From 1f5755ec1211ec4511ee1fa1baf0245d86c61109 Mon Sep 17 00:00:00 2001
From: Julia Kreger
Date: Thu, 27 Feb 2025 08:08:03 -0800
Subject: [PATCH] Only try and do deep network config validate if admin
User mdfr reported an issue where a user with ironic, who had member privileges of the node's owner project, reported they would get an error about ironic being unable to validate the cleaning network when trying to bind a baremetal port to a portgroup. This is rooted in checks to provide early feedback of ironic configuration issues, which just work if a user is an admin scoped user... However the networking client utilizes the credentials from the task, meaning the credentials of the user with member access. That being said, we only need to do the additional checks if the user is an "admin". Modifies the existing code and test to test/assert the admin role.
Closes-Bug: 2100520
Change-Id: Idfbf0f58c9976bedb60e1eca1dd282875c89977f
---
 ironic/drivers/modules/network/neutron.py | 7 +++++--
 ironic/tests/unit/drivers/modules/network/test_neutron.py | 1 +
 ...r-user-access-around-port-update-86118701989d8a61.yaml | 8 ++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/fix-member-user-access-around-port-update-86118701989d8a61.yaml
diff --git a/ironic/drivers/modules/network/neutron.py b/ironic/drivers/modules/network/neutron.py
index 26cfd23c74..9bcd2c5937 100644
--- a/ironic/drivers/modules/network/neutron.py
+++ b/ironic/drivers/modules/network/neutron.py
@@ -43,8 +43,11 @@ class NeutronNetwork(common.NeutronVIFPortIDMixin,
 """
 # NOTE(TheJulia): These are the minimal networks needed for
 # the neutron network interface to function.
- self.get_cleaning_network_uuid(task)
- self.get_provisioning_network_uuid(task)
+ if 'admin' in task.context.roles:
+ # NOTE(TheJulia): In a fully integrated environment, the user
+ # must be an admin to fully resolve networking details.
+ self.get_cleaning_network_uuid(task)
+ self.get_provisioning_network_uuid(task)
 if (task.node.disable_power_off
 and not CONF.neutron.allow_disabling_power_off):
 raise exception.InvalidParameterValue(
diff --git a/ironic/tests/unit/drivers/modules/network/test_neutron.py b/ironic/tests/unit/drivers/modules/network/test_neutron.py
index d98c76eb59..b7a352d63d 100644
--- a/ironic/tests/unit/drivers/modules/network/test_neutron.py
+++ b/ironic/tests/unit/drivers/modules/network/test_neutron.py
@@ -87,6 +87,7 @@ class NeutronInterfaceTestCase(db_base.DbTestCase):
 @mock.patch.object(neutron_common, 'validate_network', autospec=True)
 def test_validate(self, validate_mock):
+ self.context.roles = ['admin', 'member', 'reader']
 with task_manager.acquire(self.context, self.node.id) as task:
 self.interface.validate(task)
 # NOTE(TheJulia): This tests validates the calls are made.
diff --git a/releasenotes/notes/fix-member-user-access-around-port-update-86118701989d8a61.yaml b/releasenotes/notes/fix-member-user-access-around-port-update-86118701989d8a61.yaml
new file mode 100644
index 0000000000..9d63f9af49
--- /dev/null
+++ b/releasenotes/notes/fix-member-user-access-around-port-update-86118701989d8a61.yaml
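Review bot: The new `if 'admin' in task.context.roles:` guard drops the cleaning and provisioning network lookups entirely for any caller without the `admin` role, so for those callers a misconfigured network is no longer reported at validate time and will instead surface later, during cleaning or deployment; the added NOTE should say that explicitly, e.g. `# NOTE: Non-admin callers skip these lookups; a bad cleaning or provisioning network then fails at clean/deploy time rather than here.`. A role-name test is also a weaker proxy than the commit message implies: it decides on the string `admin` rather than on whether the task's credentials can actually see the networks, so a project-scoped admin (if the deployment's policy grants one) would pass the check and could still hit the original error, while an internally built context that marks admin status without carrying an `admin` role string would silently skip validation — both worth confirming against how `task.context` is populated. The `validate` method begins before this hunk (line 43 is inside its docstring) and continues past it.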
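Review bot: The updated `test_validate` only pins the admin path; nothing asserts that a context without the `admin` role — the scenario in the bug report — skips the two network lookups and still passes validation, so a regression to the old behavior would go unnoticed. A companion test that sets `self.context.roles = ['member', 'reader']`, acquires the task the same way, and asserts that neither `get_cleaning_network_uuid` nor `get_provisioning_network_uuid` is invoked would lock in the fix. The added assignment would also read better with a one-line reason next to it, e.g. `# validate() only resolves the networks for admin callers`. The `test_validate` body continues past the end of the hunk.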
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Fixes an issue with the ``neutron`` ``network_interface`` driver where
+ validate calls by ``member`` scoped API users, triggered through a port
+ update or explicit node interface validation action would fail due to
+ the user being unable to resolve provisioning or cleaning networks
+ because the networks are in a different project.