commit 652620d12f3afe6845e41d9762b52d23f44fd557
Author: Phil Day <email address hidden>
Date: Fri Nov 29 23:24:51 2013 +0000

Fix Neutron Authentication for Metadata Service

A recent change to the way Nova creates a Neutron client
51e5f52e4cb60e266ccde71f205c91eb8c97b48b changed the conditions
under which it re-authenticates using the neutron admin credentials
from "if admin" to "if admin or context.is_admin". However this
meant that any user with admin role in Nova interacted with Neutron
as a different tenant, preventing them from non-admin actions such
as allocating floating IPs.

This was then addressed by 1c1371c78b990447aeaa4377b512f8887e6ff3ce
which only reauthenticated as admin on the explicit use of
"admin=True" parameter to neutronv2.get_client().

However the metadata service does not explicitly create the neutron
client so it has to pass in a context created by
context.get_admin_context() which has is_admin=True but no auth_token.

This change therefore accepts this combination of context values
as a valid reason to re-authenticate as admin, while still allowing
users with the admin role to use their own token.

As a tidy up two tests for getting an admin client are moved from
TestNeutronClient to join the other admin client tests in
TestNeutronClientForAdminScenarios
Reviewed: https://review.openstack.org/59243
Committed: http://github.com/openstack/nova/commit/652620d12f3afe6845e41d9762b52d23f44fd557
Submitter: Jenkins
Branch: master
Change-Id: Ic2a6f383a85f6bb606d8d65feaefa0d23329adb9
Closes-Bug: 1255577
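
The three re-authentication conditions described in the commit message, modelled side by side as an added example (this is not Nova's code). `Context`, `RULES`, `credentials_used` and the token strings are hypothetical names and constructed values; only the boolean conditions come from the message.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    """Minimal stand-in for a Nova request context (constructed for this example)."""
    is_admin: bool
    auth_token: Optional[str]


# "Re-authenticate with the neutron admin credentials?" as each commit decided it.
RULES = {
    "after 51e5f52": lambda ctx, admin: admin or ctx.is_admin,
    "after 1c1371c": lambda ctx, admin: admin,
    "this change": lambda ctx, admin: admin or (ctx.is_admin and not ctx.auth_token),
}


def credentials_used(rule: str, ctx: Context, admin: bool = False) -> str:
    """Return which identity the Neutron client would present under a rule."""
    if RULES[rule](ctx, admin):
        return "neutron-admin"
    # Without re-authentication the only credential available is the caller's
    # own token; a context without one has nothing to present.
    return "user-token" if ctx.auth_token else "none"


# Constructed callers matching the three cases in the commit message.
SCENARIOS = {
    "regular user": Context(is_admin=False, auth_token="tok-user"),
    "user with admin role": Context(is_admin=True, auth_token="tok-admin-user"),
    "metadata service": Context(is_admin=True, auth_token=None),  # get_admin_context()
}


def decision_table() -> dict:
    """Identity used for every (rule, caller) pair with admin left at False."""
    return {
        (rule, name): credentials_used(rule, ctx)
        for rule in RULES
        for name, ctx in SCENARIOS.items()
    }


if __name__ == "__main__":
    for (rule, name), creds in decision_table().items():
        print(f"{rule:14} {name:22} -> {creds}")
```
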