
yahoo-eng-team team mailing list archive

[Bug 1408236] Re: FWaaS - incorrect behavior in creating firewall with unavailable firewall_policy

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1408236

Title:
  FWaaS - incorrect behavior in creating firewall with unavailable
  firewall_policy

Status in OpenStack Neutron (virtual network service):
  Fix Released

Bug description:
  When creating a firewall under the following conditions, current neutron
  behaves as follows:

  [How to reproduce]
    step1. Create a firewall-policy with the following attributes (CLI/REST-API):
        => shared : false
        => tenant_id : admin-tenant
        ex.
        $ source openrc admin admin
        $ neutron firewall-policy-create policy-admin

    step2. Create a firewall with the following attributes (execute REST-API):
        => tenant_id : general-user-tenant
        => firewall_policy_id : specify the id created at step1.

        ex.
        $ source openrc demo demo
        $ export TOKEN=`keystone token-get | grep ' id ' | get_field 2`
        $ curl -i -X POST -d '{"firewall":{"firewall_policy_id": "05b28301-d7f8-4dbe-9cf0-ef33b6648ae8", "name":"firewall-demo"}}'  -H "content-type: application/json" -H "x-auth-token: $TOKEN" http://localhost:9696/v2.0/fw/firewalls

  [Response]
    {
      "NeutronError": {
        "message": "Firewall Policy 05b28301-d7f8-4dbe-9cf0-ef33b6648ae8 could not be found.",
        "type": "FirewallPolicyNotFound",
        "detail": ""
      }
    }

  The response is shown above.  That is, general-user doesn't have the authorization to refer
  to the firewall-policy that exists on the admin tenant.
  BUT, the firewall is created in general-user-tenant.

  [Status]
  $ source openrc demo demo
  $ neutron firewall-show firewall-demo
  +--------------------+--------------------------------------+
  | Field              | Value                                |
  +--------------------+--------------------------------------+
  | admin_state_up     | True                                 |
  | description        |                                      |
  | firewall_policy_id | 05b28301-d7f8-4dbe-9cf0-ef33b6648ae8 |
  | id                 | cdfbbcb5-7d2f-4819-ad60-e73cb8de02ad |
  | name               | firewall-demo                        |
  | router_ids         |                                      |
  | status             | PENDING_CREATE                       |
  | tenant_id          | 8241aeed3bf84489b545a3329a6f54b8     |
  +--------------------+--------------------------------------+

  Moreover, only a user who has access authorization for the firewall_policy can delete this resource.
  In the above case, the general user cannot delete the firewall resource.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1408236/+subscriptions
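
An audit check for the inconsistent state described in the bug, as an added example that is not part of the original report or of Neutron's code: given firewall and firewall-policy records as an admin listing would return them, it flags firewalls whose policy is missing or not visible to the firewall's own tenant. The function names and the sample IDs are assumptions; the record fields are the ones shown in the report.

```python
# Constructed sample records using the fields shown in the bug report.
# All IDs below are placeholders, not values from a real deployment.
POLICIES = [
    {"id": "pol-admin", "tenant_id": "admin-tenant", "shared": False},
    {"id": "pol-shared", "tenant_id": "admin-tenant", "shared": True},
    {"id": "pol-demo", "tenant_id": "general-user-tenant", "shared": False},
]
FIREWALLS = [
    # The case from the report: tenant references a non-shared admin policy.
    {"id": "fw-1", "tenant_id": "general-user-tenant",
     "firewall_policy_id": "pol-admin", "status": "PENDING_CREATE"},
    {"id": "fw-2", "tenant_id": "general-user-tenant",
     "firewall_policy_id": "pol-shared", "status": "ACTIVE"},
    {"id": "fw-3", "tenant_id": "general-user-tenant",
     "firewall_policy_id": "pol-demo", "status": "ACTIVE"},
    # Policy id that matches no existing policy at all.
    {"id": "fw-4", "tenant_id": "admin-tenant",
     "firewall_policy_id": "pol-deleted", "status": "PENDING_CREATE"},
]


def policy_visible_to(policy, tenant_id):
    """A tenant may use a policy it owns or one marked shared."""
    return policy["shared"] or policy["tenant_id"] == tenant_id


def audit_firewalls(firewalls, policies):
    """Return one finding per firewall whose policy reference is unusable
    by the firewall's own tenant."""
    by_id = {p["id"]: p for p in policies}
    findings = []
    for fw in firewalls:
        policy = by_id.get(fw.get("firewall_policy_id"))
        if policy is None:
            reason = "policy_missing"
        elif not policy_visible_to(policy, fw["tenant_id"]):
            reason = "policy_not_visible_to_tenant"
        else:
            continue
        findings.append({"firewall": fw["id"], "tenant_id": fw["tenant_id"],
                         "firewall_policy_id": fw["firewall_policy_id"],
                         "status": fw["status"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_firewalls(FIREWALLS, POLICIES):
        print(finding)
```
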

