[openstack-dev] How Nova-api should deal with secgroup identifier being UUID in Quantum ?

Jordan Pittier jpittier at octo.com
Thu Jul 4 14:36:59 UTC 2013

Hi guys,

As you may know :
* with Quantum, secgroups are uniquely identified by UUID.
* with Nova-Net, secgroups are uniquely identified by numerical ID.

At the moment Nova-api, before calling Nova-Net or Quantum (see
nova/api/openstack/compute/contrib/security_group*), performs some calls to
validate_id(), defined in:
* nova/network/security_group/quantum_drive.py for Quantum
* nova/compute/api.py for Nova-Net

validate_id() raises an HTTPBadRequest in case the identifier is not a
UUID for Quantum or an ID for Nova-Net.

The first thing to notice is that : (1) It's Nova-API that performs
identifier validation and raises the exception.

This API mismatch breaks 4 Tempest tests (see
bugs.launchpad.net/tempest/+bug/1182384) and could be confusing to the user
as Sean Dague reported in this bug report.

I see several approaches to deal with this :
1) This API change can't be hidden, clients (and Tempest) must refer to
security groups by their specific identifier, i.e. clients must be aware of
the backing network implementation. (see review.openstack.org/#/c/29899/)
2) Encapsulate all calls to validate_id() in a try/catch HTTPBadRequest and
raise an HTTPNotFound instead (exception translation)
3) Don't do any kind of validation, neither for Nova-Net nor Quantum. Some
unit tests in test_quantum_security_groups.TestQuantumSecurityGroups must
be adapted/removed. (see review.openstack.org/#/c/35285/ patchset 2 and 4
for 2 different approaches). Let Quantum and Nova-Net deal with malformed

What do you think ?
Thanks a lot !
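
An added example, not part of the original message and not Nova's code: a minimal model of the status code a client sees for the same security group lookup under the current validation, approach 2 (exception translation) and approach 3 (no validation). The exception classes are stand-ins for the webob ones, and `validate_uuid`, `validate_int`, `show_status` and the sample identifiers are hypothetical names and constructed data.

```python
import uuid

class HTTPBadRequest(Exception):   # stand-in for webob.exc.HTTPBadRequest
    code = 400

class HTTPNotFound(Exception):     # stand-in for webob.exc.HTTPNotFound
    code = 404

def validate_uuid(sg_id):
    """Quantum-style check: identifier must parse as a UUID."""
    try:
        return str(uuid.UUID(str(sg_id)))
    except ValueError:
        raise HTTPBadRequest("security group id must be a UUID")

def validate_int(sg_id):
    """Nova-Net-style check: identifier must be an integer."""
    try:
        return str(int(str(sg_id)))
    except ValueError:
        raise HTTPBadRequest("security group id must be an integer")

# Constructed sample data: one existing group per backend.
BACKENDS = {
    "quantum": (validate_uuid, {"3f2b8c1e-6d4a-4e0b-9c57-1a2b3c4d5e6f"}),
    "nova-net": (validate_int, {"1"}),
}

def show_status(backend, sg_id, mode):
    """HTTP status for a 'show security group' call.

    mode: 'validate' (current behaviour), 'translate' (approach 2),
          'passthrough' (approach 3).
    """
    validate, existing = BACKENDS[backend]
    try:
        if mode == "passthrough":
            key = str(sg_id)          # backend sees the raw identifier
        else:
            try:
                key = validate(sg_id)
            except HTTPBadRequest as exc:
                if mode == "translate":
                    raise HTTPNotFound(str(exc))
                raise
        if key not in existing:
            raise HTTPNotFound("security group %s not found" % key)
        return 200
    except (HTTPBadRequest, HTTPNotFound) as exc:
        return exc.code
```

A client that looks up the non-existent numeric id "999999" gets 404 from the Nova-Net model but 400 from the Quantum model in 'validate' mode; both 'translate' and 'passthrough' bring the Quantum result back to 404.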