[OVN] Use elevated context to retrieve subnet in router port configuration
The method ``_get_nets_and_ipv6_ra_confs_for_router_port`` can be called
from a non-admin user request, when updating or creating a local router
port. If the router external gateway network is "external" (as it should
be) but is not explicitly shared (a network RBAC with action
"access_as_shared"), the user won't retrieve the corresponding subnet.
NOTE: it is *not* needed to apply both "access_as_shared" and
"access_as_external" RBACs to a network. Please read c#1 in the LP bug
for more context.
Related-Bug: #2051831
Change-Id: I161f1a6021c0da2d0063f8cb249b3bb9d7b6d5ae
(cherry picked from commit 70e51eb2ba)
This commit is contained in:
parent
ce640c8f6b
commit
68542c04a1
|
@ -1203,7 +1203,13 @@ class OVNClient(object):
|
|||
|
||||
for fixed_ip in port_fixed_ips:
|
||||
subnet_id = fixed_ip['subnet_id']
|
||||
subnet = self._plugin.get_subnet(context, subnet_id)
|
||||
# NOTE(ralonsoh): it is needed to use the "admin" context here to
|
||||
# retrieve the subnet. The subnet object is not handling correctly
|
||||
# the RBAC filtering because is not filtering by
|
||||
# "access_as_external", as network object is doing in
|
||||
# ``_network_filter_hook``. See LP#2051831.
|
||||
# TODO(ralonsoh): once LP#2051831 is fixed, remove "elevated()".
|
||||
subnet = self._plugin.get_subnet(context.elevated(), subnet_id)
|
||||
cidr = netaddr.IPNetwork(subnet['cidr'])
|
||||
networks.add("%s/%s" % (fixed_ip['ip_address'],
|
||||
str(cidr.prefixlen)))
|
||||
|
|
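Review bot: the replacement call `self._plugin.get_subnet(context.elevated(), subnet_id)` drops every policy and RBAC check for the lookup, not only the missing "access_as_external" filter that the NOTE describes, and it runs on requests the commit message says can come from a non-admin user. Since `subnet_id` is taken directly from each entry of `port_fixed_ips`, please confirm (or state in the comment) that these IDs have already been validated against the caller's own context before this loop is reached, so the elevated read cannot resolve a subnet the caller could not otherwise be attached to. Only `subnet['cidr']` is consumed here, which keeps the exposure small, and the comment could say so to discourage later code from reusing the elevated `subnet` dict for anything returned to the user. As a smaller point, `context.elevated()` builds a new context on every iteration; creating it once before the `for fixed_ip in port_fixed_ips:` loop (for example `admin_context = context.elevated()`) avoids the repeated copy and leaves a single line to delete when the TODO for LP#2051831 is resolved.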