os-attach-interface returns a 500 when neutron policy forbids port creation

Bug #1603592 reported by Matt Riedemann on 2016-07-15
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)

Bug Description

From a test on our internal CI against mitaka:

root@uat-dal09-compute-316:~# nova-manage version

The tempest test failure:


The attach_interface operation is an RPC call from nova-api to nova-compute. In our case, neutron policy was such that port creation failed:


The Forbidden from neutron isn't handled in nova-api so we get a 500 back instead of a 403.

This is somewhat related to bug 1571722 and patch https://review.openstack.org/#/c/312014/ but that's fixing a 401 and a misconfiguration issue.

Matt Riedemann (mriedem) on 2016-07-16
Changed in nova:
status: New → Confirmed
importance: Undecided → Medium
Liyingjun (liyingjun) on 2016-07-21
Changed in nova:
assignee: nobody → Liyingjun (liyingjun)

Fix proposed to branch: master
Review: https://review.openstack.org/345223

Changed in nova:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/345223
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=ead6597274c088712b3992222d27faa663c67647
Submitter: Jenkins
Branch: master

commit ead6597274c088712b3992222d27faa663c67647
Author: liyingjun <email address hidden>
Date: Thu Jul 21 15:49:37 2016 +0800

    network: handle forbidden exception from neutron

    Neutron will raise a forbidden exception when the neutron policy is not
    allowed to for some operation like create_port. The operation is an RPC
    call from nova-api to nova-compute. The Forbidden from neutron isn't
    handled in nova-api so we get a 500 back instead of a 403. It should be
    a 403 in this case.

    Change-Id: Iea4feaeb7ea6860e892ef57a4443e814a74b1d9e
    Closes-bug: #1603592

Changed in nova:
status: In Progress → Fix Released

This issue was fixed in the openstack/nova development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers