
yahoo-eng-team team mailing list archive

[Bug 1263997] Re: Admin cannot create or get default security group for projects

 

[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1263997

Title:
  Admin cannot create or get default security group for projects

Status in neutron:
  Expired

Bug description:
  The default security group is created lazily the first time it is
  requested via a GET. However, this functionality is dependent upon
  pulling the tenant_id from the token.

  This means that an admin user cannot get or create the default
  security group for arbitrary tenant X. Attempting to do something like
  GET /security-groups?tenant_id=X yields an empty result. And
  attempting to create the default group via POST /security-groups
  {'name': 'default'} results in a 409 even though the default security
  group does not actually exist.

  Note that if an admin user creates a non-default security group for an
  arbitrary project (i.e. any security group where the name is not
  'default'), the default security group will be created as a side
  effect.

  Another side effect of this lazy creation is that when an admin user
  is attempting to get security groups for another project (via GET
  security-groups?tenant_id=X), the default security group may be
  created for the admin project (because it is the tenant that is actually
  scoped in the token).

  Warning, personal opinion below:
  Generally speaking, I think the lazy and silent creation of the default security group causes a lot of problems for the integrity of the API. Now a GET is creating something (and thus is technically no longer idempotent) and a POST to create an arbitrary security group may also silently create the default security group.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1263997/+subscriptions
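
The behaviour described in the bug report above, as an added example that is not part of the original message and is not Neutron's code: a simplified in-memory model in which lazy creation on list is keyed on the token's tenant rather than the tenant named in the request. The class, method and tenant names are hypothetical, and the reserved-name check that produces the 409 is an assumption about how the conflict arises.

```python
# Simplified model of the reported behaviour. NOT Neutron's implementation.
class Conflict(Exception):
    """Stands in for an HTTP 409 response."""


class SecurityGroupAPI:
    def __init__(self):
        self.groups = []  # (tenant_id, name) pairs, in creation order

    def _ensure_default(self, tenant_id):
        if (tenant_id, "default") not in self.groups:
            self.groups.append((tenant_id, "default"))

    @staticmethod
    def _target(token_tenant, is_admin, tenant_id):
        # Only an admin may act on a tenant other than the token's own.
        return tenant_id if (is_admin and tenant_id) else token_tenant

    def list_groups(self, token_tenant, is_admin=False, tenant_id=None):
        # Lazy creation uses the token's tenant, not the tenant in the filter.
        self._ensure_default(token_tenant)
        target = self._target(token_tenant, is_admin, tenant_id)
        return [g for g in self.groups if g[0] == target]

    def create_group(self, token_tenant, name, is_admin=False, tenant_id=None):
        target = self._target(token_tenant, is_admin, tenant_id)
        if name == "default":
            # Assumption: the name is reserved for the lazy path, so an
            # explicit create is refused even when no default exists yet.
            raise Conflict("default security group already exists")
        self._ensure_default(target)  # silent side effect of an unrelated POST
        self.groups.append((target, name))
        return (target, name)


def demo():
    """Replay the three admin requests from the report against the model."""
    api, out = SecurityGroupAPI(), {}
    out["admin_list_X"] = api.list_groups("admin", True, "X")
    out["admin_got_default"] = ("admin", "default") in api.groups
    try:
        api.create_group("admin", "default", True, "X")
        out["post_default"] = 201
    except Conflict:
        out["post_default"] = 409
    out["X_default_exists_after_409"] = ("X", "default") in api.groups
    api.create_group("admin", "web", True, "X")
    out["X_after_other_post"] = api.list_groups("admin", True, "X")
    return out
```
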

