<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Hi guys,</span><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">As you may know:</div>
<div style="font-family:arial,sans-serif;font-size:13px">* with Quantum, secgroups are uniquely identified by UUID.</div><div style="font-family:arial,sans-serif;font-size:13px">* with Nova-Net, secgroups are uniquely identified by numerical ID. </div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">At the moment Nova-api, before calling Nova-Net or Quantum (see nova/api/openstack/compute/contrib/security_group*), performs some calls to validate_id(), defined in:</div>
<div style="font-family:arial,sans-serif;font-size:13px">* nova/network/security_group/quantum_drive.py for Quantum</div><div style="font-family:arial,sans-serif;font-size:13px">* nova/compute/api.py for Nova-Net</div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">Validate_id() raises an HTTPBadRequest in case the identifier is not a UUID for Quantum or an ID for Nova-Net.</div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">The first thing to notice is that: (1) It's Nova-API that performs identifier validation and raises the exception.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">This API mismatch breaks 4 Tempest tests (see <a href="http://bugs.launchpad.net/tempest/+bug/1182384" target="_blank">bugs.launchpad.net/tempest/+bug/1182384</a>) and could be confusing to the user as Sean Dague reported in this bug report.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">I see several approaches to deal with this:</div><div style="font-family:arial,sans-serif;font-size:13px">
1) This API change can't be hidden; clients (and Tempest) must refer to security groups by their specific identifier, i.e. clients must be aware of the backing network implementation. (see <a href="http://review.openstack.org/#/c/29899/" target="_blank">review.openstack.org/#/c/29899/</a>)</div>
<div style="font-family:arial,sans-serif;font-size:13px">2) Encapsulate all calls to validate_id() in a try/catch HTTPBadRequest and raise an HTTPNotFound instead (exception translation)</div><div style="font-family:arial,sans-serif;font-size:13px">
3) Don't do any kind of validation, either for Nova-Net or Quantum. Some unit tests in test_quantum_security_groups.TestQuantumSecurityGroups must be adapted/removed. (see <a href="http://review.openstack.org/#/c/35285/" target="_blank">review.openstack.org/#/c/35285/</a> patchset 2 and 4 for 2 different approaches). Let Quantum and Nova-Net deal with malformed inputs.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">What do you think?</div><div style="font-family:arial,sans-serif;font-size:13px">Thanks a lot!</div>
<div style="font-family:arial,sans-serif;font-size:13px">Jordan</div></div>
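<div style="font-family:arial,sans-serif;font-size:13px">The following is an added example, not part of the original message and not Nova's code: it models the two validate_id() behaviours described above and shows how approach 2 (exception translation) keeps malformed identifiers rejected at the API layer while giving both backends the same 404 answer. The exception classes, function names, error messages and sample groups are stand-ins constructed for illustration.</div>

```python
import uuid

class HTTPBadRequest(Exception):
    """Stand-in for the 400 exception (assumed; not Nova's class)."""
    status = 400

class HTTPNotFound(Exception):
    """Stand-in for the 404 exception (assumed; not Nova's class)."""
    status = 404

# Constructed sample identifier, not taken from any deployment.
SAMPLE_UUID = "11111111-2222-3333-4444-555555555555"

def validate_id_quantum(sg_id):
    """Quantum-style check: the identifier must be a UUID."""
    try:
        return str(uuid.UUID(str(sg_id)))
    except ValueError:
        raise HTTPBadRequest("security group id must be a UUID")

def validate_id_nova_net(sg_id):
    """Nova-Net-style check: the identifier must be a numerical ID."""
    try:
        return int(sg_id)
    except (TypeError, ValueError):
        raise HTTPBadRequest("security group id must be an integer")

def lookup_status(validate_id, groups, sg_id, translate=False):
    """Return the HTTP status that looking up sg_id would produce.

    translate=True models approach 2: a malformed identifier is still
    stopped before it reaches the backend, but is reported as 404.
    """
    try:
        try:
            key = validate_id(sg_id)
        except HTTPBadRequest as exc:
            if translate:
                raise HTTPNotFound(str(exc))
            raise
        if key not in groups:
            raise HTTPNotFound("security group %s not found" % sg_id)
        return 200
    except (HTTPBadRequest, HTTPNotFound) as exc:
        return exc.status
```

With `translate=False` the identifier `"42"` yields 404 against the Nova-Net check but 400 against the Quantum check; with `translate=True` both return 404.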