Re: [Openstack] [neutron] cannot list "default" security group with Neutron API?

2017-07-23 Thread Kevin Benton
Hi,

This sounds like it may be a bug. My guess is that when we switched to
project ID a hook was not updated to create the default security group when
a project ID is passed instead of a tenant ID (this logic [1] in
particular).

Can you please file a bug on Launchpad and reference this email thread? We
should be able to get it fixed pretty quickly.

[1] https://github.com/openstack/neutron/blob/71d9aab87e37b5162ef09b8cbe3b72709fc88a8b/neutron/db/securitygroups_db.py#L146-L153

Cheers,
Kevin Benton

On Tue, Jun 27, 2017 at 3:30 AM, Riccardo Murri wrote:

> Hello,
>
> I'm trying to add some rules to the "default" security group of a
> newly-created project, using the Neutron API 2.0.
>
> However, it seems that the "default" security group is automatically
> created but it is not returned by Neutron client's
> `list_security_groups()` API call.  My code works just fine if I use any
> security group name other than "default".
>
> This is an example interaction, which shows that there is no security
> group returned for the project::
>
>     >>> project.id
>     u'b26ed1aa29e64c3abeade0a47867eee3'
>     >>> response = self.neutron.list_security_groups()  # self.neutron is a neutron_client.v2.Client instance
>     >>> secgroups = response['security_groups']
>     >>> all_sg_ids = [(sg['id'], sg['tenant_id']) for sg in secgroups]
>     >>> all_sg_ids
>     [(u'01de4e38-55ea-4b82-8583-274b1bded41a', u'0ff1f3d07fbd4d41892cdf85d7a7d1a9'), ... ]
>     >>> len(all_sg_ids)
>     17
>     >>> project_sg_ids = [(sg['id'], sg['tenant_id']) for sg in secgroups if sg['tenant_id'] == project.id]
>     >>> project_sg_ids
>     []
>
> Shouldn't the "default" security group be listed there?
>
> In more detail, this is the code I'm using (which, again, works as
> expected if I use any security group name other than "default")::
>
>     class Projects(object):
>         def __init__(self):
>             self.session = get_session()
>             self.keystone = keystone_client.Client(session=self.session)
>             self.neutron = neutron_client.Client(session=self.session)
>             self.nova = nova_client('2', session=self.session)
>             # ...
>
>         # ...
>
>         def create(self, form):
>             domain = self.keystone.domains.get(config.os_project_domain_id)
>             project = self.keystone.projects.create(
>                 form.name.data,
>                 domain,
>                 description=form.description.data,
>                 enabled=False,  # will enable after configuring it
>                 # ...
>             )
>             try:
>                 response = self.neutron.create_security_group({
>                     'security_group': {
>                         'tenant_id': project.id,
>                         'name': 'default',  # works if I change to e.g. 'TEST'
>                         'description': "Default security group",
>                     }
>                 })
>             except Conflict:
>                 # security group already exists, fetch it
>                 # `find_security_group_by_name()` is a small filter
>                 # for `list_security_groups()` results
>                 default_sg = find_security_group_by_name(self.neutron, project.id, 'default')
>             # ... do something with the sec group ...
>
> What am I doing wrong?
>
> Thanks,
> Riccardo
>
> --
> Riccardo Murri
> http://www.s3it.uzh.ch/about/team/#Riccardo.Murri
>
> S3IT: Services and Support for Science IT
> University of Zurich
> Winterthurerstrasse 190, CH-8057 Zürich (Switzerland)
>
> Tel: +41 44 635 4208
> Fax: +41 44 635 6888
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


[Openstack] [neutron] cannot list "default" security group with Neutron API?

2017-06-27 Thread Riccardo Murri
Hello,

I'm trying to add some rules to the "default" security group of a
newly-created project, using the Neutron API 2.0.

However, it seems that the "default" security group is automatically
created but it is not returned by Neutron client's
`list_security_groups()` API call.  My code works just fine if I use any
security group name other than "default".

This is an example interaction, which shows that there is no security
group returned for the project::

    >>> project.id
    u'b26ed1aa29e64c3abeade0a47867eee3'
    >>> response = self.neutron.list_security_groups()  # self.neutron is a neutron_client.v2.Client instance
    >>> secgroups = response['security_groups']
    >>> all_sg_ids = [(sg['id'], sg['tenant_id']) for sg in secgroups]
    >>> all_sg_ids
    [(u'01de4e38-55ea-4b82-8583-274b1bded41a', u'0ff1f3d07fbd4d41892cdf85d7a7d1a9'), ... ]
    >>> len(all_sg_ids)
    17
    >>> project_sg_ids = [(sg['id'], sg['tenant_id']) for sg in secgroups if sg['tenant_id'] == project.id]
    >>> project_sg_ids
    []

Shouldn't the "default" security group be listed there?

In more detail, this is the code I'm using (which, again, works as
expected if I use any security group name other than "default")::

    class Projects(object):
        def __init__(self):
            self.session = get_session()
            self.keystone = keystone_client.Client(session=self.session)
            self.neutron = neutron_client.Client(session=self.session)
            self.nova = nova_client('2', session=self.session)
            # ...

        # ...

        def create(self, form):
            domain = self.keystone.domains.get(config.os_project_domain_id)
            project = self.keystone.projects.create(
                form.name.data,
                domain,
                description=form.description.data,
                enabled=False,  # will enable after configuring it
                # ...
            )
            try:
                response = self.neutron.create_security_group({
                    'security_group': {
                        'tenant_id': project.id,
                        'name': 'default',  # works if I change to e.g. 'TEST'
                        'description': "Default security group",
                    }
                })
            except Conflict:
                # security group already exists, fetch it
                # `find_security_group_by_name()` is a small filter
                # for `list_security_groups()` results
                default_sg = find_security_group_by_name(self.neutron, project.id, 'default')
            # ... do something with the sec group ...

What am I doing wrong?

Thanks,
Riccardo

-- 
Riccardo Murri
http://www.s3it.uzh.ch/about/team/#Riccardo.Murri

S3IT: Services and Support for Science IT
University of Zurich
Winterthurerstrasse 190, CH-8057 Zürich (Switzerland)

Tel: +41 44 635 4208
Fax: +41 44 635 6888
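
An added example, not code from either message or from Neutron: one way to write the `find_security_group_by_name()` filter the post mentions, plus a check for projects whose "default" group does not appear in the listing. It assumes a record may carry `project_id`, `tenant_id` or both; `owner_of`, `projects_missing_default` and `FakeNeutron` (with its sample records) are hypothetical names and constructed data.

```python
# Added example: client-side lookup of a project's security groups.
# Helper names other than find_security_group_by_name() are hypothetical.

def owner_of(sg):
    """Return the owning project of a security group record.

    Assumption: a record may carry `project_id`, `tenant_id`, or both;
    prefer `project_id` when it is present.
    """
    return sg.get('project_id') or sg.get('tenant_id')


def find_security_group_by_name(neutron, project_id, name):
    """Filter list_security_groups() results by owner and name."""
    groups = neutron.list_security_groups()['security_groups']
    matches = [sg for sg in groups
               if owner_of(sg) == project_id and sg['name'] == name]
    if len(matches) > 1:
        # Refuse to guess which group the caller meant to modify.
        raise LookupError('%d groups named %r in project %s'
                          % (len(matches), name, project_id))
    return matches[0] if matches else None


def projects_missing_default(neutron, project_ids):
    """Return the project IDs with no "default" group in the listing."""
    groups = neutron.list_security_groups()['security_groups']
    have_default = {owner_of(sg) for sg in groups if sg['name'] == 'default'}
    return [pid for pid in project_ids if pid not in have_default]


class FakeNeutron(object):
    """Stand-in for the Neutron client; returns constructed sample data."""
    def list_security_groups(self):
        return {'security_groups': [
            {'id': 'sg-1', 'name': 'default', 'tenant_id': 'proj-a'},
            {'id': 'sg-2', 'name': 'default', 'project_id': 'proj-b'},
            {'id': 'sg-3', 'name': 'TEST', 'tenant_id': 'proj-c'},
        ]}


if __name__ == '__main__':
    # proj-c has only a "TEST" group, so it is reported as missing "default".
    print(projects_missing_default(FakeNeutron(), ['proj-a', 'proj-b', 'proj-c']))
```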
