Merge "Change default security group protocol to 'any'"

2019-06-22 21:39:31 +00:00 · 2019-06-22 21:39:31 +00:00 · 3258b9e5e3
commit 3258b9e5e3
parent 1a21f02bc7 33a255612c
5 changed files with 31 additions and 10 deletions
--- a/doc/source/cli/command-objects/security-group-rule.rst
+++ b/doc/source/cli/command-objects/security-group-rule.rst
@ -61,8 +61,8 @@ Create a new security group rule
    IP protocol (ah, dccp, egp, esp, gre, icmp, igmp,
    ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt,
    ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp,
-    udp, udplite, vrrp and integer representations [0-255];
-    default: tcp)
+    udp, udplite, vrrp and integer representations [0-255]
+    or any; default: any (all protocols))

    *Network version 2*

@ -157,7 +157,7 @@ List security group rules
    List rules by the IP protocol (ah, dhcp, egp, esp, gre, icmp, igmp,
    ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt,ipv6-opts, ipv6-route,
    ospf, pgm, rsvp, sctp, tcp, udp, udplite, vrrp and integer
-    representations [0-255])
+    representations [0-255] or any; default: any (all protocols))

    *Network version 2*

--- a/openstackclient/network/v2/security_group_rule.py
+++ b/openstackclient/network/v2/security_group_rule.py
@ -155,7 +155,7 @@ class CreateSecurityGroupRule(common.NetworkAndComputeShowOne):
                   "ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, "
                   "ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, "
                   "udp, udplite, vrrp and integer representations [0-255] "
-                   "or any; default: tcp)")
+                   "or any; default: any (all protocols))")
        )
        protocol_group.add_argument(
            '--proto',
@ -220,8 +220,8 @@ class CreateSecurityGroupRule(common.NetworkAndComputeShowOne):
        )
        return parser

-    def _get_protocol(self, parsed_args):
-        protocol = 'tcp'
+    def _get_protocol(self, parsed_args, default_protocol='any'):
+        protocol = default_protocol
        if parsed_args.protocol is not None:
            protocol = parsed_args.protocol
        if parsed_args.proto is not None:
@ -324,7 +324,7 @@ class CreateSecurityGroupRule(common.NetworkAndComputeShowOne):

    def take_action_compute(self, client, parsed_args):
        group = client.api.security_group_find(parsed_args.group)
-        protocol = self._get_protocol(parsed_args)
+        protocol = self._get_protocol(parsed_args, default_protocol='tcp')
        if protocol == 'icmp':
            from_port, to_port = -1, -1
        else:
@ -415,8 +415,8 @@ class ListSecurityGroupRule(common.NetworkAndComputeLister):
                   "ah, dhcp, egp, esp, gre, icmp, igmp, "
                   "ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, "
                   "ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, "
-                   "udp, udplite, vrrp and integer representations [0-255])."
-                   )
+                   "udp, udplite, vrrp and integer representations [0-255] "
+                   "or any; default: any (all protocols))")
        )
        direction_group = parser.add_mutually_exclusive_group()
        direction_group.add_argument(
--- a/openstackclient/tests/unit/network/v2/fakes.py
+++ b/openstackclient/tests/unit/network/v2/fakes.py
@ -1305,7 +1305,7 @@ class FakeSecurityGroupRule(object):
            'id': 'security-group-rule-id-' + uuid.uuid4().hex,
            'port_range_max': None,
            'port_range_min': None,
-            'protocol': 'tcp',
+            'protocol': None,
            'remote_group_id': None,
            'remote_ip_prefix': '0.0.0.0/0',
            'security_group_id': 'security-group-id-' + uuid.uuid4().hex,
--- a/openstackclient/tests/unit/network/v2/test_security_group_rule_network.py
+++ b/openstackclient/tests/unit/network/v2/test_security_group_rule_network.py
@ -168,10 +168,12 @@ class TestCreateSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):

    def test_create_default_rule(self):
        self._setup_security_group_rule({
+            'protocol': 'tcp',
            'port_range_max': 443,
            'port_range_min': 443,
        })
        arglist = [
+            '--protocol', 'tcp',
            '--dst-port', str(self._security_group_rule.port_range_min),
            self._security_group.id,
        ]
@ -258,10 +260,12 @@ class TestCreateSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):

    def test_create_remote_group(self):
        self._setup_security_group_rule({
+            'protocol': 'tcp',
            'port_range_max': 22,
            'port_range_min': 22,
        })
        arglist = [
+            '--protocol', 'tcp',
            '--dst-port', str(self._security_group_rule.port_range_min),
            '--ingress',
            '--remote-group', self._security_group.name,
--- a/releasenotes/notes/bug-1716789-abfae897b7e61246.yaml
+++ b/releasenotes/notes/bug-1716789-abfae897b7e61246.yaml
@ -0,0 +1,17 @@
+---
+features:
+  - |
+    Change to use ``any`` as the default ``--protocol`` option to
+    ``security group rule create`` command when using the Neutron v2 API.
+    [Bug `1716789 <https://bugs.launchpad.net/bugs/1716789>`_]
+fixes:
+  - |
+    The default protocol used to create a security rule was changed to
+    ``tcp``, which was a regression from the neutron client when using
+    the Neutron v2 API.  Change it back to ``any``, which skips sending
+    the protocol to the API server entirely.
+upgrade:
+  - |
+    Users that had been creating rules without specifying a protocol
+    and expecting ``tcp`` need to change to use ``--protocol tcp``
+    explicitly when using the Neutron v2 API.