Comment 3 for bug 1200585

Jian Wen (wenjianhn) wrote :

We don't need to validate the tenant_id for each api call. Only tenant_id
set by admin in the command is needed to validate against keystone by neutron.
Mostly, neutron server gets tenant_id from keystone by using the X-Auth-Token
http header.
We can always get a valid tenant_id by using context.tenant_id.

For example, an admin creating a network for a non-existent tenant_id 111.
REQ: curl -i http://192.168.11.3:9696/v2.0/floatingips.json -X POST -H "X-Auth-Token: ..." -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-quantumclient" -d '{"floatingip": {"floating_network_id": "05fa4ce3-b834-40d1-bf9b-4794f057f40b", "tenant_id": "111"}}'

Neutron server is able to get the admin tenant_id by using context.tenant_id which is valid.
The tenant_id that we need to validate separately is 111 in the request body.
we need to tell the admin if he is doing something wrong.

affected commands:
floatingip-create, lb-member-create, lb-pool-create, lb-vip-create, net-create,
port-create, security-group-create, security-group-rule-create,
subnet-create and quota-update.