OpenStack Compute (nova)

Neutron SecGroup API should validate group name

Bug #1161411 reported by Phil Day on 2013-03-28

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Opinion	Wishlist	Unassigned

Bug Description

The validation of names and groups comes from the security group API driver validate_property() method, and the NativeNovaSecurityGroupAPI and NativeQuantumSecurityGroupAPI in Nova have different rules (Nova blocks empty names and descriptions and quantum does no validation).

Normally an empty name is not an issue, since all SG APIs are based on the ID of the group. However the action to add an instance to a security group takes a name not an ID - and will not accept an empty name. Hence for consistency with Nova behavior the QuantumSecurityGroupAPI should perform the same validation as Nova.

Vish Ishaya (vishvananda) on 2013-04-04

Changed in nova:
status:	New → Triaged
importance:	Undecided → Medium
milestone:	none → havana-1

Russell Bryant (russellb) on 2013-05-21

Changed in nova:
milestone:	havana-1 → havana-2

Revision history for this message

melanie witt (melwitt) wrote on 2013-05-31:

I'm not sure this is needed if "API to add instance to a SecGroup should take ID not Name" (https://bugs.launchpad.net/nova/+bug/1161473) gets done.

Revision history for this message

Phil Day (philip-day) wrote on 2013-05-31:

I think its still worth fixing as a bug in the current API. Any change from names to uuids would presumably need to be part of v3

Revision history for this message

melanie witt (melwitt) wrote on 2013-05-31:

Understood. You're right, the bug I linked will be part of v3.

Revision history for this message

Ala Rezmerita (arezmerita) wrote on 2013-06-24:

I was preparing the patch in order to add validation to QuantumSecurityGroupAPI that actually consist in moving the validate_property method from nova/compute/api.py to nova/network/security_group/security_group_base.py.

This modification imposes those two tests functions must be changed:
1.nova.tests.api.openstack.compute.contrib.test_quantum_security_groups.TestQuantumSecurityGroups.test_get_instance_security_groups (commit https://github.com/openstack/nova/commit/afeb95dfc924ed7e768d76bc5ae4bd4c55e9dcb3
2. nova.tests.api.openstack.compute.contrib.test_quantum_security_groups.TestQuantumSecurityGroups.test_get_instances_security_groups_bindings (commit https://github.com/openstack/nova/commit/5d40fb635b1abac3828245124e392a4c9af52f60)

The primal goal of these two tests is to not test the empty names or descriptions, but to return all the instance_id's and security groups for a given tenant.

Also if I add validation to QuantumSecurityGroupAPI there are several tests functions concerning empty/nonstring names in nova/tests/api/openstack/compute/contrib/test_quantum_security_groups.py that must be also updated (that are empty now)

So what do you think? I’m new in this community so I would like to have your opinion before committing the patch

Revision history for this message

Phil Day (philip-day) wrote on 2013-06-24:

Hi,

I don't see why you need to move the validate_property() method - isn't it more just a question of modifying the (currently null) validate_property method in networks/quantumv2/security_group/quantum_driver.py ?

Updating unit tests when a new constraint is added is to be expected - I recently added a constraint to the vm_state checks for launched_at which meant that lot of data used in unrelated unit tests had to be modified. The tests weren't wrong, they just didn't factor in this new constraint.

Revision history for this message

Ala Rezmerita (arezmerita) wrote on 2013-06-25:

Hi,
thank you Phil for your comment
so the idea to move the validation method is to avoid code replication: the two SecurityGroupAPI classes of nova-network and quantum are derived from SecurityGroupBase (defined in nova/network/security_group/security_group_base.py).

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-06-26: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/34559

Changed in nova:
assignee:	nobody → Ala Rezmerita (arezmerita)
status:	Triaged → In Progress

Russell Bryant (russellb) on 2013-07-17

Changed in nova:
milestone:	havana-2 → havana-3

Revision history for this message

Matt Riedemann (mriedem) wrote on 2013-08-07: Re: Quantum SecGroup API should validate group name

A patch is up in tempest to skip the tests until this is fixed in nova (since the nova review was abandoned):

https://review.openstack.org/#/c/40666/

Thierry Carrez (ttx) on 2013-09-05

Changed in nova:
milestone:	havana-3 → havana-rc1

Russell Bryant (russellb) on 2013-09-11

Changed in nova:
milestone:	havana-rc1 → none
status:	In Progress → Incomplete

Sean Dague (sdague) on 2014-09-16

summary:

- Quantum SecGroup API should validate group name
+ Neutron SecGroup API should validate group name

Revision history for this message

Sean Dague (sdague) wrote on 2014-09-16:

Talking with Phil today on IRC. Because you can now reference by UUID he said this wasn't really an issue they were into digging into any more. I'm changing to Opinion / Wishlist in case someone wants to make this part better in the future.

Changed in nova:
status:	Incomplete → Opinion
importance:	Medium → Wishlist
status:	Opinion → Confirmed

Ala Rezmerita (arezmerita) on 2014-09-17

Changed in nova:
assignee:	Ala Rezmerita (arezmerita) → nobody

Revision history for this message

Markus Zoeller (markus_z) (mzoeller) wrote on 2016-05-17:

#10

See comment #9 (the reset to "confirmed" was by mistake)

Changed in nova:
status:	Confirmed → Opinion

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.