Fix segment-aware scheduling permissions error

Resolves a bug encountered when setting the Nova scheduler to
be aware of Neutron routed provider network segments, by using
'query_placement_for_routed_network_aggregates'.

Non-admin users attempting to access the 'segment_id' attribute
of a subnet caused a traceback, resulting in instance creation
failure.

This patch ensures the Neutron client is initialised with an
administrative context no matter what the requesting user's
permissions are.

Change-Id: Ic0f25e4d2395560fc2b68f3b469e266ac59abaa2
Closes-Bug: #1970383
Andrew Bonney 2022-04-26 11:35:38 +01:00
parent 56b5aed08c
commit ee32934f34
3 changed files with 25 additions and 4 deletions


@ -3855,7 +3855,7 @@ class API:
either Segment extension isn't enabled in Neutron or if the network
isn't configured for routing.
"""
client = get_client(context)
client = get_client(context, admin=True)
if not self.has_segment_extension(client=client):
return []
@ -3886,7 +3886,7 @@ class API:
extension isn't enabled in Neutron or the provided subnet doesn't
have segments (if the related network isn't configured for routing)
"""
client = get_client(context)
client = get_client(context, admin=True)
if not self.has_segment_extension(client=client):
return None
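Review bot: Both `get_client(context, admin=True)` calls move the whole lookup onto an admin Neutron client, and nothing next to them says why or what that implies for the caller. Judging by the tests, the same client then issues `list_subnets` and `show_subnet`, so those queries are no longer restricted to what the requesting user may read. The network or subnet ID therefore has to be authorised against the user's own context before it reaches these methods, which cannot be confirmed here because both bodies continue outside the hunks. I would add above each call a comment such as `# NOTE: 'segment_id' is not readable by non-admin users, so an admin client is required; the result is for scheduling only and must never be returned to the requester.`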


@ -7026,13 +7026,17 @@ class TestAPI(TestAPIBase):
req_lvl_params.same_subtree,
)
def test_get_segment_ids_for_network_no_segment_ext(self):
@mock.patch.object(neutronapi, 'get_client')
def test_get_segment_ids_for_network_no_segment_ext(self, mock_client):
mocked_client = mock.create_autospec(client.Client)
mock_client.return_value = mocked_client
with mock.patch.object(
self.api, 'has_segment_extension', return_value=False,
):
self.assertEqual(
[], self.api.get_segment_ids_for_network(self.context,
uuids.network_id))
mock_client.assert_called_once_with(self.context, admin=True)
@mock.patch.object(neutronapi, 'get_client')
def test_get_segment_ids_for_network_passes(self, mock_client):
@ -7046,6 +7050,7 @@ class TestAPI(TestAPIBase):
res = self.api.get_segment_ids_for_network(
self.context, uuids.network_id)
self.assertEqual([uuids.segment_id], res)
mock_client.assert_called_once_with(self.context, admin=True)
mocked_client.list_subnets.assert_called_once_with(
network_id=uuids.network_id, fields='segment_id')
@ -7061,6 +7066,7 @@ class TestAPI(TestAPIBase):
res = self.api.get_segment_ids_for_network(
self.context, uuids.network_id)
self.assertEqual([], res)
mock_client.assert_called_once_with(self.context, admin=True)
mocked_client.list_subnets.assert_called_once_with(
network_id=uuids.network_id, fields='segment_id')
@ -7076,14 +7082,19 @@ class TestAPI(TestAPIBase):
self.assertRaises(exception.InvalidRoutedNetworkConfiguration,
self.api.get_segment_ids_for_network,
self.context, uuids.network_id)
mock_client.assert_called_once_with(self.context, admin=True)
def test_get_segment_id_for_subnet_no_segment_ext(self):
@mock.patch.object(neutronapi, 'get_client')
def test_get_segment_id_for_subnet_no_segment_ext(self, mock_client):
mocked_client = mock.create_autospec(client.Client)
mock_client.return_value = mocked_client
with mock.patch.object(
self.api, 'has_segment_extension', return_value=False,
):
self.assertIsNone(
self.api.get_segment_id_for_subnet(self.context,
uuids.subnet_id))
mock_client.assert_called_once_with(self.context, admin=True)
@mock.patch.object(neutronapi, 'get_client')
def test_get_segment_id_for_subnet_passes(self, mock_client):
@ -7097,6 +7108,7 @@ class TestAPI(TestAPIBase):
res = self.api.get_segment_id_for_subnet(
self.context, uuids.subnet_id)
self.assertEqual(uuids.segment_id, res)
mock_client.assert_called_once_with(self.context, admin=True)
mocked_client.show_subnet.assert_called_once_with(uuids.subnet_id)
@mock.patch.object(neutronapi, 'get_client')
@ -7111,6 +7123,7 @@ class TestAPI(TestAPIBase):
self.assertIsNone(
self.api.get_segment_id_for_subnet(self.context,
uuids.subnet_id))
mock_client.assert_called_once_with(self.context, admin=True)
@mock.patch.object(neutronapi, 'get_client')
def test_get_segment_id_for_subnet_fails(self, mock_client):
@ -7124,6 +7137,7 @@ class TestAPI(TestAPIBase):
self.assertRaises(exception.InvalidRoutedNetworkConfiguration,
self.api.get_segment_id_for_subnet,
self.context, uuids.subnet_id)
mock_client.assert_called_once_with(self.context, admin=True)
@mock.patch.object(neutronapi.LOG, 'debug')
def test_get_port_pci_dev(self, mock_debug):
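Review bot: Every assertion added in this file is `mock_client.assert_called_once_with(self.context, admin=True)` against a patched `get_client`, so the tests pin the call signature rather than the behaviour the bug report describes. None of them visibly uses a non-admin request context, although `self.context` is set up outside these hunks and may already be one. A regression test that runs `get_segment_ids_for_network` and `get_segment_id_for_subnet` with an explicitly non-admin context, without mocking `get_client` itself, would catch a later change in how the `admin` flag is honoured. It would also be worth a short docstring on the two `*_no_segment_ext` tests stating that the admin client is expected even when the extension check returns early.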


@ -0,0 +1,7 @@
---
fixes:
- |
`Bug #1970383 <https://bugs.launchpad.net/nova/+bug/1970383>`_: Fixes a
permissions error when using the
'query_placement_for_routed_network_aggregates' scheduler variable, which
caused a traceback on instance creation for non-admin users.