898f484daec0 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| 5cccde9b-ebae-450a-8590-5d36797ddd9c | default        | ingress   |          |                  | default      |
| 6b5b5d71-123e-41ff-9b93-0b1db724b540 | default        | egress    |          |                  |              |
| 7057ea12-44c1-4090-a93c-dd80ae1c6414 | default        | egress    |          |                  |              |
| 8c53ad7b-565e-433b-809c-b69b40518ad3 | default        | ingress   |          |                  | default      |
| 9bccf920-2da7-4566-b590-eb2fb091f0b2 | default        | ingress   |          |                  | default      |
| af095e7f-55d1-4d90-ac29-7741424ade57 | default        | egress    |          |                  |              |
| b7d7742d-11c3-428f-835f-6191b4303d15 | default        | egress    |          |                  |              |
| ce1708e0-db0b-41f2-894f-d630d63069fe | default        | ingress   |          |                  | default      |
| dc4cd283-6aa1-49a4-ac2d-9d1fd2296e1d | default        | ingress   |          |                  | default      |
| e221c58f-f08b-4b18-a501-7d88c2b6fa27 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| e77e4065-37a8-4f0d-ac06-4e826328e218 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
[root ~(keystone_admin)]# . keystonerc_vlan_186 
[root ~(keystone_vlan_186)]$ quantum security-group-rule-list
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| 19d17912-2e20-46d0-bf8d-1fc6c52220ce | default        | egress    |          |                  |              |
| 9bccf920-2da7-4566-b590-eb2fb091f0b2 | default        | ingress   |          |                  | default      |
| b7d7742d-11c3-428f-835f-6191b4303d15 | default        | egress    |          |                  |              |
| dc4cd283-6aa1-49a4-ac2d-9d1fd2296e1d | default        | ingress   |          |                  | default      |
| e221c58f-f08b-4b18-a501-7d88c2b6fa27 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| e77e4065-37a8-4f0d-ac06-4e826328e218 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+

For instance, security group rule id "e77e4065-37a8-4f0d-ac06-4e826328e218" appears in the output of the "quantum security-group-rule-list" command when running it from both the "admin" tenant and another non-admin tenant.
Comment 2 Bob Kukura 2013-12-06 16:52:03 EST
I propose to close this as NOTABUG. 

All operations in neutron invoked with admin credentials return information for all tenants by default. Changing this behaviour (and adding a --all-tenants parameter to override it) just for security-group-rule-list would make this operation inconsistent with the rest of the neutron API, and lead to confusion. 

Whether the entire neutron API should be modified to require admins to pass --all-tenants to see resources belonging to tenants other than admin can be raised as a separate issue. Such a change would break compatibility with previous versions, and would most likely need to be part of a future major API version upgrade.

Finally, it can't be assumed that names (such as 'default') are unique. To see the security_group_id rather than its name in the output, use "neutron security-group-rule-list --no-nameconv". To see only the rules in a specific security group, use "neutron security-group-rule-list --security_group_id=<security_group_id>".
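
Added example, not part of the bug report or of any comment above: a client-side way to scope an all-tenant admin listing to one tenant, to detect group names such as 'default' that are shared by several groups, and to audit which tenants have ingress rules open to any source. Field names follow the Neutron v2.0 API objects; the sample data and every id in it are constructed placeholders.

```python
from collections import defaultdict

# Constructed samples shaped like Neutron API responses seen with admin
# credentials; every id is a placeholder, not a value from the bug report.
GROUPS = {"security_groups": [
    {"id": "sg-aaa", "name": "default", "tenant_id": "tenant-admin"},
    {"id": "sg-bbb", "name": "default", "tenant_id": "tenant-vlan-186"},
]}
RULES = {"security_group_rules": [
    {"id": "rule-1", "tenant_id": "tenant-admin", "security_group_id": "sg-aaa",
     "direction": "egress", "protocol": None, "remote_ip_prefix": None},
    {"id": "rule-2", "tenant_id": "tenant-vlan-186", "security_group_id": "sg-bbb",
     "direction": "ingress", "protocol": "tcp", "remote_ip_prefix": "0.0.0.0/0"},
    {"id": "rule-3", "tenant_id": "tenant-vlan-186", "security_group_id": "sg-bbb",
     "direction": "ingress", "protocol": "icmp", "remote_ip_prefix": "0.0.0.0/0"},
    {"id": "rule-4", "tenant_id": "tenant-vlan-186", "security_group_id": "sg-bbb",
     "direction": "egress", "protocol": None, "remote_ip_prefix": None},
]}

def rules_for_tenant(rules, tenant_id):
    """Scope an all-tenant admin listing down to one tenant's rules."""
    return [r for r in rules["security_group_rules"] if r["tenant_id"] == tenant_id]

def ambiguous_group_names(groups):
    """Return {name: sorted ids} for names shared by more than one group."""
    by_name = defaultdict(set)
    for g in groups["security_groups"]:
        by_name[g["name"]].add(g["id"])
    return {n: sorted(ids) for n, ids in by_name.items() if len(ids) > 1}

def world_open_ingress(rules):
    """Return {tenant_id: [rule ids]} for ingress rules open to any source."""
    hits = defaultdict(list)
    for r in rules["security_group_rules"]:
        if r["direction"] == "ingress" and r["remote_ip_prefix"] in ("0.0.0.0/0", "::/0"):
            hits[r["tenant_id"]].append(r["id"])
    return dict(hits)

if __name__ == "__main__":
    print(rules_for_tenant(RULES, "tenant-admin"))
    print(ambiguous_group_names(GROUPS))
    print(world_open_ingress(RULES))
```

Keying on security_group_id and tenant_id rather than on the displayed name is what keeps two tenants' 'default' groups from being read as one.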
