[Yahoo-eng-team] [Bug 1263997] Re: Admin cannot create or get default security group for projects

Tue, 10 May 2016 21:34:19 -0700 

[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1263997

Title:
  Admin cannot create or get default security group for projects

Status in neutron:
  Expired

Bug description:
  The default security group is created lazily the first time it is
  requested via a GET. However, this functionality is dependent upon
  pulling the tenant_id from the token.

  This means that an admin user cannot get or create the default
  security group for arbitrary tenant X. Attempting to do something like
  GET /security-groups?tenant_id=X yields an empty result. And
  attempting to create the default group via POST /security-groups
  {'name': 'default'} results in a 409 even though the default security
  group does not actually exist.

  Note that if an admin user creates a non-default security group for an
  arbitrary project (ie any security group where the name is not
  'default'), the default security group will be created as a side
  affect.

  Another side effect of this lazy creation is that when an admin user
  is attempting to get security groups for another project (via GET
  security-groups?tenant_id=X), the default security group may be
  created for the admin project (because it is tenant that is acutally
  scoped in the token).

  Warning, personal opinion below:
  Generally speaking, I think the lazy and silent creation of the default 
security group causes a lot of problems for the integrity of the API. Now a GET 
is creating something (and thus is technically no longer idempotent) and a POST 
to create an arbitrary security group may also silently create the default 
security group.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1263997/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to