Short Story - Roman has a working patch.

Long Story (discussion on IRC)

[11:05] <dansmith> derekh: yeah, I know, not intending to blame you or anyone
[11:05] <rpodolyaka> dims: so it's called from code that has no idea, if admin=True must be set
[11:05] <dansmith> derekh: but it's clearly pretty fragile so I just think something more complicated must be going on and I think folks familiar with neutronapi should be taking a pretty deep look before we freak out this time
[11:06] <dims> rpodolyaka, i see that the "special" admin context is created here - get_metadata_by_address
[11:07] <dims> rpodolyaka, will you be able to try something (give me 10 mins)?
[11:07] <rpodolyaka> dims: sure!
[11:12] <rpodolyaka> dims: yeah, it's kind of special. What I want to say, is that PhilD's patch is all about making sure we pass admin=True to get_client() explicitly (and it's cool :) ), but e.g. the code of get_fixed_ip_by_address() have no idea about passing admin=True (and it seems, that it should not have, because it can be called to handle the request of a regular user too)
[11:12] * garyk has quit (Quit: Leaving.)
[11:12] <dansmith> yep
[11:12] <dims> rpodolyaka, i know. try this - http://paste.openstack.org/show/54078/
[11:13] <dims> rpodolyaka, i had mentioned this in the review for Phil's patch
[11:13] * rpodolyaka is applying the patch and restarting nova
[11:17] <rpodolyaka> dims: http://paste.openstack.org/show/54080/
[11:17] <rpodolyaka> dims: looking at the patch itself now :)
[11:18] <dansmith> change the context param,
[11:18] <dims> rpodolyaka, heh :) yes please
[11:18] <dansmith> so that it doesn't conflict with the context module
[11:18] <dansmith> s/context/ctxt/ in that method
[11:18] <dims> +1 to dansmith 
[11:20] <rpodolyaka> dims: dansmith: that was an easy one :)
[11:20] <rpodolyaka> voila!
[11:21] <dansmith> dims: can you explain why this fixes it?
[11:21] <rpodolyaka> dims:  looks likes it works, thanks!
[11:21] <dansmith> I don't have the context, but this seems sketchy to me
[11:21] <rpodolyaka> it makes the admin context really special now, I think :)
[11:21] <dims> rpodolyaka, nice
[11:21] <dims> rpodolyaka, right
[11:21] <rpodolyaka> not by is_admin=True
[11:22] <dims> yep
[11:22] <rpodolyaka> but making it a new type
[11:22] <dansmith> heh, I can read :)
[11:22] <dansmith> isinstance() and foo.is_admin==True is roughly equivalent
[11:23] <dims> we have admin contexts we create by hand and there are contexts from users who are really admins
[11:23] <dims> there only flag is is_admin for both cases
[11:23] <dims> here we are adding another way to distinguish between the two
[11:24] <dansmith> and that's a good thing why?
[11:24] <dims> if it is an admin context created by hand, we use the neutron credentials in nova.conf 
[11:24] <dansmith> because this seems like a good way to be confused in a few months
[11:24] <dims> dansmith, if you peek at phil's original patch you will see the issue
[11:25] <rpodolyaka> not sure, if it's the best to do that, but must distinguish them somethow
[11:25] <rpodolyaka> *we
[11:26] <dansmith> is the problem that if the user is an admin we use his credentials instead of the neutron credentials when talking to nova?
[11:26] <dansmith> er, talking to neutron
[11:29] <dims> dansmith, we created a fake context marking it as is_admin and we were trying to use that to talk to neutron
[11:30] * dansmith gives up
[11:32] <rpodolyaka> dims: the thing that worries me is that how this passed the gate, aren't we testing the case when nova + neutron boot an instance which makes requests to Metadata API?
[11:32] <dims> rpodolyaka, apparently not :(
[11:33] <rpodolyaka> dims: I mean, this seems to kind of a 'core' feature of compute API