authorGary Kotton <gkotton@vmware.com>2014-09-22 10:03:37 -0700
committerGary Kotton <gkotton@vmware.com>2014-09-23 01:55:54 -0700
commit32ea2e349decd750e25cb00a8c907b8f73f795f3 (patch)
treef56097ffd1a2dbff76c9a639f8b89b233d1ec810
parent9d5bd529cd21a73a6697992e708d712801c78e39 (diff)
downloadneutron-32ea2e349decd750e25cb00a8c907b8f73f795f3.tar.gz
Security groups: prevent race for default security group creation
When a VM is booted via Nova, the client connection is created with an admin user. This causes problems when creating the neutron port: there may be a race for the creation of the default security group for the tenant. The problem was introduced by commit acf44dba26ca8dca47bfb5fb2916807f9f4e2060

Change-Id: Ie0199c71231a322704f1f49995facde09c92da25
Closes-bug: #1372570
-rw-r--r--neutron/db/securitygroups_db.py13
-rw-r--r--neutron/tests/unit/test_extension_security_group.py10
2 files changed, 21 insertions, 2 deletions
diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py
index e10d29e6f3..23b5c80cb1 100644
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@@ -147,7 +147,12 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
# because all the unit tests do not explicitly set the context on
# GETS. TODO(arosen) context handling can probably be improved here.
if not default_sg and context.tenant_id:
- self._ensure_default_security_group(context, context.tenant_id)
+ tenant_id = filters.get('tenant_id')
+ if tenant_id:
+ tenant_id = tenant_id[0]
+ else:
+ tenant_id = context.tenant_id
+ self._ensure_default_security_group(context, tenant_id)
marker_obj = self._get_marker_obj(context, 'security_group', limit,
marker)
return self._get_collection(context,
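Review bot: The tenant passed to `_ensure_default_security_group` now comes from the caller-supplied `tenant_id` filter, and nothing in this hunk checks that the caller is allowed to act for that tenant. If a non-admin request can reach this branch with another tenant's id in the filter, the ensure step would run for a tenant the caller does not own; whether a later check rejects that is not visible here. Consider honouring the filter only for admin contexts, `if tenant_id and context.is_admin:`, and falling back to `context.tenant_id` otherwise. Separately, `filters.get('tenant_id')` raises AttributeError if `filters` can be None (the signature is outside the hunk); `tenant_id = (filters or {}).get('tenant_id')` avoids that.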
@@ -518,9 +523,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
return
port_sg = p.get(ext_sg.SECURITYGROUPS, [])
+ filters = {'id': port_sg}
+ tenant_id = p.get('tenant_id')
+ if tenant_id:
+ filters['tenant_id'] = [tenant_id]
valid_groups = set(g['id'] for g in
self.get_security_groups(context, fields=['id'],
- filters={'id': port_sg}))
+ filters=filters))
requested_groups = set(port_sg)
port_sg_missing = requested_groups - valid_groups
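Review bot: The new `tenant_id` filter has no comment, and its purpose is not obvious from this hunk alone: besides narrowing the lookup, it is what lets `get_security_groups` pick the port's tenant rather than the caller's when it ensures the default group (first hunk of this file). I would add above `filters = {'id': port_sg}` a comment such as `# Filter by the port's tenant so the default security group is ensured for that tenant, not for the admin caller.` The same comment should mention that group ids owned by a different tenant will presumably now end up in `port_sg_missing` even when the context is admin, since that is a behaviour change for callers. The enclosing method starts and ends outside the hunk.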
diff --git a/neutron/tests/unit/test_extension_security_group.py b/neutron/tests/unit/test_extension_security_group.py
index 478d4a31dd..4f52ba0807 100644
--- a/neutron/tests/unit/test_extension_security_group.py
+++ b/neutron/tests/unit/test_extension_security_group.py
@@ -573,6 +573,16 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
neutron_context=neutron_context).get('security_groups')
self.assertEqual(len(sg), 1)
+ def test_security_group_port_create_creates_default_security_group(self):
+ res = self._create_network(self.fmt, 'net1', True,
+ tenant_id='not_admin',
+ set_context=True)
+ net1 = self.deserialize(self.fmt, res)
+ res = self._create_port(self.fmt, net1['network']['id'],
+ tenant_id='not_admin', set_context=True)
+ sg = self._list('security-groups').get('security_groups')
+ self.assertEqual(len(sg), 1)
+
def test_default_security_group_rules(self):
with self.network():
res = self.new_list_request('security-groups')
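Review bot: The new test `test_security_group_port_create_creates_default_security_group` only asserts that one security group exists, so it would also pass if the default group were created for the wrong tenant. Adding `self.assertEqual('not_admin', sg[0]['tenant_id'])` after the length check would pin the behaviour this commit is about. The response of `_create_port` is also never inspected, so a failed port create could go unnoticed if the group happened to exist for another reason; asserting the response status before listing would close that gap.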