Fix segment-aware scheduling permissions error

Resolves a bug encountered when setting the Nova scheduler to
be aware of Neutron routed provider network segments, by using
'query_placement_for_routed_network_aggregates'.

Non-admin users attempting to access the 'segment_id' attribute
of a subnet caused a traceback, resulting in instance creation
failure.

This patch ensures the Neutron client is initialised with an
administrative context no matter what the requesting user's
permissions are.

Conflicts:
   nova/network/neutron.py
   nova/tests/unit/network/test_neutron.py
Both conflicts are due to I8058902df167239fa455396d3595a56bcf472b2b,
so we picked only the needed modifications.

Change-Id: Ic0f25e4d2395560fc2b68f3b469e266ac59abaa2
Closes-Bug: #1970383
(cherry picked from commit ee32934f34)
(cherry picked from commit 60548e8042)
Andrew Bonney
2022-04-26 11:35:38 +01:00
committed by Sylvain Bauza
parent 61bd4582c9
commit 28f94eb69a
3 changed files with 15 additions and 2 deletions


@@ -3764,7 +3764,7 @@ class API:
if not self._has_segment_extension(context):
return []
client = get_client(context)
client = get_client(context, admin=True)
try:
# NOTE(sbauza): We can't use list_segments() directly because the
# API is borked and returns both segments but also segmentation IDs
@@ -3794,7 +3794,7 @@ class API:
if not self._has_segment_extension(context):
return None
client = get_client(context)
client = get_client(context, admin=True)
try:
subnet = client.show_subnet(subnet_id)['subnet']
except neutron_client_exc.NeutronClientException as e:
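Review bot: Both `get_client(context, admin=True)` calls now read subnets with elevated credentials, so Neutron's policy no longer filters the lookup by the requesting user. The network or subnet ID passed in therefore needs to have been checked against the user's own visibility before these methods run, and the hunks do not show whether the callers do that. The returned segment IDs should also stay internal to scheduling, since the commit message indicates 'segment_id' is not readable by non-admin users. I would add a comment above each call, for example `# NOTE: segment_id is admin-only in Neutron; the admin client is deliberate (bug 1970383). Do not return these IDs to the requester.` Both enclosing methods start and end outside the hunks.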


@@ -7342,6 +7342,7 @@ class TestAPI(TestAPIBase):
res = self.api.get_segment_ids_for_network(
self.context, uuids.network_id)
self.assertEqual([uuids.segment_id], res)
mock_client.assert_called_once_with(self.context, admin=True)
mocked_client.list_subnets.assert_called_once_with(
network_id=uuids.network_id, fields='segment_id')
@@ -7357,6 +7358,7 @@ class TestAPI(TestAPIBase):
res = self.api.get_segment_ids_for_network(
self.context, uuids.network_id)
self.assertEqual([], res)
mock_client.assert_called_once_with(self.context, admin=True)
mocked_client.list_subnets.assert_called_once_with(
network_id=uuids.network_id, fields='segment_id')
@@ -7372,6 +7374,7 @@ class TestAPI(TestAPIBase):
self.assertRaises(exception.InvalidRoutedNetworkConfiguration,
self.api.get_segment_ids_for_network,
self.context, uuids.network_id)
mock_client.assert_called_once_with(self.context, admin=True)
def test_get_segment_id_for_subnet_no_segment_ext(self):
with mock.patch.object(
@@ -7393,6 +7396,7 @@ class TestAPI(TestAPIBase):
res = self.api.get_segment_id_for_subnet(
self.context, uuids.subnet_id)
self.assertEqual(uuids.segment_id, res)
mock_client.assert_called_once_with(self.context, admin=True)
mocked_client.show_subnet.assert_called_once_with(uuids.subnet_id)
@mock.patch.object(neutronapi, 'get_client')
@@ -7407,6 +7411,7 @@ class TestAPI(TestAPIBase):
self.assertIsNone(
self.api.get_segment_id_for_subnet(self.context,
uuids.subnet_id))
mock_client.assert_called_once_with(self.context, admin=True)
@mock.patch.object(neutronapi, 'get_client')
def test_get_segment_id_for_subnet_fails(self, mock_client):
@@ -7420,6 +7425,7 @@ class TestAPI(TestAPIBase):
self.assertRaises(exception.InvalidRoutedNetworkConfiguration,
self.api.get_segment_id_for_subnet,
self.context, uuids.subnet_id)
mock_client.assert_called_once_with(self.context, admin=True)
@mock.patch.object(neutronapi.LOG, 'debug')
def test_get_port_pci_dev(self, mock_debug):
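Review bot: The added `mock_client.assert_called_once_with(self.context, admin=True)` lines only pin the argument passed to the patched `get_client`. With the client mocked, none of these tests shows that a request from a non-admin context now succeeds, which is the failure the commit fixes. Whether `self.context` is a non-admin context is not visible in these hunks. A comment on the first assertion, such as `# segment lookups must use an admin client whatever the requester's role (bug 1970383)`, would keep a later cleanup from dropping the keyword. The paths that return early when the segment extension is absent could also assert `mock_client.assert_not_called()`, if they do not already, so that no elevated client is built there. The test methods start and end outside the hunks.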


@@ -0,0 +1,7 @@
---
fixes:
- |
`Bug #1970383 <https://bugs.launchpad.net/nova/+bug/1970383>`_: Fixes a
permissions error when using the
'query_placement_for_routed_network_aggregates' scheduler variable, which
caused a traceback on instance creation for non-admin users.