
yahoo-eng-team team mailing list archive

[Bug 1446074] [NEW] FWaaS - Missing tenant_id validation between firewall and firewall_policy in creating/updating firewall

 

Public bug reported:

When creating/updating a firewall, a tenant_id check is not implemented in validation.
Therefore, when executing the following operation with admin privilege,
errors keep being traced into neutron's log even though the firewall has been created.

[Operation]
1. Create firewall-policy(shared=False) in alt_demo tenant.
  $ source devstack/openrc alt_demo alt_demo
2. Change privilege from alt_demo to admin(in demo tenant)
  $ source devstack/openrc admin demo
3. Create firewall using firewall-policy in alt_demo tenant.
  $ neutron firewall-create <firewall-policy-in-alt_demo> --name my_fw

[Result]
Created a new firewall:
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 40648e44-2175-4ad7-b190-93179900ac63 |
| id                 | fff7cbc0-1896-4b6c-8dee-633df68624c2 |
| name               | my_fw                                |
| router_ids         | cab4d01f-053b-4e07-a764-d829e66a3f6e |
| status             | PENDING_CREATE                       |
| tenant_id          | 65ecf5dfa6f8484f81027d3b25af1dbc     |
+--------------------+--------------------------------------+

[Error log] (tracing continues...)
ERROR oslo_messaging.rpc.dispatcher [req-bedc6d68-268d-4be0-8e68-9c14bf659390 None 65ecf5dfa6f8484f81027d3b25af1dbc] Exception during message handling: Firewall Policy 40648e44-2175-4ad7-b190-93179900ac63 could not be found.
TRACE oslo_messaging.rpc.dispatcher Traceback (most recent call last):
TRACE oslo_messaging.rpc.dispatcher   File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 142, in _dispatch_and_reply
TRACE oslo_messaging.rpc.dispatcher     executor_callback))
TRACE oslo_messaging.rpc.dispatcher   File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 186, in _dispatch
TRACE oslo_messaging.rpc.dispatcher     executor_callback)
TRACE oslo_messaging.rpc.dispatcher   File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 130, in _do_dispatch
TRACE oslo_messaging.rpc.dispatcher     result = func(ctxt, **new_args)
TRACE oslo_messaging.rpc.dispatcher   File "/opt/stack/neutron-fwaas/neutron_fwaas/services/firewall/fwaas_plugin.py", line 85, in get_firewalls_for_tenant
TRACE oslo_messaging.rpc.dispatcher     context, fw['id'])
TRACE oslo_messaging.rpc.dispatcher   File "/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/firewall_db.py", line 169, in _make_firewall_dict_with_rules
TRACE oslo_messaging.rpc.dispatcher     fw_policy = self.get_firewall_policy(context, fw_policy_id)
TRACE oslo_messaging.rpc.dispatcher   File "/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/firewall_db.py", line 395, in get_firewall_policy
TRACE oslo_messaging.rpc.dispatcher     fwp = self._get_firewall_policy(context, id)
TRACE oslo_messaging.rpc.dispatcher   File "/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/firewall_db.py", line 103, in _get_firewall_policy
TRACE oslo_messaging.rpc.dispatcher     raise fw_ext.FirewallPolicyNotFound(firewall_policy_id=id)
TRACE oslo_messaging.rpc.dispatcher FirewallPolicyNotFound: Firewall Policy 40648e44-2175-4ad7-b190-93179900ac63 could not be found.
TRACE oslo_messaging.rpc.dispatcher
ERROR oslo_messaging._drivers.common [req-bedc6d68-268d-4be0-8e68-9c14bf659390 None 65ecf5dfa6f8484f81027d3b25af1dbc] Returning exception Firewall Policy 40648e44-2175-4ad7-b190-93179900ac63 could not be found. to caller
ERROR oslo_messaging._drivers.common [req-bedc6d68-268d-4be0-8e68-9c14bf659390 None 65ecf5dfa6f8484f81027d3b25af1dbc] ['Traceback (most recent call last):\n', '  File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 142, in _dispatch_and_reply\n    executor_callback))\n', '  File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 186, in _dispatch\n    executor_callback)\n', '  File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 130, in _do_dispatch\n    result = func(ctxt, **new_args)\n', '  File "/opt/stack/neutron-fwaas/neutron_fwaas/services/firewall/fwaas_plugin.py", line 85, in get_firewalls_for_tenant\n    context, fw[\'id\'])\n', '  File "/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/firewall_db.py", line 169, in _make_firewall_dict_with_rules\n    fw_policy = self.get_firewall_policy(context, fw_policy_id)\n', '  File "/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/firewall_db.py", line 395, in get_firewall_policy\n    fwp = self._get_firewall_policy(context, id)\n', '  File "/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/firewall_db.py", line 103, in _get_firewall_policy\n    raise fw_ext.FirewallPolicyNotFound(firewall_policy_id=id)\n', 'FirewallPolicyNotFound: Firewall Policy 40648e44-2175-4ad7-b190-93179900ac63 could not be found.\n']

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1446074

Title:
  FWaaS - Missing tenant_id validation between firewall and
  firewall_policy in creating/updating firewall

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1446074/+subscriptions
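
Added example (not part of the original report and not neutron-fwaas code): a toy in-memory model of the tenant_id check the report says is missing, showing the create succeeding and a later tenant-scoped read failing. It assumes non-admin policy lookups are limited to the tenant's own or shared policies; Context, ToyFirewallDb, PolicyTenantMismatch and reproduce are hypothetical names.

```python
from dataclasses import dataclass

class FirewallPolicyNotFound(Exception):
    """Same name as the exception in the traceback; toy definition."""

class PolicyTenantMismatch(Exception):
    """Hypothetical error for the missing create/update check."""

@dataclass
class Context:
    tenant_id: str
    is_admin: bool = False

class ToyFirewallDb:
    def __init__(self):
        self.policies, self.firewalls = {}, {}

    def get_policy(self, ctx, policy_id):
        # Assumption: non-admin contexts see only own or shared policies.
        p = self.policies.get(policy_id)
        visible = p and (ctx.is_admin or p["shared"] or p["tenant_id"] == ctx.tenant_id)
        if not visible:
            raise FirewallPolicyNotFound(policy_id)
        return p

    def create_firewall(self, ctx, fw_id, policy_id, validate_tenant):
        policy = self.get_policy(ctx, policy_id)  # admin sees every tenant
        # The check the report says is missing: a non-shared policy must
        # belong to the same tenant as the firewall that references it.
        if validate_tenant and not policy["shared"] and policy["tenant_id"] != ctx.tenant_id:
            raise PolicyTenantMismatch(policy_id)
        self.firewalls[fw_id] = {"tenant_id": ctx.tenant_id, "firewall_policy_id": policy_id}

    def firewalls_with_rules(self, ctx):
        # Stand-in for the later tenant-scoped read seen in the traceback.
        return [(fw_id, self.get_policy(ctx, fw["firewall_policy_id"]))
                for fw_id, fw in self.firewalls.items() if fw["tenant_id"] == ctx.tenant_id]

def reproduce(validate_tenant, policy_tenant="alt_demo"):
    db = ToyFirewallDb()
    db.policies["policy-1"] = {"tenant_id": policy_tenant, "shared": False}  # constructed
    try:
        db.create_firewall(Context("demo", is_admin=True), "my_fw", "policy-1", validate_tenant)
    except PolicyTenantMismatch:
        return "rejected-at-create"
    try:
        db.firewalls_with_rules(Context("demo"))
    except FirewallPolicyNotFound:
        return "created-then-lookup-fails"
    return "ok"
```

With the check off, the model reproduces the reported sequence; with it on, the mismatched reference is refused before the firewall is stored.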

