cluster: fix bug when using custom SSH permissions
The cluster_group property applies all user-specified permissions when
creating or fetching the cluster's security group. If the user
customizes the SSH permissions StarCluster removes the public CIDR_IP
permission in order to accommodate stricter CIDR_IP settings (e.g.
limiting access to a single IP). This is needed because in general
all CIDR_IPs for a given security group rule are allowed access which
means if 0.0.0.0/0 is in the list then *all* users have access
regardless of other CIDR_IPs.

The previous logic would remove 0.0.0.0/0 from the CIDR_IP list if *any*
ssh rule was specified by the user. This is fine except when users don't
specify a custom CIDR_IP - in this case the code ends up removing the
SSH rule completely given that only a single CIDR_IP (0.0.0.0/0) exists
and it's blindly removed. Updated this logic to remove the public CIDR_IP
(0.0.0.0/0) from the SSH rule *only* if the custom SSH permission
explicitly specifies a CIDR_IP other than the public CIDR_IP. This
avoids ever removing the SSH rule entirely and prevents locking users
out of their cluster(s).

closes gh-91
jtriley committed Mar 14, 2012
1 parent 58baea8 commit 8b2126a
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion starcluster/cluster.py
@@ -623,7 +623,9 @@ def cluster_group(self):
log.info("Opening %s port range %s-%s for CIDR %s" %
(ip_protocol, from_port, to_port, cidr_ip))
sg.authorize(ip_protocol, from_port, to_port, cidr_ip)
if ip_protocol == 'tcp' and from_port <= ssh_port <= to_port:
includes_ssh = from_port <= ssh_port <= to_port
open_to_world = cidr_ip == static.WORLD_CIDRIP
if ip_protocol == 'tcp' and includes_ssh and not open_to_world:
sg.revoke(ip_protocol, ssh_port, ssh_port,
static.WORLD_CIDRIP)
self._cluster_group = sg
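Review bot: the revoke is still decided per iteration from the current rule's `cidr_ip` alone, and `sg.authorize(...)` runs before the check, so the outcome depends on the order of the user's SSH rules. If a user lists one SSH rule with a narrow CIDR and another with `static.WORLD_CIDRIP`, the narrow rule revokes the world CIDR but a later world rule re-authorizes it (and the `not open_to_world` branch then skips the revoke), leaving SSH open to 0.0.0.0/0 despite the commit's stated intent; in the reverse order the world rule is authorized and then revoked, which is the intended result but only by accident of ordering. Suggest deciding once rather than per rule: before the loop, compute something like `custom_ssh_cidrs = any(tcp rule covering ssh_port with cidr_ip != static.WORLD_CIDRIP)`, apply all `authorize` calls, and issue the single `sg.revoke(ip_protocol, ssh_port, ssh_port, static.WORLD_CIDRIP)` after the loop only when that flag is set. A short comment above the revoke stating why the world CIDR is dropped (any matching CIDR grants access, so 0.0.0.0/0 would defeat the narrower ones) would also help the next reader, since the reasoning currently lives only in the commit message.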
