Public bug reported:

Nova provides a proxy for Neutron security groups API. `addSecurityGroup` and `removeSecurityGroup` server actions help the end-user to assign and remove security groups from all the ports of the server.

Nova and Neutron have separate policies for security group manipulations. If Neutron's policies are more strict, i.e., the request passes Nova's validation, but fails with 403 error on Neutron side, Nova raises 500 Internal Error, which hides the root cause from end-user. Expected result would be re-raising 403 error from Neutron to give more visibility to end-user.

In addition, handling of Neutron's 400 BadRequest is different in `addSecurityGroup` and `removeSecurityGroup` server actions. `addSecurityGroup` propagates the error to the end-user, versus `removeSecurityGroup` raises 500 InternalError.

addSecurityGroup behaviour
https://github.com/openstack/nova/blob/73012258e772b8beaf9cee92ac785268a2bb906b/nova/network/security_group_api.py#L635-L638
+
https://github.com/openstack/nova/blob/73012258e772b8beaf9cee92ac785268a2bb906b/nova/api/openstack/compute/security_groups.py#L429-L430

removeSecurityGroup behaviour
https://github.com/openstack/nova/blob/73012258e772b8beaf9cee92ac785268a2bb906b/nova/network/security_group_api.py#L695-L699

** Affects: nova
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2074085

Title:
  addSecurityGroup and removeSecurityGroup server actions hide 403 from Neutron

Status in OpenStack Compute (nova):
  New
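The status-code handling this report describes, modelled as an added example (not Nova or Neutron code, and not part of the report). All class and function names are hypothetical, and the upstream call is a constructed stand-in for Neutron's port update.

```python
# Added illustration; every name here is hypothetical, not Nova or Neutron code.
class StatusError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

class UpstreamError(StatusError):
    """Error returned by the backing service (Neutron's role in the report)."""

class HTTPError(StatusError):
    """Error the proxy returns to the end-user."""

def upstream_update_port(policy_allows, group_valid=True):
    """Constructed stand-in for the backing service's port update."""
    if not policy_allows:
        raise UpstreamError(403, "policy does not allow this operation")
    if not group_valid:
        raise UpstreamError(400, "invalid security group")
    return "updated"

def call_reported(action, **kwargs):
    """Behaviour as reported: only 'add' passes 400 through, 403 is never passed."""
    try:
        return upstream_update_port(**kwargs)
    except UpstreamError as exc:
        if action == "add" and exc.status == 400:
            raise HTTPError(400, str(exc)) from exc
        raise HTTPError(500, "Internal Error") from exc  # root cause hidden

PASS_THROUGH = {400, 403}  # client errors the end-user can act on

def call_expected(action, **kwargs):
    """Expected behaviour: both actions share one mapping and keep 400/403."""
    try:
        return upstream_update_port(**kwargs)
    except UpstreamError as exc:
        if exc.status in PASS_THROUGH:
            raise HTTPError(exc.status, str(exc)) from exc
        raise HTTPError(500, "Internal Error") from exc

def status_of(handler, action, **kwargs):
    """Return the HTTP status the end-user would see (200 on success)."""
    try:
        handler(action, **kwargs)
        return 200
    except HTTPError as exc:
        return exc.status
```

With one shared mapping, a policy denial from the backing service reaches the end-user and the API logs as a 403 for both actions, so authorization failures stay distinguishable from genuine server faults.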