[OVN] Use elevated context to retrieve subnet in router port configuration

The method ``_get_nets_and_ipv6_ra_confs_for_router_port`` can be called from a non-admin user request, when updating or creating a local router port. If the router external gateway network is "external" (as it should be) but is not explicitly shared (a network RBAC with action "access_as_shared"), the user won't retrieve the corresponding subnet. NOTE: is is *not* needed to apply both "access_as_shared" and "access_as_external" RBACs to a network. Please read c#1 in the LP bug for more context. Related-Bug: #2051831 Change-Id: I161f1a6021c0da2d0063f8cb249b3bb9d7b6d5ae (cherry picked from commit 70e51eb2ba)
2024-01-29 23:25:44 +00:00 · 2024-01-29 23:25:44 +00:00 · 68542c04a1
parent ce640c8f6b
commit 68542c04a1
1 changed files with 7 additions and 1 deletions
--- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
+++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
@ -1203,7 +1203,13 @@ class OVNClient(object):

        for fixed_ip in port_fixed_ips:
            subnet_id = fixed_ip['subnet_id']
-            subnet = self._plugin.get_subnet(context, subnet_id)
+            # NOTE(ralonsoh): it is needed to use the "admin" context here to
+            # retrieve the subnet. The subnet object is not handling correctly
+            # the RBAC filtering because is not filtering by
+            # "access_as_external", as network object is doing in
+            # ``_network_filter_hook``. See LP#2051831.
+            # TODO(ralonsoh): once LP#2051831 is fixed, remove "elevated()".
+            subnet = self._plugin.get_subnet(context.elevated(), subnet_id)
            cidr = netaddr.IPNetwork(subnet['cidr'])
            networks.add("%s/%s" % (fixed_ip['ip_address'],
                                    str(cidr.prefixlen)))