Use elevated context to get default SG from database

With the new system/project scopes, it may happen that a project admin
will try to list security groups for a different project, and during
that call Neutron will ensure that the default security group is created.

In such a case, elevated context needs to be used to get the SG object from
the database; otherwise, the SG will not be found and error 500 will be
returned through the API.

Use of elevated context is fine here, as if the user doesn't have access to
the SG, it will be filtered out by the policy mechanism and it will not
be returned through the API.

Closes-Bug: #1934115
Change-Id: I0ca07d1a1aaf05c1992aea9e29575580d7933324
Slawek Kaplonski
2021-06-30 11:28:36 +02:00
parent 25207ed9c0
commit f6c3747cae


@@ -141,7 +141,14 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase,
reservation.reservation_id)
# fetch sg from db to load the sg rules with sg model.
sg = sg_obj.SecurityGroup.get_object(context, id=sg.id)
# NOTE(slaweq): With new system/project scopes it may happen that
# project admin will try to list security groups for different
# project and during that call Neutron will ensure that default
# security group is created. In such case elevated context needs to
# be used here otherwise, SG will not be found and error 500 will
# be returned through the API
get_context = context.elevated() if default_sg else context
sg = sg_obj.SecurityGroup.get_object(get_context, id=sg.id)
secgroup_dict = self._make_security_group_dict(sg)
self._registry_notify(resources.SECURITY_GROUP,
events.PRECOMMIT_CREATE,
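
Review bot: the line `get_context = context.elevated() if default_sg else context` elevates on `default_sg` alone, so every default-SG creation now reads with the elevated context, not only the cross-project listing the NOTE describes. The NOTE also omits why the elevation is safe; the commit message's reasoning (an SG the caller cannot access is filtered out by the policy mechanism) should be recorded in the comment, since nothing in this hunk enforces it. Because `secgroup_dict` is built from the elevated read, a test covering a project admin listing another project's security groups should assert both that the call no longer returns 500 and that the default SG does not appear in the response when policy denies it.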