[jira] [Created] (JCLOUDS-1234) openstack-nova - Indeterminate/invalid group reference created in ingress rule if duplicate groups in region

[Geoff Macartney (JIRA)]

Geoff Macartney created JCLOUDS-1234:
----------------------------------------

             Summary: openstack-nova - Indeterminate/invalid group reference 
created in ingress rule if duplicate groups in region
                 Key: JCLOUDS-1234
                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1234
             Project: jclouds
          Issue Type: Bug
          Components: jclouds-compute
    Affects Versions: 2.0.0
            Reporter: Geoff Macartney


When converting a Nova security group to its jclouds representation, the class 
{{FindSecurityGroupWithNameAndReturnTrue}} is used to find a security group in 
the list of groups in a location by matching on name with a “query object”:

https://github.com/apache/jclouds/blob/rel/jclouds-2.0.0/apis/openstack-nova/src/main/java/org/jclouds/openstack/nova/v2_0/predicates/FindSecurityGroupWithNameAndReturnTrue.java#L66-L73

{code}
        SecurityGroup returnVal = Iterables.find(api.get().list(), new 
Predicate<SecurityGroup>() {

            @Override
            public boolean apply(SecurityGroup input) {
               return input.getName().equals(securityGroupInRegion.getName());
            }

         });
{code}

However, it is possible for there to be duplicate group names among the 
security groups in a location. Say we have a location with two groups, G1 and 
G2, both with name “foobar”. In such a case, if a security group G3 has ingress 
rules permitting access from “foobar”, then it is not possible with the Nova 
{{/v2/12345/os-security-groups}} API to know which group is intended, as the 
only  information it returns about referred groups is the tenant id and name:
{code}
                        "group": {
                           "tenant_id": "12345abcde12345abcde12345abcde",
                           "name": "foobar"
                        },
{code}

With this definition of the API the ingress rule is ambiguous. The code for 
{{FindSecurityGroupWithNameAndReturnTrue}} above implicitly assumes that group 
names are distinct, and so it will arbitrarily assign the security access to 
whichever of G1 and G2 it encounters first in the {{find}}, possibly the wrong 
group, thus mapping the rule incorrectly.

The fix for this is probably to switch to using the v3 security groups API in 
Neutron, which returns the actual security group id in the definitions of 
ingress rules and not just the name.







--
This message was sent by Atlassian JIRA
(v6.3.15#6346)