Merge "Fix system scoped manageable node network failure"

This commit is contained in:
Zuul 2024-01-10 04:43:23 +00:00 committed by Gerrit Code Review
commit d8613e54ae
3 changed files with 18 additions and 1 deletions

View File

@ -70,7 +70,11 @@ def get_client(token=None, context=None, auth_from_config=False):
user_auth = None
if (not auth_from_config and CONF.neutron.auth_type != 'none'
and context.auth_token):
and context.auth_token and not context.system_scope):
# If we have a token, we *should* use the user's auth, however we
# can only do so *if* it is a project scoped request. If it is
# system scoped, we cannot leverage user auth data to make the next
# request.
user_auth = keystone.get_service_auth(context, endpoint, service_auth)
sess = keystone.get_session('neutron', timeout=CONF.neutron.timeout,

View File

@ -75,6 +75,7 @@ class TestNeutronClient(base.TestCase):
mock_auth, mock_sauth):
mock_ctxt.return_value = ctxt = mock.Mock()
ctxt.auth_token = 'test-token-123'
ctxt.system_scope = None
neutron.get_client(token='test-token-123')
mock_ctxt.assert_called_once_with(auth_token='test-token-123')
mock_client_init.assert_called_once_with(oslo_conf=mock.ANY,

View File

@ -0,0 +1,12 @@
---
fixes:
- |
Fixes an issue where a System Scoped user could not trigger a node into
a ``manageable`` state with cleaning enabled, as the Neutron client would
attempt to utilize their user's token to create the Neutron port for the
cleaning operation, as designed. This is because with requests made in the
``system`` scope, there is no associated project and the request fails.
Ironic now checks if the request has been made with a ``system`` scope,
and if so it utilizes the internal credential configuration to communicate
with Neutron.