x/vmware-nsx
Code Issues Proposed changes

Security groups: prevent race for default security group creation

Browse Source 
When a VM is booted via the Nova the client connection is created
with an admin user. This causes problems when creating the neutron
port. That is, there may be a race for the creation of the default
security group for the tenant.
The problem was introduced by commit acf44dba26

Change-Id: Ie0199c71231a322704f1f49995facde09c92da25
Closes-bug: #1372570
This commit is contained in:
Gary Kotton 2014-09-22 10:03:37 -07:00
parent ec3d40cba1
commit 20f2b9fd0b
2 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
neutron/db/securitygroups_db.py
View File

@ -147,7 +147,12 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
# because all the unit tests do not explicitly set the context on # because all the unit tests do not explicitly set the context on
# GETS. TODO(arosen) context handling can probably be improved here. # GETS. TODO(arosen) context handling can probably be improved here.
if not default_sg and context.tenant_id: if not default_sg and context.tenant_id:
self._ensure_default_security_group(context, context.tenant_id) tenant_id = filters.get('tenant_id')
if tenant_id:
tenant_id = tenant_id[0]
else:
tenant_id = context.tenant_id
self._ensure_default_security_group(context, tenant_id)
marker_obj = self._get_marker_obj(context, 'security_group', limit, marker_obj = self._get_marker_obj(context, 'security_group', limit,
marker) marker)
return self._get_collection(context, return self._get_collection(context,
@ -518,9 +523,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
return return
port_sg = p.get(ext_sg.SECURITYGROUPS, []) port_sg = p.get(ext_sg.SECURITYGROUPS, [])
filters = {'id': port_sg}
tenant_id = p.get('tenant_id')
if tenant_id:
filters['tenant_id'] = [tenant_id]
valid_groups = set(g['id'] for g in valid_groups = set(g['id'] for g in
self.get_security_groups(context, fields=['id'], self.get_security_groups(context, fields=['id'],
filters={'id': port_sg})) filters=filters))
requested_groups = set(port_sg) requested_groups = set(port_sg)
port_sg_missing = requested_groups - valid_groups port_sg_missing = requested_groups - valid_groups

10
neutron/tests/unit/test_extension_security_group.py
View File

@ -573,6 +573,16 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
neutron_context=neutron_context).get('security_groups') neutron_context=neutron_context).get('security_groups')
self.assertEqual(len(sg), 1) self.assertEqual(len(sg), 1)
def test_security_group_port_create_creates_default_security_group(self):
res = self._create_network(self.fmt, 'net1', True,
tenant_id='not_admin',
set_context=True)
net1 = self.deserialize(self.fmt, res)
res = self._create_port(self.fmt, net1['network']['id'],
tenant_id='not_admin', set_context=True)
sg = self._list('security-groups').get('security_groups')
self.assertEqual(len(sg), 1)
def test_default_security_group_rules(self): def test_default_security_group_rules(self):
with self.network(): with self.network():
res = self.new_list_request('security-groups') res = self.new_list_request('security-groups')