Comment 9 for bug 1243327

Aaron Rosen (arosen) wrote : Re: Routers can be cross plugged by other tenants

Hi Akihiro,

Thanks for reviewing! On second thought, I think that my patch does break/change a current behavior. Currently in Neutron we support (or maybe not intentionally, but the API accepts it) the admin user attaching other tenants' subnets to routers. With my patch this functionality no longer works for plugins using the L3 agent. I'm not sure we really want to support this type of thing, though. We have this same issue all over, though.

For example, as admin a tenant can attach another tenant's security_group to another tenant's ports (thus that tenant won't be able to see the rules in the profile). Same with floatingips.

I personally think we should remove this type of functionality though. I'm not sure there is a large use case for two different tenants to be connected to the same router (though I think others would probably disagree).

An alternative approach we can use to solve this problem is to not allow create/update_port to be called with device_owner=("network:router_interface"). In order to do this, though, we'll have to add another param to create/update_port to account for when the create port call comes from router-interface-add.

What are your thoughts?