
yahoo-eng-team team mailing list archive

[Bug 1163469] Re: no obvious way to delete incorrect security rules (added to the default nova security group)


** Changed in: nova
       Status: Fix Committed => Fix Released

** Changed in: nova
    Milestone: None => kilo-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1163469

Title:
  no obvious way to delete incorrect security rules (added to the
  default nova security group)

Status in OpenStack Compute (Nova):
  Fix Released

Bug description:
  Try to add incorrect security rules, like
    1] adding an icmp rule without providing cidr to the default nova security group
      - also, ICMP doesn't run on ports (so providing arbitrary ports for ICMP should be disabled ?)
    2] add an ssh rule, without cidr

  And there appears to be no way to delete these incorrect rules.

  A small test:

  =======
  (~(keystone_admin)$ nova secgroup-list
  +---------+-------------+
  | Name    | Description |
  +---------+-------------+
  | default | default     |
  +---------+-------------+

  (~(keystone_admin)$  nova secgroup-list-rules default

  (~(keystone_admin)$

  
  (~(keystone_user1)]$ nova secgroup-add-group-rule default default icmp -1 -1
  +-------------+-----------+---------+----------+--------------+
  | IP Protocol | From Port | To Port | IP Range | Source Group |
  +-------------+-----------+---------+----------+--------------+
  | icmp        | -1        | -1      |          | default      |
  +-------------+-----------+---------+----------+--------------+

  (~(keystone_user1)]$ nova secgroup-add-group-rule default default icmp 22 22
  +-------------+-----------+---------+----------+--------------+
  | IP Protocol | From Port | To Port | IP Range | Source Group |
  +-------------+-----------+---------+----------+--------------+
  | icmp        | 22        | 22      |          | default      |
  +-------------+-----------+---------+----------+--------------+

  (~(keystone_user1)]$ nova secgroup-list-rules default
  +-------------+-----------+---------+----------+--------------+
  | IP Protocol | From Port | To Port | IP Range | Source Group |
  +-------------+-----------+---------+----------+--------------+
  | icmp        | -1        | -1      |          | default      |
  | icmp        | 22        | 22      |          | default      |
  +-------------+-----------+---------+----------+--------------+
  =======

  -> Now attempt to delete:
  =======
  (~(keystone_user1)]$ nova secgroup-delete-rule default icmp 22 22 
  usage: nova secgroup-delete-rule <secgroup> <ip-proto> <from-port> <to-port>
                                   <cidr>
  error: too few arguments
  =======
  (~(keystone_user1)]$ nova secgroup-delete-rule default icmp 22 22 0.0.0.0/0
  ERROR: 'cidr'
  =======

  
  -> For reference, correct way to add rules:
  =========================================
  (~(keystone_user1)]$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
  +-------------+-----------+---------+-----------+--------------+
  | IP Protocol | From Port | To Port | IP Range  | Source Group |
  +-------------+-----------+---------+-----------+--------------+
  | tcp         | 22        | 22      | 0.0.0.0/0 |              |
  +-------------+-----------+---------+-----------+--------------+
  (~(keystone_user1)]$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
  +-------------+-----------+---------+-----------+--------------+
  | IP Protocol | From Port | To Port | IP Range  | Source Group |
  +-------------+-----------+---------+-----------+--------------+
  | icmp        | -1        | -1      | 0.0.0.0/0 |              |
  +-------------+-----------+---------+-----------+--------------+
  (~(keystone_user1)]$ 

  
  -> Now, I end up with an inconsistent set of rules:
  =============
  (~(keystone_user1)]$ nova secgroup-list-rules default
  +-------------+-----------+---------+-----------+--------------+
  | IP Protocol | From Port | To Port | IP Range  | Source Group |
  +-------------+-----------+---------+-----------+--------------+
  | icmp        | -1        | -1      |           | default      |
  | icmp        | -1        | -1      | 0.0.0.0/0 |              |
  | icmp        | 22        | 22      |           | default      |
  | tcp         | 22        | 22      | 0.0.0.0/0 |              |
  +-------------+-----------+---------+-----------+--------------+
  (~(keystone_user1)]$
  =============

  
  Actual results:
  Incorrect/invalid rules can be created.

  Expected results:
  Incorrect/invalid rules should be sanitized. In case they're allowed, there should be a way to delete them.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1163469/+subscriptions
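The following is an added example, not code from the bug report or from nova. It parses the ASCII table that `nova secgroup-list-rules` prints (the "inconsistent set of rules" table above is embedded as constructed sample input) and flags the two problems the report describes: group-sourced rules with an empty IP Range, which `nova secgroup-delete-rule` cannot address because that command takes a `<cidr>` argument, and ICMP rules whose From/To columns carry port-like values. For ICMP, nova stores the ICMP type and code in the port columns (valid values -1 or 0..255), so the check reports an out-of-range pair as invalid and any other non-wildcard pair as "verify intent". The reason codes, and the extra check that a group-sourced rule is already covered by a 0.0.0.0/0 rule for the same protocol and ports, are this example's own conventions, not nova's.

```python
"""Audit the rule table printed by `nova secgroup-list-rules` for rules that
are hard to remove or that look mistyped. Added example; not nova code."""

# Constructed sample input: the rule table from the bug report, verbatim.
SAMPLE_TABLE = """\
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| icmp        | 22        | 22      |           | default      |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
"""


def parse_rule_table(text):
    """Turn novaclient's ASCII table into a list of dicts keyed by header name."""
    header = None
    rules = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip the +-----+ border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rules.append(dict(zip(header, cells)))
    return rules


def audit_rules(rules):
    """Return (rule_index, reason_code) pairs for rules worth a second look.

    Reason codes (this example's own convention):
      GROUP_SOURCED      empty IP Range: secgroup-delete-rule (which needs a
                         CIDR) cannot target this rule
      NO_SOURCE          neither an IP Range nor a Source Group
      SHADOWED_BY_ANY    a 0.0.0.0/0 rule with the same proto/ports exists,
                         so this group-sourced rule adds nothing
      ICMP_OUT_OF_RANGE  ICMP type/code outside -1..255 (invalid)
      ICMP_TYPE_CODE     ICMP with a specific type/code: verify these were
                         not meant as TCP/UDP port numbers
    """
    findings = []
    # Index the rules open to the whole Internet for the shadow check.
    open_to_all = {
        (r["IP Protocol"].lower(), r["From Port"], r["To Port"])
        for r in rules
        if r["IP Range"] == "0.0.0.0/0"
    }
    for i, r in enumerate(rules):
        proto = r["IP Protocol"].lower()
        lo, hi = int(r["From Port"]), int(r["To Port"])
        cidr, group = r["IP Range"], r["Source Group"]

        if not cidr and group:
            findings.append((i, "GROUP_SOURCED"))
            if (proto, r["From Port"], r["To Port"]) in open_to_all:
                findings.append((i, "SHADOWED_BY_ANY"))
        elif not cidr:
            findings.append((i, "NO_SOURCE"))

        if proto == "icmp":
            # nova keeps ICMP type in From Port and ICMP code in To Port.
            if not all(-1 <= v <= 255 for v in (lo, hi)):
                findings.append((i, "ICMP_OUT_OF_RANGE"))
            elif (lo, hi) != (-1, -1):
                findings.append((i, "ICMP_TYPE_CODE"))
    return findings


def describe(rules, findings):
    """Render findings as one line per problem, e.g. for a periodic audit job."""
    lines = []
    for i, code in findings:
        r = rules[i]
        lines.append(
            "%-5s %4s/%-4s range=%-9s group=%-8s %s"
            % (r["IP Protocol"], r["From Port"], r["To Port"],
               r["IP Range"] or "-", r["Source Group"] or "-", code)
        )
    return lines


if __name__ == "__main__":
    parsed = parse_rule_table(SAMPLE_TABLE)
    for line in describe(parsed, audit_rules(parsed)):
        print(line)
```

Run against the sample table, the audit reports both group-sourced ICMP rules as unreachable by `secgroup-delete-rule`, marks the `icmp -1 -1` group rule as redundant next to its `0.0.0.0/0` twin, and asks for the `icmp 22 22` pair to be verified; the two `0.0.0.0/0` rules produce no findings. To audit a live tenant, pipe the real `nova secgroup-list-rules <group>` output into `parse_rule_table` instead of the constructed sample.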