
yahoo-eng-team team mailing list archive

[Bug 1716219] [NEW] cannot list "default" security group with Neutron API

 

Public bug reported:

Copying from mailing list so it doesn't get lost:
http://lists.openstack.org/pipermail/openstack/2017-June/045114.html

Hello,

I'm trying to add some rules to the "default" security group of a
newly-created project, using the Neutron API 2.0.

However, it seems that the "default" security group is automatically
created but it is not returned by Neutron client's
`list_security_groups()` API call.  My code works just fine if I use any
security group name other than "default".

This is an example interaction, which shows that there is no security
group returned for the project::

    >>> project.id
    u'b26ed1aa29e64c3abeade0a47867eee3'
    >>> response = self.neutron.list_security_groups()  # self.neutron is a neutron_client.v2.Client instance
    >>> secgroups = response['security_groups']
    >>> all_sg_ids = [(sg['id'], sg['tenant_id']) for sg in secgroups]
    >>> all_sg_ids
    [(u'01de4e38-55ea-4b82-8583-274b1bded41a', u'0ff1f3d07fbd4d41892cdf85d7a7d1a9'), ... ]
    >>> len(all_sg_ids)
    17
    >>> project_sg_ids = [(sg['id'], sg['tenant_id']) for sg in secgroups if sg['tenant_id'] == project.id]
    >>> project_sg_ids
    []

Shouldn't the "default" security group be listed there?

In more detail, this is the code I'm using (which, again, works as
expected if I use any security group name other than "default")::

    class Projects(object):
        def __init__(self):
            self.session = get_session()
            self.keystone = keystone_client.Client(session=self.session)
            self.neutron = neutron_client.Client(session=self.session)
            self.nova = nova_client('2', session=self.session)
            # ...

        # ...

        def create(self, form):
            domain = self.keystone.domains.get(config.os_project_domain_id)
            project = self.keystone.projects.create(
                form.name.data,
                domain,
                description=form.description.data,
                enabled=False,  # will enable after configuring it
                # ...
            )
            try:
                response = self.neutron.create_security_group({
                    'security_group': {
                        'tenant_id': project.id,
                        'name': 'default',  # works if I change to e.g. 'TEST'
                        'description': "Default security group",
                    }
                })
            except Conflict:
                # security group already exists, fetch it
                # `find_security_group_by_name()` is a small filter
                # for `list_security_groups()` results
                default_sg = find_security_group_by_name(self.neutron, project.id, 'default')
            # ... do something with the sec group ...

What am I doing wrong?

Thanks,
Riccardo

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1716219
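
An added example, not part of the original report and not Neutron's own code: one way the `find_security_group_by_name()` helper mentioned in the report could be written so that an admin-scoped listing, which returns groups from many projects, never yields another project's "default" group, and so that a missing group fails loudly instead of returning nothing. `SecurityGroupLookupError`, `StubNeutron`, `lookup_outcome` and the sample records are assumptions constructed for illustration.

```python
class SecurityGroupLookupError(Exception):
    """The lookup did not yield exactly one security group."""


def find_security_group_by_name(neutron, project_id, name):
    """Return the one group called `name` that is owned by `project_id`."""
    # neutronclient forwards keyword arguments as server-side query filters.
    response = neutron.list_security_groups(tenant_id=project_id, name=name)
    # Re-check owner and name locally: an admin-scoped listing spans many
    # projects, and several of them can own a group named "default".
    matches = [sg for sg in response['security_groups']
               if sg['tenant_id'] == project_id and sg['name'] == name]
    if len(matches) != 1:
        raise SecurityGroupLookupError(
            "expected 1 group %r in project %s, found %d"
            % (name, project_id, len(matches)))
    return matches[0]


class StubNeutron(object):
    """Constructed stand-in for the client; it ignores filters on purpose."""

    def __init__(self, groups):
        self._groups = groups

    def list_security_groups(self, **filters):
        return {'security_groups': list(self._groups)}


# Constructed sample data: two existing projects, each with a "default" group.
SAMPLE_GROUPS = [
    {'id': 'sg-a-default', 'tenant_id': 'project-a', 'name': 'default'},
    {'id': 'sg-b-default', 'tenant_id': 'project-b', 'name': 'default'},
    {'id': 'sg-b-web', 'tenant_id': 'project-b', 'name': 'web'},
]


def lookup_outcome(project_id, name='default'):
    """Return the matching group id, or 'missing' when the lookup fails."""
    try:
        group = find_security_group_by_name(
            StubNeutron(SAMPLE_GROUPS), project_id, name)
    except SecurityGroupLookupError:
        return 'missing'
    return group['id']


if __name__ == '__main__':
    print(lookup_outcome('project-b'))
    print(lookup_outcome('project-new'))
```

Rules added to the returned group then apply only to the intended project, and the `missing` case reproduces the situation in the report, where the new project's group is absent from the listing.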
