Admin or Provider tenant to own implicit SCIs

Whenever a Redirect action is provided/consumed GBP, the
implicitly created SCI could be owned by different tenants
depending on the actor triggering it.
To make this consistent, this patch proposes to have a single
configurable admin tenant that will own all the chain resources.
When the said tenant is not configured, the provider PTG's
tenant will be used instead.

Change-Id: I4862b87c41b48344a53dbf72c004a8dc18c2aa99
Closes-Bug: 1432816

gbpservice/neutron/services/servicechain/plugins/msc/drivers/simplechain_driver.py

@@ -15,6 +15,7 @@ import time
 
 from heatclient import client as heat_client
 from heatclient import exc as heat_exc
+from keystoneclient.v2_0 import client as keyclient
 from neutron.common import log
 from neutron.db import model_base
 from neutron import manager
@@ -416,11 +417,16 @@ class HeatClient:
 
     def __init__(self, context, password=None):
         api_version = "1"
-        endpoint = "%s/%s" % (cfg.CONF.simplechain.heat_uri, context.tenant)
+        self.tenant = context.tenant
+
+        self._keystone = None
+        endpoint = "%s/%s" % (cfg.CONF.simplechain.heat_uri, self.tenant)
         kwargs = {
-            'token': context.auth_token,
+            'token': self._get_auth_token(self.tenant),
             'username': context.user_name,
-            'password': password
+            'password': password,
+            'cacert': cfg.CONF.simplechain.heat_ca_certificates_file,
+            'insecure': cfg.CONF.simplechain.heat_api_insecure
         }
         self.client = heat_client.Client(api_version, endpoint, **kwargs)
         self.stacks = self.client.stacks
@@ -445,3 +451,25 @@ class HeatClient:
 
     def get(self, stack_id):
         return self.stacks.get(stack_id)
+
+    @property
+    def keystone(self):
+        if not self._keystone:
+            keystone_conf = cfg.CONF.keystone_authtoken
+            if keystone_conf.get('auth_uri'):
+                auth_url = keystone_conf.auth_uri
+            else:
+                auth_url = ('%s://%s:%s/v2.0/' % (
+                    keystone_conf.auth_protocol,
+                    keystone_conf.auth_host,
+                    keystone_conf.auth_port))
+            user = (keystone_conf.get('admin_user') or keystone_conf.username)
+            pw = (keystone_conf.get('admin_password') or
+                  keystone_conf.password)
+            self._keystone = keyclient.Client(
+                username=user, password=pw, auth_url=auth_url,
+                tenant_id=self.tenant)
+        return self._keystone
+
+    def _get_auth_token(self, tenant):
+        return self.keystone.get_token(tenant)

gbpservice/neutron/services/servicechain/plugins/ncp/context.py

@@ -10,10 +10,10 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-from neutron import context as n_context
 from neutron import manager
 from neutron.plugins.common import constants as pconst
 
+from gbpservice.common import utils
 from gbpservice.neutron.services.servicechain.plugins.ncp import model
 
 
@@ -23,26 +23,26 @@ def get_gbp_plugin():
 
 def get_node_driver_context(sc_plugin, context, sc_instance,
                             current_node, original_node=None,
-                            service_targets=None):
+                            management_group=None, service_targets=None):
+    admin_context = utils.admin_context(context)
     specs = sc_plugin.get_servicechain_specs(
-        context, filters={'id': sc_instance['servicechain_specs']})
+        admin_context, filters={'id': sc_instance['servicechain_specs']})
     position = _calculate_node_position(specs, current_node['id'])
     provider, _ = _get_ptg_or_ep(
-        context, sc_instance['provider_ptg_id'])
+        admin_context, sc_instance['provider_ptg_id'])
     consumer, is_consumer_external = _get_ptg_or_ep(
-        context, sc_instance['consumer_ptg_id'])
+        admin_context, sc_instance['consumer_ptg_id'])
     management, _ = _get_ptg_or_ep(context, sc_instance['management_ptg_id'])
     classifier = get_gbp_plugin().get_policy_classifier(
-        context, sc_instance['classifier_id'])
-
+        admin_context, sc_instance['classifier_id'])
     current_profile = sc_plugin.get_service_profile(
-        context, current_node['service_profile_id'])
+        admin_context, current_node['service_profile_id'])
     original_profile = sc_plugin.get_service_profile(
-        context,
+        admin_context,
         original_node['service_profile_id']) if original_node else None
     if not service_targets:
         service_targets = model.get_service_targets(
-            context.session, servicechain_instance_id=sc_instance['id'],
+            admin_context.session, servicechain_instance_id=sc_instance['id'],
             position=position, servicechain_node_id=current_node['id'])
 
     return NodeDriverContext(sc_plugin=sc_plugin,
@@ -147,7 +147,7 @@ class NodeDriverContext(object):
     @property
     def admin_context(self):
         if not self._admin_context:
-            self._admin_context = n_context.get_admin_context()
+            self._admin_context = utils.admin_context(self.plugin_context)
         return self._admin_context
 
     @property

gbpservice/neutron/services/servicechain/plugins/ncp/plugin.py

@@ -283,7 +283,9 @@ class NodeCompositionPlugin(servicechain_db.ServiceChainDbPlugin,
         self._update_chains_pt_modified(context, policy_target, 'removed')
 
     def _update_chains_pt_modified(self, context, policy_target, action):
-        scis = self._get_instances_from_policy_target(context, policy_target)
+        admin_context = utils.admin_context(context)
+        scis = self._get_instances_from_policy_target(
+            admin_context, policy_target)
 
         for sci in scis:
             updaters = self._get_scheduled_drivers(context, sci, 'update')
@@ -317,6 +319,7 @@ class NodeCompositionPlugin(servicechain_db.ServiceChainDbPlugin,
                             "failed, %s"), ex.message)
 
     def _get_instance_nodes(self, context, instance):
+        context = utils.admin_context(context)
         if not instance['servicechain_specs']:
             return []
         specs = self.get_servicechain_spec(
@@ -324,6 +327,7 @@ class NodeCompositionPlugin(servicechain_db.ServiceChainDbPlugin,
         return self.get_servicechain_nodes(context, {'id': specs['nodes']})
 
     def _get_node_instances(self, context, node):
+        context = utils.admin_context(context)
         specs = self.get_servicechain_specs(
             context, {'id': node['servicechain_specs']})
         result = []

gbpservice/neutron/services/servicechain/plugins/ncp/plumber_base.py

@@ -113,8 +113,8 @@ class NodePlumberBase(object):
 
         for pt in pts:
             try:
-                gbp_plugin.delete_policy_target(context, pt.policy_target_id,
-                                                notify_sc=False)
+                gbp_plugin.delete_policy_target(
+                    context.elevated(), pt.policy_target_id, notify_sc=False)
             except group_policy.PolicyTargetNotFound as ex:
                 LOG.debug(ex.message)
 
@@ -134,7 +134,7 @@ class NodePlumberBase(object):
                                                          instance['id']),
                     'name': '', 'port_id': None}
             data.update(target)
-            pt = gbp_plugin.create_policy_target(context,
+            pt = gbp_plugin.create_policy_target(context.elevated(),
                                                  {'policy_target': data},
                                                  notify_sc=False)
             model.set_service_target(part_context, pt['id'], relationship)