VNF Package onboarding fails due to vnfd_id conflict across tenants
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| tacker |
New
|
Undecided
|
Unassigned | ||
Bug Description
## Summary
In the current Tacker implementation, a VNFD ID is treated as globally unique across all projects.
As a result, it is not possible for multiple projects to onboard VNF packages that contain the same vnfdId,
even if those projects are logically separated tenants.
This behavior is inconsistent with the expected multi-tenant model, where each tenant should be able
to onboard and use the same VNF package independently.
## Current behavior
When there are two projects (for example, Project A and Project B),
and both try to onboard a VNF package that contains the same vnfdId:
- Project A can successfully onboard the VNF package.
- Project B tries to onboard a different VNF package that contains the same vnfdId.
- The onboarding for Project B fails with VnfPackageVnfdI
remains in CREATED instead of changing to ONBOARDED.
Project A:
```
$ openstack vnf p list
+------
| Id | Vnf Product Name | Onboarding State | Usage State | Operational State | Links |
+------
| a1cf34b0-
| | | | | | "self": { |
| | | | | | "href": "/vnfpkgm/
| | | | | | }, |
| | | | | | "packageContent": { |
| | | | | | "href": "/vnfpkgm/
| | | | | | } |
| | | | | | } |
+------
$ openstack vnf p show a1cf34b0-
+------
| Field | Value |
+------
| VNFD ID | c922dbf4-
+------
```
Project B:
The status remains `CREATED` instead of changing to `ONBOARDED`.
```
$ openstack vnf p list
+------
| Id | Vnf Product Name | Onboarding State | Usage State | Operational State | Links |
+------
| 390b0bc9-
| | | | | | "self": { |
| | | | | | "href": "/vnfpkgm/
| | | | | | }, |
| | | | | | "packageContent": { |
| | | | | | "href": "/vnfpkgm/
| | | | | | } |
| | | | | | } |
+------
```
Tacker error log
```
Traceback (most recent call last):
File "/usr/local/
res = self.dispatcher
File "/usr/local/
return self._do_
File "/usr/local/
result = func(ctxt, **new_args)
File "/opt/stack/
vnf_
File "/usr/local/
self.
File "/usr/local/
raise self.value
File "/opt/stack/
return function(self, context, *args, **kwargs)
File "/opt/stack/
self.
File "/opt/stack/
package_
File "/usr/local/
return fn(self, *args, **kwargs)
File "/opt/stack/
db_
File "/usr/local/
return fn(*args, **kwargs)
File "/opt/stack/
raise exceptions.
tacker.
```
## Expected behavior
From a data-model perspective, tenant-scoped resources in Tacker should behave
consistently.
Resources such as:
- VNF Package (e.g. `vnf_packages` table),
- VNF Instance (e.g. `vnf_instances` table),
- VIMs (e.g. `vims` table) ...
all have a `tenant_id` column and are treated as **tenant-scoped**. Their
ownership and uniqueness are evaluated within the scope of a single
tenant/project.
By contrast, the VNFD metadata table (e.g. `vnf_package_vnfd`) does not have
a `tenant_id` column, and `vnfdId` is enforced as **globally unique** across
the whole deployment. This effectively makes VNFD a **global** resource.
In a real multi-tenant NFV deployment, however:
- The same VNFD (the same VNF product and VNFD content) may need to be used
by different projects/tenants.
- The choice of “which project owns this VNF package?” is an operational and
design decision, and should not be constrained by a globally unique `vnfdId`.
Therefore, VNFD should be aligned with other resources and become
**tenant-scoped** as well, by introducing `tenant_id` into the VNFD metadata
and scoping uniqueness per tenant.
VNFD metadata (vnf_package_vnfd) – expected
- id (PK)
- package_uuid (FK → vnf_packages.id)
- tenant_id (same value as the owning VNF package)
- vnfd_id
- ... other fields ...
- Uniqueness constraint:
UNIQUE (tenant_id, vnfd_id)
| description: | updated |
