From 68542c04a11a5585986571dac15fd72e11fb8f73 Mon Sep 17 00:00:00 2001
From: Rodolfo Alonso Hernandez
Date: Mon, 29 Jan 2024 23:25:44 +0000
Subject: [PATCH] [OVN] Use elevated context to retrieve subnet in router port configuration

The method ``_get_nets_and_ipv6_ra_confs_for_router_port`` can be called from a non-admin user request, when updating or creating a local router port. If the router external gateway network is "external" (as it should be) but is not explicitly shared (a network RBAC with action "access_as_shared"), the user won't retrieve the corresponding subnet.

NOTE: is is *not* needed to apply both "access_as_shared" and "access_as_external" RBACs to a network. Please read c#1 in the LP bug for more context.

Related-Bug: #2051831
Change-Id: I161f1a6021c0da2d0063f8cb249b3bb9d7b6d5ae
(cherry picked from commit 70e51eb2baac3c891d735aa5ffbeb4fca425f29b)
---
 .../ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
index b376f32feb5..c5b932a6bb6 100644
--- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
+++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
@@ -1203,7 +1203,13 @@ class OVNClient(object):
         for fixed_ip in port_fixed_ips:
             subnet_id = fixed_ip['subnet_id']
-            subnet = self._plugin.get_subnet(context, subnet_id)
+            # NOTE(ralonsoh): it is needed to use the "admin" context here to
+            # retrieve the subnet. The subnet object is not handling correctly
+            # the RBAC filtering because is not filtering by
+            # "access_as_external", as network object is doing in
+            # ``_network_filter_hook``. See LP#2051831.
+            # TODO(ralonsoh): once LP#2051831 is fixed, remove "elevated()".
+            subnet = self._plugin.get_subnet(context.elevated(), subnet_id)
             cidr = netaddr.IPNetwork(subnet['cidr'])
             networks.add("%s/%s" % (fixed_ip['ip_address'], str(cidr.prefixlen)))
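Review bot: `context.elevated()` on the new `get_subnet` call removes every RBAC and tenant-ownership check for that lookup, not only the missing "access_as_external" filter the NOTE describes, so a subnet the requester could legitimately never see is now read on their behalf for any `subnet_id` that reaches this loop. The lookup is only safe because `subnet_id` comes from the port's own `fixed_ips`, which the plugin is presumed to have validated before the OVN driver runs; the comment should state that precondition explicitly rather than leaving it implicit. To keep the privilege widening to the one case the bug covers, try the caller's context first and fall back to the elevated one only when the subnet is filtered out, and adjust the exception name to the one this module imports (`n_exc` from neutron_lib is the usual alias here, but it is not visible in the hunk). The enclosing method `_get_nets_and_ipv6_ra_confs_for_router_port` starts and ends outside this hunk.

```python
            # NOTE: the subnet object does not filter by "access_as_external"
            # like ``_network_filter_hook`` does (LP#2051831), so a non-admin
            # request on a port of an external-but-not-shared network cannot
            # read the subnet. Fall back to the admin context ONLY in that
            # case; subnet_id is taken from the port's own fixed_ips, which the
            # plugin has already authorised for this request.
            # TODO: once LP#2051831 is fixed, drop the elevated() fallback.
            try:
                subnet = self._plugin.get_subnet(context, subnet_id)
            except n_exc.SubnetNotFound:
                subnet = self._plugin.get_subnet(context.elevated(), subnet_id)
            # … unchanged: cidr / networks.add …
```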