Commit 0162f233 authored by David Johnson

Send provider:physical_network attr from get_networks if net is shared.

The default Neutron policy is that the provider:* attributes are only
sent on a get_networks() call if the caller is an admin.  Well, Capnet
needs that attribute so it knows which Capnet bridge to put a virtual
NIC into.  And it turns out that if a non-admin user adds a VM to an
admin-owned shared network, when Nova sets up the VM, it calls out to
Neutron to collect network info for the VM -- but it must be doing it as
the tenant user -- not with its admin powers.  Well, we have to know
this attribute... so we open up the policy a tiny bit to send the
provider:physical_network attribute if the network is a shared network.

So we override that default Neutron policy bit here.

This is really the wrong thing to do, I suppose, because it leaks
provider info through get_networks for shared networks.  But the
alternative is to make a secondary call in our Nova plugin to
get_networks() with admin creds, and that I don't have time for right

(The bit of our Nova plugin that requires this is in
compute_capnet/network/neutronv2/ .)
Nova agent collected the port's network info
parent 48420535
Pipeline #1236 skipped
......@@ -7,5 +7,7 @@
"get_capnet_workflow_agent": "rule:admin_or_owner or rule:shared",
"get_capnet_workflow_agents": "rule:admin_only or rule:shared",
"create_capnet_workflow_agent": "rule:admin_or_owner or rule:shared",
"delete_capnet_workflow_agent": "rule:admin_or_owner"
"delete_capnet_workflow_agent": "rule:admin_or_owner",
"get_network:provider:physical_network": "rule:admin_only or rule:shared"
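Review bot: The added "get_network:provider:physical_network" rule, set to "rule:admin_only or rule:shared", returns the provider physical network name to every tenant that can see a shared network, not only to the Nova call path that needs it; the commit message itself describes this as a leak. Prefer keeping the attribute admin-only and having the Nova plugin fetch it with admin credentials (the alternative named in the commit message), or gate it on a role held only by the service user rather than on rule:shared. If the broader rule stays, record the exposure and the reason wherever this policy file is documented, since JSON cannot carry a comment, and confirm that no other provider:* attribute is opened the same way; only physical_network is visible in this hunk.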