Link to os-security-groups in server-create response
The Nova API adds the 'default' security group to a server-create request even if the user didn't request that security group. This is problematic when using Neutron as the network service and the network that we are using has port_security_
The fix for that is: https:/
One issue with the fix is it doesn't address that we return a list of security groups with the server create response:
When using neutron, we don't know what security groups are going to be applied to an instance (port/network) from the Nova API, and defaulting to 'default' in the response when no specific security groups are requested can be wrong.
This blueprint is meant to change the server POST response to replace the security_groups list in the response body with a bookmark link to the os-security-groups API which has the accurate details on security groups for the server instance.
For example, this is a server POST from a Tempest run in a Neutron job:
2016-04-01 18:32:16.136 27388 INFO tempest.
2016-04-01 18:32:16.136 27388 DEBUG tempest.
Body: {"server": {"name": "tempest-
Response - Headers: {'x-openstack-
Body: {"server": {"security_groups": [{"name": "default"}], "OS-DCF:
The response body contains:
"security_groups": [{"name": "default"}]
That will be changed to something like:
"security_groups": [{"href": "http://
More details and discussion are in the openstack-dev mailing list thread here:
http://
Blueprint information
- Status:
- Not started
- Approver:
- None
- Priority:
- Low
- Drafter:
- Matt Riedemann
- Direction:
- Needs approval
- Assignee:
- None
- Definition:
- Drafting
- Series goal:
- None
- Implementation:
- Unknown
- Milestone target:
- None
- Started by
- Completed by
Related branches
Related bugs
Bug #1175464: should not add default security group to quantum unless api-request had it | Fix Released |
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Link to os-security-groups in server-create response