Change default security group protocol to 'any'

The default protocol used to create a security rule was changed to
``tcp``, which was a regression from the neutron client.  Change it
back to ``any``, which skips sending the protocol to the API
server entirely when using the Neutron v2 API.

Users that had been creating rules without specifying a protocol
and expecting ``tcp`` need to change to use ``--protocol tcp``
explicitly.

Change-Id: Iedaa027240e00dced551513d8fa828564386b79f
Closes-bug: #1716789

doc/source/cli/command-objects/security-group-rule.rst

@@ -61,8 +61,8 @@ Create a new security group rule
     IP protocol (ah, dccp, egp, esp, gre, icmp, igmp,
     ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt,
     ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp,
-    udp, udplite, vrrp and integer representations [0-255];
-    default: tcp)
+    udp, udplite, vrrp and integer representations [0-255]
+    or any; default: any (all protocols))
 
     *Network version 2*
 
@@ -157,7 +157,7 @@ List security group rules
     List rules by the IP protocol (ah, dhcp, egp, esp, gre, icmp, igmp,
     ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt,ipv6-opts, ipv6-route,
     ospf, pgm, rsvp, sctp, tcp, udp, udplite, vrrp and integer
-    representations [0-255])
+    representations [0-255] or any; default: any (all protocols))
 
     *Network version 2*
 

openstackclient/network/v2/security_group_rule.py

@@ -168,7 +168,7 @@ class CreateSecurityGroupRule(common.NetworkAndComputeShowOne):
                    "ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, "
                    "ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, "
                    "udp, udplite, vrrp and integer representations [0-255] "
-                   "or any; default: tcp)")
+                   "or any; default: any (all protocols))")
         )
         protocol_group.add_argument(
             '--proto',
@@ -233,8 +233,8 @@ class CreateSecurityGroupRule(common.NetworkAndComputeShowOne):
         )
         return parser
 
-    def _get_protocol(self, parsed_args):
-        protocol = 'tcp'
+    def _get_protocol(self, parsed_args, default_protocol='any'):
+        protocol = default_protocol
         if parsed_args.protocol is not None:
             protocol = parsed_args.protocol
         if parsed_args.proto is not None:
@@ -355,7 +355,7 @@ class CreateSecurityGroupRule(common.NetworkAndComputeShowOne):
 
     def take_action_compute(self, client, parsed_args):
         group = client.api.security_group_find(parsed_args.group)
-        protocol = self._get_protocol(parsed_args)
+        protocol = self._get_protocol(parsed_args, default_protocol='tcp')
         if protocol == 'icmp':
             from_port, to_port = -1, -1
         else:
@@ -462,8 +462,8 @@ class ListSecurityGroupRule(common.NetworkAndComputeLister):
                    "ah, dhcp, egp, esp, gre, icmp, igmp, "
                    "ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, "
                    "ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, "
-                   "udp, udplite, vrrp and integer representations [0-255])."
-                   )
+                   "udp, udplite, vrrp and integer representations [0-255] "
+                   "or any; default: any (all protocols))")
         )
         direction_group = parser.add_mutually_exclusive_group()
         direction_group.add_argument(

openstackclient/tests/unit/network/v2/fakes.py

@@ -1305,7 +1305,7 @@ class FakeSecurityGroupRule(object):
             'id': 'security-group-rule-id-' + uuid.uuid4().hex,
             'port_range_max': None,
             'port_range_min': None,
-            'protocol': 'tcp',
+            'protocol': None,
             'remote_group_id': None,
             'remote_ip_prefix': '0.0.0.0/0',
             'security_group_id': 'security-group-id-' + uuid.uuid4().hex,

openstackclient/tests/unit/network/v2/test_security_group_rule_network.py

@@ -177,10 +177,12 @@ class TestCreateSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
 
     def test_create_default_rule(self):
         self._setup_security_group_rule({
+            'protocol': 'tcp',
             'port_range_max': 443,
             'port_range_min': 443,
         })
         arglist = [
+            '--protocol', 'tcp',
             '--dst-port', str(self._security_group_rule.port_range_min),
             self._security_group.id,
         ]
@@ -267,11 +269,13 @@ class TestCreateSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
 
     def test_create_remote_group(self):
         self._setup_security_group_rule({
+            'protocol': 'tcp',
             'port_range_max': 22,
             'port_range_min': 22,
             'remote_group_id': self._security_group.id,
         })
         arglist = [
+            '--protocol', 'tcp',
             '--dst-port', str(self._security_group_rule.port_range_min),
             '--ingress',
             '--src-group', self._security_group.name,

releasenotes/notes/bug-1716789-abfae897b7e61246.yaml

@@ -0,0 +1,17 @@
+---
+features:
+  - |
+    Change to use ``any`` as the default ``--protocol`` option to
+    ``security group rule create`` command when using the Neutron v2 API.
+    [Bug `1716789 <https://bugs.launchpad.net/bugs/1716789>`_]
+fixes:
+  - |
+    The default protocol used to create a security rule was changed to
+    ``tcp``, which was a regression from the neutron client when using
+    the Neutron v2 API.  Change it back to ``any``, which skips sending
+    the protocol to the API server entirely.
+upgrade:
+  - |
+    Users that had been creating rules without specifying a protocol
+    and expecting ``tcp`` need to change to use ``--protocol tcp``
+    explicitly when using the Neutron v2 API.