From b01923cb8d117476dc643e6c93e3ab1805b06f2d Mon Sep 17 00:00:00 2001
From: Brent Eagles
Date: Fri, 22 Feb 2013 13:26:45 -0330
Subject: Prevent default security group deletion. This patch adds a check to confirm that a security group name is not among a list of 'special' group names before proceeding with security group deletion.
Fixes: bug 1131830
Change-Id: I5656e01b4ed3fd9c22abe6a731edaef7203d97c4
---
 nova/compute/api.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/nova/compute/api.py b/nova/compute/api.py
index f917e379d..c677d9ed1 100644
--- nova/compute/api.py
+++ nova/compute/api.py
@@ -100,6 +100,7 @@ CONF.import_opt('enable', 'nova.cells.opts', group='cells')
 MAX_USERDATA_SIZE = 65535
 QUOTAS = quota.QUOTAS
+RO_SECURITY_GROUPS = ['default']
 def check_instance_state(vm_state=None, task_state=(None,)):
@@ -2881,6 +2882,11 @@ class SecurityGroupAPI(base.Base, security_group_base.SecurityGroupBase):
 return groups
 def destroy(self, context, security_group):
+ if security_group['name'] in RO_SECURITY_GROUPS:
+ msg = _("Unable to delete system group '%s'") % \
+ security_group['name']
+ self.raise_invalid_group(msg)
+
 if self.db.security_group_in_use(context, security_group['id']):
 msg = _("Security group is still in use")
 self.raise_invalid_group(msg)
-- 
cgit
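Review bot: `RO_SECURITY_GROUPS` is a module-level list, so any code that imports it can append to or clear it at runtime and silently change which groups `destroy()` refuses to delete. An immutable value with a short comment is safer, for example `# Names of security groups that must not be deleted.` above `RO_SECURITY_GROUPS = ('default',)`. The membership test added in the second hunk works unchanged with a tuple.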
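Review bot: The new guard at the top of `destroy()` protects the group by name only, and only on this one path, so it holds only as long as nothing else can rename a group or delete it below this API. If an update or rename call exists elsewhere (not visible in this hunk), it should refuse to rename a group into or out of `RO_SECURITY_GROUPS` as well. The diffstat shows only nova/compute/api.py changed, so a regression test asserting that deleting 'default' raises the invalid-group error would be worth adding with this change. As a style point, the backslash continuation can be replaced by parentheses: `msg = (_("Unable to delete system group '%s'") %` followed by `security_group['name'])`. The class body and the rest of `destroy()` continue outside the hunk.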