Use elevated context when getting default SG for tenant

With new scopes, when e.g. project admin context is used to ensure default SG for different tenant, elevated context needs to be used to make db query. Otherwise default SG will not be found and attempt to create it in DB may fail with DuplicateDbEntry error. Closes-Bug: #1938910 Change-Id: Ib884be6aa12bd0d3faf83f3e753f8e7aad503b68
2021-08-04 17:02:14 +02:00 · 2021-08-04 17:02:14 +02:00 · e6c3686cd8
parent 0985c7c29c
commit e6c3686cd8
1 changed files with 4 additions and 1 deletions
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@ -910,8 +910,11 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase,
                                       security_groups else [])

    def _get_default_sg_id(self, context, tenant_id):
+        # NOTE(slaweq): With new system/project scopes it may happen that
+        # project admin will try to find default SG for different
+        # project. In such case elevated context needs to be used.
        default_group = sg_obj.DefaultSecurityGroup.get_object(
-            context,
+            context.elevated(),
            project_id=tenant_id,
        )
        if default_group: