Only try and do deep network config validate if admin

User mdfr reported an issue where a user with ironic, who
had member privileges of the node's owner project, reported
they would get an error about ironic being unable to validate
the cleaning network when trying to bind a baremetal port to
a portgroup.

This is rooted in checks to provide early feedback of ironic
configuration issues, which just work if a user is an admin-scoped
user... However, the networking client utilizes the
credentials from the task, meaning the credentials of the
user with member access.

That being said, we only need to do the additional checks
if the user is an "admin". Modifies the existing code
and test to test/assert the admin role.

Closes-Bug: 2100520
Change-Id: Idfbf0f58c9976bedb60e1eca1dd282875c89977f
Julia Kreger
2025-02-27 08:08:03 -08:00
parent 1471984fc0
commit 1f5755ec12
3 changed files with 14 additions and 2 deletions

@@ -43,8 +43,11 @@ class NeutronNetwork(common.NeutronVIFPortIDMixin,
"""
# NOTE(TheJulia): These are the minimal networks needed for
# the neutron network interface to function.
self.get_cleaning_network_uuid(task)
self.get_provisioning_network_uuid(task)
if 'admin' in task.context.roles:
# NOTE(TheJulia): In a fully integrated environment, the user
# must be an admin to fully resolve networking details.
self.get_cleaning_network_uuid(task)
self.get_provisioning_network_uuid(task)
if (task.node.disable_power_off
and not CONF.neutron.allow_disabling_power_off):
raise exception.InvalidParameterValue(
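Review bot: the gate `if 'admin' in task.context.roles:` hard-codes a role name instead of going through the policy layer, so it is worth confirming whether a project-scoped admin of the node's owner project (which also carries the 'admin' role) can actually resolve networks that live in a different project, or whether the check should key on request scope or a policy rule rather than the literal role string. The non-admin path also falls through silently; a `LOG.debug` noting that cleaning/provisioning network resolution was skipped would make it visible in logs that validation for member users is now shallower, and that trade-off (configuration errors surface later, at clean/deploy time, rather than at validate) should be stated in the docstring above.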

@@ -87,6 +87,7 @@ class NeutronInterfaceTestCase(db_base.DbTestCase):
@mock.patch.object(neutron_common, 'validate_network', autospec=True)
def test_validate(self, validate_mock):
self.context.roles = ['admin', 'member', 'reader']
with task_manager.acquire(self.context, self.node.id) as task:
self.interface.validate(task)
# NOTE(TheJulia): This tests validates the calls are made.
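Review bot: only the positive path is covered here (roles contain 'admin'); the behaviour this change introduces, that `get_cleaning_network_uuid` and `get_provisioning_network_uuid` are not called for a non-admin context, has no test. Add a companion case with `self.context.roles = ['member', 'reader']` asserting those lookups are not invoked and that `validate` still succeeds. Minor: the comment `# NOTE(TheJulia): This tests validates the calls are made.` should read "This test validates".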

@@ -0,0 +1,8 @@
---
fixes:
- |
Fixes an issue with the ``neutron`` ``network_interface`` driver where
validate calls by ``member`` scoped API users, triggered through a port
update or explicit node interface validation action would fail due to
the user being unable to resolve provisioning or cleaning networks
because the networks are in a different project.
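Review bot: the note describes the symptom but not the new behaviour. Since validate now resolves the provisioning and cleaning networks only when the caller holds the admin role, a member-scoped validate no longer reports a missing or misconfigured cleaning/provisioning network; operators reading the release note should be told that explicitly. Also add a comma after "validation action" to close the clause opened by "triggered through".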