yahoo-eng-team team mailing list archive
Message #83970
[Bug 1896588] [NEW] [Security Groups] When using neutron CLI, if non-existing project is given when listing the SGs, a default SG is created
Public bug reported:
When using the Neutron CLI, if the SGs are listed and a project is
passed (as filter), even if the project does not exist, a default SG is
created for this project.
This is happening when the user has admin permissions.
Example: http://paste.openstack.org/show/798194/
This is not happening with the OSC because the filter parameters are tested. Example:
    stack@dev18:/opt/stack$ openstack security group list --project wrong_project_2
    No project with a name or ID of 'wrong_project_2' exists.
Checking if the project exists, when this argument is passed, is
expensive (a call to keystone must be done). This is also happening only
when using the deprecated Neutron CLI. Instead of making this check
inline, I would propose an api-paste method to check, in any API call,
the existence of the project if the argument is passed. This check can
be disabled only by removing this filter from the api-paste config.
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1896588
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1896588/+subscriptions
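
The api-paste check proposed in the report, sketched as an added example (not code from the report or from neutron): a plain WSGI filter that rejects a request whose project filter names an unknown project before it reaches the API, with a small cache because the report notes the Keystone lookup is expensive. The class name, the `project_exists` callable, the `known_projects` option and the 400 response are assumptions made for illustration.

```python
# Added illustration: a plain WSGI filter in the paste "filter_factory" style.
# ProjectExistsFilter, project_exists and known_projects are hypothetical names;
# a real deployment would back project_exists with a Keystone lookup.
import json
import time
from urllib.parse import parse_qs


class ProjectExistsFilter:
    """Reject requests whose project filter names a project that does not exist."""

    PARAMS = ("project_id", "tenant_id")

    def __init__(self, app, project_exists, ttl=300, max_entries=1024):
        self.app = app
        self.project_exists = project_exists  # callable(str) -> bool
        self.ttl = ttl
        self.max_entries = max_entries
        self._cache = {}  # project -> (exists, expiry time)

    def _exists(self, project):
        now = time.monotonic()
        hit = self._cache.get(project)
        if hit and hit[1] > now:
            return hit[0]
        if len(self._cache) >= self.max_entries:
            self._cache.clear()  # bound memory: keys come from the request
        found = bool(self.project_exists(project))
        self._cache[project] = (found, now + self.ttl)
        return found

    def __call__(self, environ, start_response):
        query = parse_qs(environ.get("QUERY_STRING", ""))
        for name in self.PARAMS:
            for project in query.get(name, []):
                if not self._exists(project):
                    msg = {"error": "No project %r exists" % project}
                    body = json.dumps(msg).encode()
                    start_response("400 Bad Request", [
                        ("Content-Type", "application/json"),
                        ("Content-Length", str(len(body)))])
                    return [body]  # the wrapped API is never called
        return self.app(environ, start_response)


def filter_factory(global_conf, **local_conf):
    # Stand-in for a Keystone client: a whitespace-separated list of projects.
    known = set(local_conf.get("known_projects", "").split())
    return lambda app: ProjectExistsFilter(app, known.__contains__)
```

Negative results are cached for `ttl` seconds too, so a project created right after a failed lookup is rejected until the entry expires.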