Link to os-security-groups in server-create response

Registered by Matt Riedemann

The Nova API adds the 'default' security group to a server-create request even if the user didn't request that security group. This is problematic when using Neutron as the network service and the network that we are using has port_security_enabled=False.

The fix for that is: https://review.openstack.org/#/c/284095/

One issue with the fix is that it doesn't address the list of security groups we return in the server-create response:

https://github.com/openstack/nova/blob/f8a01ccdffc13403df77148867ef3821100b5edb/nova/api/openstack/compute/security_groups.py#L475

When using neutron, we don't know what security groups are going to be applied to an instance (port/network) from the Nova API, and defaulting to 'default' in the response when no specific security groups are requested can be wrong.

This blueprint is meant to change the server POST response, replacing the security_groups list in the response body with a bookmark link to the os-security-groups API, which has the accurate details on security groups for the server instance.

For example, this is a server POST from a Tempest run in a Neutron job:

2016-04-01 18:32:16.136 27388 INFO tempest.lib.common.rest_client [req-52aa5c0e-5cf6-4154-a075-9eaf5515fbd6 ] Request (AggregatesAdminTestJSON:test_aggregate_add_host_create_server_with_az): 202 POST http://127.0.0.1:8774/v2.1/f3203f02b9ec4c2faf6d0fd77a2f78bf/servers 0.475s
2016-04-01 18:32:16.136 27388 DEBUG tempest.lib.common.rest_client [req-52aa5c0e-5cf6-4154-a075-9eaf5515fbd6 ] Request - Headers: {'X-Auth-Token': '<omitted>', 'Accept': 'application/json', 'Content-Type': 'application/json'}
        Body: {"server": {"name": "tempest-test_server-1787535030", "imageRef": "defe9732-8ea6-483a-b439-dcbb0c4682cd", "availability_zone": "tempest-test_az-1109470789", "flavorRef": "42"}}
    Response - Headers: {'x-openstack-nova-api-version': '2.1', 'date': 'Fri, 01 Apr 2016 18:32:16 GMT', 'content-length': '436', 'x-compute-request-id': 'req-52aa5c0e-5cf6-4154-a075-9eaf5515fbd6', 'status': '202', 'content-type': 'application/json', 'vary': 'X-OpenStack-Nova-API-Version', 'connection': 'close', 'location': 'http://127.0.0.1:8774/v2.1/f3203f02b9ec4c2faf6d0fd77a2f78bf/servers/762c6a19-2097-4910-9af6-4ec8b19d0b6d'}
        Body: {"server": {"security_groups": [{"name": "default"}], "OS-DCF:diskConfig": "MANUAL", "id": "762c6a19-2097-4910-9af6-4ec8b19d0b6d", "links": [{"href": "http://127.0.0.1:8774/v2.1/f3203f02b9ec4c2faf6d0fd77a2f78bf/servers/762c6a19-2097-4910-9af6-4ec8b19d0b6d", "rel": "self"}, {"href": "http://127.0.0.1:8774/f3203f02b9ec4c2faf6d0fd77a2f78bf/servers/762c6a19-2097-4910-9af6-4ec8b19d0b6d", "rel": "bookmark"}], "adminPass": "5osjMWVeUokF"}} _log_request_full tempest/lib/common/rest_client.py:414

The response body contains:

"security_groups": [{"name": "default"}]

That will be changed to something like:

"security_groups": [{"href": "http://127.0.0.1:8774/f3203f02b9ec4c2faf6d0fd77a2f78bf/servers/762c6a19-2097-4910-9af6-4ec8b19d0b6d/os-security-groups", "rel": "bookmark"}]

More details and discussion are in the openstack-dev mailing list thread here:

http://lists.openstack.org/pipermail/openstack-dev/2016-April/091162.html
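
How a client could find the authoritative security group list from either response shape described above. This is an added example, not Nova or Tempest code: `secgroup_lookup` and `make_body` are hypothetical names, the sample bodies are constructed from the log on this page, and the link format follows the "something like" proposal here, so the final spec may differ.

```python
import json
from urllib.parse import urlsplit

# Constructed sample data, trimmed from the two response shapes on this page.
ENDPOINT = "http://127.0.0.1:8774/v2.1/f3203f02b9ec4c2faf6d0fd77a2f78bf"
SERVER_ID = "762c6a19-2097-4910-9af6-4ec8b19d0b6d"
SELF_LINK = ENDPOINT + "/servers/" + SERVER_ID
BOOKMARK = SELF_LINK.replace("/v2.1", "")


def make_body(security_groups):
    """Build a server-create response body (hypothetical helper)."""
    return json.dumps({"server": {
        "security_groups": security_groups,
        "id": SERVER_ID,
        "links": [{"href": SELF_LINK, "rel": "self"},
                  {"href": BOOKMARK, "rel": "bookmark"}]}})


CURRENT_BODY = make_body([{"name": "default"}])
PROPOSED_BODY = make_body(
    [{"href": BOOKMARK + "/os-security-groups", "rel": "bookmark"}])


def secgroup_lookup(body, compute_endpoint):
    """Return (url_to_query, unverified_names) for a server-create response.

    Names echoed in the POST response are not authoritative under Neutron,
    so they are returned separately and the caller should GET the URL.
    """
    server = json.loads(body)["server"]
    entries = server.get("security_groups", [])
    names = [e["name"] for e in entries if "name" in e]
    hrefs = [e["href"] for e in entries
             if e.get("rel") == "bookmark" and "href" in e]
    if hrefs:
        url = hrefs[0]
    else:
        # Current shape: derive the os-security-groups URL from the self link.
        self_link = next(l["href"] for l in server["links"]
                         if l.get("rel") == "self")
        url = self_link.rstrip("/") + "/os-security-groups"
    # The X-Auth-Token goes with the follow-up GET, so stay on the same origin.
    want, got = urlsplit(compute_endpoint), urlsplit(url)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        raise ValueError("security group link leaves the compute endpoint: " + url)
    return url, names


if __name__ == "__main__":
    for label, body in (("current", CURRENT_BODY), ("proposed", PROPOSED_BODY)):
        print(label, secgroup_lookup(body, ENDPOINT))
```
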

Blueprint information

Status: Not started
Approver: None
Priority: Low
Drafter: Matt Riedemann
Direction: Needs approval
Assignee: None
Definition: Drafting
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/server-create-secgroups-response-link,n,z

Addressed by: https://review.openstack.org/301372 <--- SPEC
    Link to os-security-groups in server-create response
