yahoo-eng-team team mailing list archive

[Bug 2074085] [NEW] addSecurityGroup and removeSecurityGroup server actions hide 403 from Neutron

 

Public bug reported:

Nova provides a proxy for the Neutron security groups API.
The `addSecurityGroup` and `removeSecurityGroup` server actions help the
end user to assign and remove security groups from all the ports of the
server.

Nova and Neutron have separate policies for security group manipulations.
If Neutron's policies are more strict, i.e., the request passes Nova's
validation but fails with a 403 error on the Neutron side, Nova raises a
500 Internal Error, which hides the root cause from the end user.

The expected result would be re-raising the 403 error from Neutron to give
more visibility to the end user.

In addition, handling of Neutron's 400 BadRequest is different in the
`addSecurityGroup` and `removeSecurityGroup` server actions.
`addSecurityGroup` propagates the error to the end user, whereas
`removeSecurityGroup` raises a 500 InternalError.

addSecurityGroup behaviour
https://github.com/openstack/nova/blob/73012258e772b8beaf9cee92ac785268a2bb906b/nova/network/security_group_api.py#L635-L638
+
https://github.com/openstack/nova/blob/73012258e772b8beaf9cee92ac785268a2bb906b/nova/api/openstack/compute/security_groups.py#L429-L430

removeSecurityGroup behaviour
https://github.com/openstack/nova/blob/73012258e772b8beaf9cee92ac785268a2bb906b/nova/network/security_group_api.py#L695-L699

** Affects: nova
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2074085
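
The behaviour the report asks for, as an added illustration that is not Nova's or Neutron's code: one decorator relays an upstream 400 or 403 to the caller for both actions and keeps 500 for everything else. All class and function names, and the simulated upstream call, are hypothetical.

```python
import functools

# Hypothetical stand-ins for the upstream (Neutron-side) client errors.
class UpstreamError(Exception):
    status = 500
class UpstreamBadRequest(UpstreamError):
    status = 400
class UpstreamForbidden(UpstreamError):
    status = 403

class ProxyHTTPError(Exception):
    """Error the proxy returns to its own caller (hypothetical)."""
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status

RELAYED = {400, 403}  # upstream statuses that describe the caller's request

def relay_client_errors(action):
    """Translate upstream errors identically for every proxied action."""
    @functools.wraps(action)
    def wrapper(*args, **kwargs):
        try:
            return action(*args, **kwargs)
        except UpstreamError as exc:
            if exc.status in RELAYED:
                raise ProxyHTTPError(exc.status, str(exc)) from exc
            # Anything else is a real failure between proxy and upstream.
            raise ProxyHTTPError(500, "upstream request failed") from exc
    return wrapper

def fake_port_update(policy_allows=True, group_valid=True):
    """Constructed upstream call: policy check first, then input check."""
    if not policy_allows:
        raise UpstreamForbidden("policy does not allow updating this port")
    if not group_valid:
        raise UpstreamBadRequest("security group not valid for this port")
    return "updated"

# Both proxied actions share the same translation, so they cannot diverge.
add_security_group = relay_client_errors(fake_port_update)
remove_security_group = relay_client_errors(fake_port_update)

def status_of(action, **kwargs):
    """HTTP status the proxy's caller would see for this call."""
    try:
        action(**kwargs)
        return 200
    except ProxyHTTPError as exc:
        return exc.status
```

Calling `status_of(remove_security_group, policy_allows=False)` yields 403 rather than 500, and the add and remove paths return the same status for the same upstream error.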