
yahoo-eng-team team mailing list archive

[Bug 1658682] Re: port-security can't be disabled if security groups are not enabled

 

Reviewed:  https://review.openstack.org/466158
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b4687b235fd95d041f419fecda6bc93202699148
Submitter: Jenkins
Branch:    master

commit b4687b235fd95d041f419fecda6bc93202699148
Author: Armando Migliaccio <armamig@xxxxxxxxx>
Date:   Thu May 18 19:52:47 2017 -0700

    Allow port security updates even without security-groups enabled
    
    Port security is useful to enforce anti-spoofing rules, and
    those can operate even in the absence of security groups.
    
    This patch alters the existing code path to allow port_update
    operations even when the admin disables security_groups from
    the deployment.
    
    Closes-bug: 1658682
    
    Change-Id: If1d9a662e362639798ad93ff06d820852b0f0c99


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1658682

Title:
  port-security can't be disabled if security groups are not enabled

Status in neutron:
  Fix Released

Bug description:
  If ml2 has the settings

  [DEFAULT]
  extension_drivers = port_security

  [securitygroup]
  enable_security_group = False

  and one is trying to disable port-security on a given port, he/she
  will fail:

  neutron port-update fad58638-3568-4bcb-8742-d857d138056d --port-security-enabled=False

  Port has security group associated. Cannot disable port security or ip address until security group is removed
  Neutron server returns request_ids: ['req-12cd8a70-88ad-4d2b-bc3c-fcf574b088c4']

  At the same time there is no way to use
  neutron port-update fad58638-3568-4bcb-8742-d857d138056d --no-security-groups
  :
  Unrecognized attribute(s) 'security_groups'
  Neutron server returns request_ids: ['req-1d2227c6-40a0-41e9-92a3-410168462635'

  This causes drastic inconvenience for administrators who run OpenStack
  with disabled security groups: to disable port security one ought to
  disable security group on the same port, and is forced to enable
  security group on server just to disable security group on the port.

  Version: 8.3 (mitaka).

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1658682/+subscriptions

