If users belong to the same tenant, the security groups and the rules within them are shared between all the users in this tenant, which means anyone in this tenant can get, update or delete the rules created by anyone in this tenant.
If users belong to different tenants, the security groups and the rules within them are not shared across different tenants. The user needs to specify the security group's name to delete the rule within it. "Security group not found" will be returned if User B in Tenant B tries to delete a security group created by User A in Tenant A. The same result will be returned if User B in Tenant B tries to delete a rule created by User A in Tenant A for the security group.

** Changed in: nova
       Status: Confirmed => Opinion

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1001118

Title:
  DELETE request for 'Security group rule' of another user is throwing error code 500

Status in OpenStack Compute (Nova):
  Opinion

Bug description:
  When another user who is not the owner of the rule tries to delete a user's security group rule, an error code of 500 is thrown.

  Steps to reproduce:
  1. Create two users A and B
  2. Create a security group and assign rule 'R' using credentials of A
  3. Try to DELETE rule 'R' using credentials of B

  Expected Result:
  The error message should indicate that the rule is not found, i.e. an error code of 404 should be returned, indicating a NotFound exception.

  Actual Result:
  novaclient.exceptions.ClientException: The server has either erred or is incapable of performing the requested operation.
  (HTTP 500)

  LOG:

  rajalakshmi_ganesan@pshys0183~tests:-)>./apitool.py DELETE os-security-group-rules/1
  {"computeFault": {"message": "The server has either erred or is incapable of performing the requested operation.", "code": 500}}
  Traceback (most recent call last):
    File "./apitool.py", line 75, in <module>
      resp, body = get_action_func(nclient, args.verb[0])(path)
    File "/usr/local/lib/python2.7/dist-packages/python_novaclient-2.6.8-py2.7.egg/novaclient/client.py", line 143, in delete
      return self._cs_request(url, 'DELETE', **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/python_novaclient-2.6.8-py2.7.egg/novaclient/client.py", line 121, in _cs_request
      **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/python_novaclient-2.6.8-py2.7.egg/novaclient/client.py", line 104, in request
      raise exceptions.from_response(resp, body)
  novaclient.exceptions.ClientException: The server has either erred or is incapable of performing the requested operation. (HTTP 500)
  rajalakshmi_ganesan@pshys0183~tests:-( >
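The tenant scoping and the 404-instead-of-500 behaviour discussed in this report, as an added sketch that is not nova code and not part of the original message. Store, handle_delete_rule, the tenant names and the 202 success status are assumptions made for the illustration.

```python
# Added illustration: an in-memory model, not nova's implementation.
# All class, function and tenant names here are hypothetical.

class NotFound(Exception):
    """Resource is absent or belongs to another tenant."""


class Store:
    """Constructed stand-in for the security group tables."""

    def __init__(self):
        self.groups = {}  # group_id -> owning tenant_id
        self.rules = {}   # rule_id  -> parent group_id

    def add_group(self, group_id, tenant_id):
        self.groups[group_id] = tenant_id

    def add_rule(self, rule_id, group_id):
        self.rules[rule_id] = group_id

    def delete_rule(self, tenant_id, rule_id):
        group_id = self.rules.get(rule_id)
        # A rule in another tenant's group is reported exactly like a
        # missing rule, so the reply does not reveal which ids exist.
        if group_id is None or self.groups.get(group_id) != tenant_id:
            raise NotFound("Rule not found")
        del self.rules[rule_id]


def handle_delete_rule(store, tenant_id, rule_id):
    """API-layer handler returning (status, body)."""
    try:
        store.delete_rule(tenant_id, rule_id)
    except NotFound as exc:
        # An expected lookup failure maps to 404 rather than escaping
        # as an unhandled exception that surfaces as a 500.
        return 404, {"itemNotFound": {"message": str(exc), "code": 404}}
    return 202, {}


def demo():
    """Constructed scenario: one group with two rules, owned by tenant-a."""
    store = Store()
    store.add_group(1, "tenant-a")
    store.add_rule(1, 1)
    store.add_rule(2, 1)
    return [
        handle_delete_rule(store, "tenant-b", 1)[0],   # other tenant
        handle_delete_rule(store, "tenant-a", 1)[0],   # any user of owner tenant
        handle_delete_rule(store, "tenant-a", 1)[0],   # already deleted
        handle_delete_rule(store, "tenant-b", 99)[0],  # never existed
    ]
```

Ownership is checked per tenant, not per user, which matches the same-tenant sharing described at the top of the message.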