security group does not verify the tenant id

Bug #1912747 reported by zhanghao
This bug affects 1 person
Affects: neutron | Status: Confirmed | Importance: High | Assigned to: Unassigned | Milestone: -

Bug Description

How to reproduce the problem:

1. source admin-openrc
2. List security groups filtered by a tenant_id that does not actually exist:
   curl -g -i -X GET http://192.168.40.66:9696/v2.0/security-groups?tenant_id=99977aaf8d7a466aaa8c16895cfad666 -H "Accept: application/json" -H "User-Agent: python-neutronclient" -H "X-Auth-Token: gAAAAABgCn8d4Ju6VHm76-d5uMS49mPU7NbgcVkj_U6xesxwanhxFTjN36hyEkxVBV8X_2mx2cXRbbLkcmGpk79G157GaOHowre0SQMWEsRKHzKDH_NgXAYWAwfDSC--mmibs85n7Wt9gWJaMKykLnuM0Yw9yLFvYpmzHkM96WM0dI5QJwriG2U"
3. Query the security group in the database (a "default" group now exists for the nonexistent project):
   MariaDB [neutron]> select * from securitygroups where project_id='99977aaf8d7a466aaa8c16895cfad666';
   +----------------------------------+--------------------------------------+---------+------------------+----------+
   | project_id                       | id                                   | name    | standard_attr_id | stateful |
   +----------------------------------+--------------------------------------+---------+------------------+----------+
   | 99977aaf8d7a466aaa8c16895cfad666 | 4eec88c3-678e-467b-ba4c-702611180699 | default |              589 |        1 |
   +----------------------------------+--------------------------------------+---------+------------------+----------+

zhanghao (zhanghao2)
Changed in neutron:
assignee: nobody → zhanghao (zhanghao2)
Revision history for this message
Bence Romsics (bence-romsics) wrote :

While I'm not sure what exactly you considered to be the error, it seems to me there are multiple problems around here:

source openrc demo demo ; export TOKEN="$( openstack token issue -f value -c id )"

curl -s -H "Content-Type: application/json" -H "X-Auth-Token: $TOKEN" -X GET http://127.0.0.1:9696/v2.0/security-groups
works as expected

curl -s -H "Content-Type: application/json" -H "X-Auth-Token: $TOKEN" -X GET http://127.0.0.1:9696/v2.0/security-groups?tenant_id=$( openstack project show demo -f value -c id )
works as expected

curl -s -H "Content-Type: application/json" -H "X-Auth-Token: $TOKEN" -X GET http://127.0.0.1:9696/v2.0/security-groups?tenant_id=foobar
no response, client hangs

curl -s -H "Content-Type: application/json" -H "X-Auth-Token: $TOKEN" -X GET http://127.0.0.1:9696/v2.0/security-groups?tenant_id=$( uuid | tr -d - )
internal server error

source openrc admin admin ; export TOKEN="$( openstack token issue -f value -c id )"

curl -s -H "Content-Type: application/json" -H "X-Auth-Token: $TOKEN" -X GET http://127.0.0.1:9696/v2.0/security-groups
works as expected

curl -s -H "Content-Type: application/json" -H "X-Auth-Token: $TOKEN" -X GET http://127.0.0.1:9696/v2.0/security-groups?tenant_id=$( openstack project show admin -f value -c id )
works as expected

curl -s -H "Content-Type: application/json" -H "X-Auth-Token: $TOKEN" -X GET http://127.0.0.1:9696/v2.0/security-groups?tenant_id=foobar
echoes foobar in the response

curl -s -H "Content-Type: application/json" -H "X-Auth-Token: $TOKEN" -X GET http://127.0.0.1:9696/v2.0/security-groups?tenant_id=$( uuid | tr -d - )
echoes the random uuid in the response

I would say the 1) no response, 2) internal server error and 3) unvalidated echo cases are all bugs.

neutron server log for the no response case:

jan 22 15:13:06 devstack0 neutron-server[342671]: DEBUG neutron_lib.db.api [None req-f63b9ee0-bb5c-4e19-9150-3e0dd18a01b7 demo demo] Retry wrapper got retriable exception: Failed to create a duplicate DefaultSecurityGroup: for attribute(s) ['default_security_group.PRIMARY'] with value(s) foobar {{(pid=342671) wrapped /opt/stack/neutron-lib/neutron_lib/db/api.py:183}}

neutron server log for the internal server error:

jan 22 15:15:25 devstack0 neutron-server[342672]: ERROR neutron.api.v2.resource [None req-160228f5-d91d-4fc3-81a1-729056507e49 demo demo] index failed: No details.: TypeError: 'NoneType' object is not subscriptable
jan 22 15:15:25 devstack0 neutron-server[342672]: ERROR neutron.api.v2.resource Traceback (most recent call last):
jan 22 15:15:25 devstack0 neutron-server[342672]: ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/resource.py", line 98, in resource
jan 22 15:15:25 devstack0 neutron-server[342672]: ERROR neutron.api.v2.resource result = method(request=request, **args)
jan 22 15:15:25 devstack0 neutron-server[342672]: ERROR neutron.api.v2.resource File "/opt/stack/neutron-lib/neutron_lib/db/api.py", line 139, in wrapped
jan 22 15:15:25 devstack0 neutron-server[342672]: ERROR neutron.api.v2.resource setattr(e, '_RETRY_EXCEEDED', True)
jan 22 15:15:25 devstack0 neutron-server[342672]: ERROR neutron.api.v2.resource F...

Changed in neutron:
status: New → Confirmed
importance: Undecided → High
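The three cases above (a non-id string, a well-formed but unknown project id, and an existing project) are what a tenant_id check at the list handler has to separate before neutron's default-security-group auto-creation runs. The following is an added example written for this page; it is not neutron code and not any of the patches linked in this thread. It assumes Keystone project ids are 32 lowercase hex characters (the default SQL identity backend; other backends may differ), stands in for the Keystone lookup with an injectable `project_exists` callable, replaces the securitygroups table with an in-memory store, and the names `validate_tenant_id`, `SecurityGroupStore`, `handle_list`, `run_probe` and `KNOWN_PROJECT` are all hypothetical. Mapping malformed ids to 400 and unknown ids to 404 is a design choice of the example, not something the thread decided.

```python
"""Validate a tenant_id list filter before the default-SG side effect.

Added example, not neutron code. Models the check proposed in this bug:
reject malformed ids, refuse to act on ids the identity service does not
know, and only then run the default-security-group auto-creation that an
admin list request triggers. Store and project registry are constructed.
"""
import re
import uuid

# Assumption: Keystone (SQL backend) issues 32-hex-char project ids.
_PROJECT_ID_RE = re.compile(r"^[0-9a-f]{32}$")

KNOWN_PROJECT = "a1b2c3d4e5f60718293a4b5c6d7e8f90"  # constructed sample id


class BadRequest(Exception):
    """Mapped to HTTP 400 by the API layer below."""


class NotFound(Exception):
    """Mapped to HTTP 404 by the API layer below."""


def validate_tenant_id(value, project_exists):
    """Return the normalised project id or raise; project_exists stands in for Keystone."""
    if not isinstance(value, str):
        raise BadRequest("tenant_id must be a string")
    value = value.strip().lower()
    if not _PROJECT_ID_RE.match(value):
        # "foobar" stops here, before any DB write is attempted for it.
        raise BadRequest("tenant_id %r is not a valid project id" % value)
    if not project_exists(value):
        # Well-formed but unknown: no default group is created and the
        # unvalidated value is never echoed back in a 200 response.
        raise NotFound("project %s not found" % value)
    return value


class SecurityGroupStore:
    """Constructed stand-in for the securitygroups / default_security_group tables."""

    def __init__(self):
        self.groups = []       # rows: {"project_id", "id", "name"}
        self.default_sg = {}   # project_id -> id of its "default" group

    def ensure_default(self, project_id):
        """Mirror neutron's once-per-project auto-creation of the 'default' group."""
        if project_id not in self.default_sg:
            sg_id = str(uuid.uuid4())
            self.groups.append({"project_id": project_id, "id": sg_id, "name": "default"})
            self.default_sg[project_id] = sg_id
        return self.default_sg[project_id]

    def list(self, project_id=None):
        if project_id is None:
            return list(self.groups)
        return [g for g in self.groups if g["project_id"] == project_id]


def list_security_groups(store, project_exists, is_admin, tenant_id=None):
    """List handler: validate the filter first, then (admin only) ensure the default group."""
    if tenant_id is None:
        return store.list()
    project_id = validate_tenant_id(tenant_id, project_exists)
    if is_admin:
        store.ensure_default(project_id)   # reached only for a validated, existing project
    return store.list(project_id)


def handle_list(store, project_exists, is_admin, tenant_id=None):
    """API-layer wrapper: translate validation failures into status codes."""
    try:
        return 200, list_security_groups(store, project_exists, is_admin, tenant_id)
    except BadRequest as exc:
        return 400, {"NeutronError": str(exc)}
    except NotFound as exc:
        return 404, {"NeutronError": str(exc)}


def run_probe(tenant_id, is_admin=True):
    """Fresh store per call; return (status, rows written to the SG table)."""
    store = SecurityGroupStore()
    status, _ = handle_list(store, {KNOWN_PROJECT}.__contains__, is_admin, tenant_id)
    return status, len(store.groups)


def demo():
    """Replay the three cases from the thread against one store as admin."""
    store = SecurityGroupStore()
    exists = {KNOWN_PROJECT}.__contains__
    probes = ["foobar", uuid.uuid4().hex, KNOWN_PROJECT, KNOWN_PROJECT]
    statuses = [handle_list(store, exists, True, p)[0] for p in probes]
    # Only the known project reaches ensure_default, and only once.
    return statuses, len(store.groups)


if __name__ == "__main__":
    print(demo())   # ([400, 404, 200, 200], 1)
```

The point of ordering the checks this way is that the existence lookup is the expensive, externally visible step and the DB insert is the irreversible one: a syntactic check is cheap and catches the "foobar" case without ever reaching Keystone, and the existence check keeps an admin list request from planting a default row for a project id that was never issued.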
Revision history for this message
Slawek Kaplonski (slaweq) wrote :
Revision history for this message
zhanghao (zhanghao2) wrote :

Hi Bence:
Thank you for your verification. All the problems you mentioned exist, and I think they can be resolved after adding a tenant_id check.

Revision history for this message
zhanghao (zhanghao2) wrote :

Hi Slawek:
I merged this patch (https://review.opendev.org/c/openstack/neutron/+/753053) in my environment, but the problem still exists.

Revision history for this message
Bence Romsics (bence-romsics) wrote :

Hi Slawek,

I believe the fix you mentioned (https://review.opendev.org/c/openstack/neutron/+/753053) was already present in the environment of comment #1. Therefore I don't think the problems presented here were fixed previously.

Revision history for this message
Bence Romsics (bence-romsics) wrote :

We shortly discussed this on the weekly neutron meeting:

http://eavesdrop.openstack.org/meetings/networking/2021/networking.2021-01-26-14.00.log.html#l-110

I got the suggestion that the fix to the previous bug (https://bugs.launchpad.net/neutron/+bug/1896588) needs some configuration in addition to the patch (https://review.opendev.org/c/openstack/neutron/+/753053).

I believe we need this extra wsgi filter:
https://review.opendev.org/c/openstack/neutron/+/753053/6/etc/api-paste.ini

This was already present in my environment, since this was part of Rodolfo's merged patch.

Rodolfo also said that 'nova user should have "system" role'. This was not the case in my default devstack environment, so this is what I did. Did I understand it correctly?

openstack role add --user nova --system all reader

Having this too, I still see the same errors as in comment #1. What am I missing?

Revision history for this message
Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: zhanghao (zhanghao2) → nobody
tags: added: timeout-abandon
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/771947
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
