Users with admin role in Nova should not re-authenticate with Neutron

Bug #1250763 reported by Phil Day
Affects                    Status        Importance  Assigned to     Milestone
OpenStack Compute (nova)   Fix Released  High        Phil Day
Havana                     Fix Released  High        Matt Riedemann

Bug Description

A recent change to the way Nova creates a Neutron client https://review.openstack.org/#/c/52954/4
changed the conditions under which it re-authenticates using the neutron admin credentials from
“if admin” to “if admin or context.is_admin”.

This means that any user with admin role in Nova now interacts with Neutron as a different tenant.
Not only does this cause an unnecessary re-authentication (The user may/should also have an admin
role in Neutron) it means that they can no longer allocate and assign a floating IP to their instance
via Nova (as the floating IP will now always be allocated in the context of neutron_admin_tenant).

The context_is_admin part of this change should be reverted.

Matt Riedemann (mriedem) wrote :
tags: added: network
Changed in nova:
status: New → In Progress
assignee: nobody → Phil Day (philip-day)
Matt Riedemann (mriedem)
Changed in nova:
importance: Undecided → High
Changed in nova:
status: In Progress → Fix Committed
status: Fix Committed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/56174
Committed: http://github.com/openstack/nova/commit/1c1371c78b990447aeaa4377b512f8887e6ff3ce
Submitter: Jenkins
Branch: master

commit 1c1371c78b990447aeaa4377b512f8887e6ff3ce
Author: Phil Day <email address hidden>
Date: Wed Nov 13 09:39:47 2013 +0000

    Users with admin role in Nova should not re-auth with Neutron

    A recent change to the way Nova creates a Neutron client
    https://review.openstack.org/#/c/52954/4 changed the conditions
    under which it re-authenticates using the neutron admin credentials
    from "if admin" to "if admin or context.is_admin".

    This means that any user with admin role in Nova now interacts
    with Neutron as a different tenant. Not only does this cause an
    unnecessary re-authentication (The user may/should also have an admin
    role in Neutron) it means that they can no longer allocate and assign
    a floating IP to their instance via Nova (as the floating IP will now
    always be allocated in the context of neutron_admin_tenant).

    This change removes the context.is_admin check to revert to the
    previous behaviour where the use of admin creds is determined just
    on the explicit use of "admin=True" parameter to get_client().

    Change-Id: Ib1720420c778960bc90c5b7d703de936ebb7d6b5
    Closes-Bug: 1250763
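
The credential selection described in this bug, as a simplified Python model added here (not Nova's code and not part of the report or the commit). Only get_client(), the admin parameter, context.is_admin and neutron_admin_tenant come from the page; the classes, the sample tenant names and the assumption that Neutron assigns a floating IP to the tenant of the calling token are illustrative.

```python
# Simplified model (added example, not Nova's code). Only get_client(),
# the admin parameter, context.is_admin and neutron_admin_tenant come from
# the bug report; every other name here is hypothetical.
from dataclasses import dataclass

NEUTRON_ADMIN_TENANT = "neutron_admin_tenant"  # stands in for the service tenant


@dataclass(frozen=True)
class RequestContext:
    user_id: str
    project_id: str      # tenant the caller is scoped to
    is_admin: bool       # True when the caller holds the admin role in Nova


@dataclass(frozen=True)
class NeutronClient:
    tenant_id: str       # tenant the client's credentials are scoped to
    reauthenticated: bool

    def create_floatingip(self):
        # Assumption: the new resource is owned by the tenant of the caller.
        return {"floating_ip": "203.0.113.10", "tenant_id": self.tenant_id}


def get_client_regressed(context, admin=False):
    """Reported behaviour: the Nova admin role alone switches identity."""
    if admin or context.is_admin:
        return NeutronClient(NEUTRON_ADMIN_TENANT, reauthenticated=True)
    return NeutronClient(context.project_id, reauthenticated=False)


def get_client_fixed(context, admin=False):
    """Fixed behaviour: only an explicit admin=True uses the admin creds."""
    if admin:
        return NeutronClient(NEUTRON_ADMIN_TENANT, reauthenticated=True)
    return NeutronClient(context.project_id, reauthenticated=False)


def floating_ip_owner(get_client, context):
    """Tenant that ends up owning a floating IP requested through Nova."""
    return get_client(context).create_floatingip()["tenant_id"]


if __name__ == "__main__":
    ctx = RequestContext("alice", "tenant-a", is_admin=True)  # constructed sample
    print("regressed:", floating_ip_owner(get_client_regressed, ctx))
    print("fixed:    ", floating_ip_owner(get_client_fixed, ctx))
```

With the regressed condition the admin user's floating IP is owned by neutron_admin_tenant, so it cannot be associated with an instance in the user's own tenant; with the fixed condition it stays in the caller's tenant.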

Changed in nova:
status: In Progress → Fix Committed
Changed in nova:
milestone: none → icehouse-1
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/havana)

Reviewed: https://review.openstack.org/54736
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=bdc7519862299e43af55d7a7a221669de905d15c
Submitter: Jenkins
Branch: stable/havana

commit bdc7519862299e43af55d7a7a221669de905d15c
Author: Drew Thorstensen <email address hidden>
Date: Mon Oct 21 09:52:28 2013 -0500

    Pass thru credentials to allow re-authentication

    This is a backport of 4 fixes squashed into one because:

    1. They need to all be merged together as they build on each
       other as problems were found in each change after it was
       merged on master.
    2. The 3rd change won't pass Jenkins on its own so it has
       to be squashed with the 4th and final change, so I'm just
       going to squash the entire topic branch together.

    The change bugs fixed and cherry pick commit hashes are left
    intact for each change.

    Closes-Bug: #1241275
    (cherry picked from commit 51e5f52e4cb60e266ccde71f205c91eb8c97b48b)

    Cache Neutron Client for Admin Scenarios

    Closes-Bug: #1250580
    (cherry picked from commit 85332012dede96fa6729026c2a90594ea0502ac5)

    Users with admin role in Nova should not re-auth with Neutron

    Closes-Bug: 1250763
    (cherry picked from commit 1c1371c78b990447aeaa4377b512f8887e6ff3ce)

    Fix Neutron Authentication for Metadata Service

    Closes-Bug: 1255577
    (cherry picked from commit 652620d12f3afe6845e41d9762b52d23f44fd557)

    ============

    Change-Id: I2858562b180f3e058a2da9d67bef02af80927177

tags: added: in-stable-havana
Thierry Carrez (ttx)
Changed in nova:
milestone: icehouse-1 → 2014.1