Query DB to get the tenant ID of the SG

There is a use case that as an admin user, people can just issue port-udpate command to set the SG even if that SG is from another tenant. In this use case, the tenant ID of the SG could be from any tenant so we have to do a DB query to get that. Change-Id: I8b52b049928f1a0b6db56749c02a13cab39a2f98
2018-02-07 16:15:00 -08:00 · 2018-02-07 16:15:00 -08:00 · 7337427275
parent 8cbadf3448
commit 7337427275
2 changed files with 32 additions and 9 deletions
--- a/gbpservice/neutron/services/grouppolicy/drivers/cisco/apic/aim_mapping_rpc.py
+++ b/gbpservice/neutron/services/grouppolicy/drivers/cisco/apic/aim_mapping_rpc.py
@ -15,6 +15,7 @@ from neutron.common import topics
 from neutron.db import api as db_api

 from neutron.db import db_base_plugin_common
+from neutron.db.models import securitygroup as sg_models
 from neutron.objects import base as objects_base
 from neutron.objects import trunk as trunk_objects
 from neutron.plugins.ml2 import rpc as ml2_rpc
@ -258,9 +259,14 @@ class AIMMappingRPCMixin(ha_ip_db.HAIPOwnerDbMixin):
            return
        details['security_group'] = []

-        tenant_aname = self.aim_mech_driver.name_mapper.project(
-            context.session, port['tenant_id'])
-        for sg_id in port['security_groups']:
+        port_sgs = (context.session.query(sg_models.SecurityGroup.id,
+                                          sg_models.SecurityGroup.tenant_id).
+                    filter(sg_models.SecurityGroup.id.
+                           in_(port['security_groups'])).
+                    all())
+        for sg_id, tenant_id in port_sgs:
+            tenant_aname = self.aim_mech_driver.name_mapper.project(
+                context.session, tenant_id)
            details['security_group'].append(
                {'policy-space': tenant_aname,
                 'name': sg_id})
--- a/gbpservice/neutron/tests/unit/services/grouppolicy/test_aim_mapping_driver.py
+++ b/gbpservice/neutron/tests/unit/services/grouppolicy/test_aim_mapping_driver.py
@ -27,10 +27,12 @@ from netaddr import IPSet
 from neutron.api.rpc.agentnotifiers import dhcp_rpc_agent_api
 from neutron.common import utils as n_utils
 from neutron.db import api as db_api
+from neutron.db.models import securitygroup as sg_models
 from neutron.extensions import dns
 from neutron.notifiers import nova
 from neutron.tests.unit.db import test_db_base_plugin_v2 as test_plugin
 from neutron.tests.unit.extensions import test_address_scope
+from neutron.tests.unit.extensions import test_securitygroup
 from neutron_lib.callbacks import registry
 from neutron_lib import constants as n_constants
 from neutron_lib import context as nctx
@ -2600,7 +2602,8 @@ class TestPolicyTargetGroupRollback(AIMBaseTestCase):
        self.dummy.delete_l3_policy_precommit = orig_func


-class TestPolicyTarget(AIMBaseTestCase):
+class TestPolicyTarget(AIMBaseTestCase,
+                       test_securitygroup.SecurityGroupsTestCase):

    def setUp(self, *args, **kwargs):
        super(TestPolicyTarget, self).setUp(*args, **kwargs)
@ -3092,6 +3095,16 @@ class TestPolicyTarget(AIMBaseTestCase):
            policy_target_group_id=ptg['id'])['policy_target']
        self._bind_port_to_host(pt2['port_id'], 'h1')

+        # As admin, create a SG in a different tenant then associate
+        # with the same port
+        sg = self._make_security_group(
+            self.fmt, 'sg_1', 'test',
+            tenant_id='test-tenant-2')['security_group']
+        port = self._plugin.get_port(self._context, pt2['port_id'])
+        port['security_groups'].append(sg['id'])
+        port = self._plugin.update_port(
+            self._context, port['id'], {'port': port})
+
        mapping = self.driver.get_gbp_details(
            self._neutron_admin_context, device='tap%s' % pt2['port_id'],
            host='h2')
@ -3104,13 +3117,17 @@ class TestPolicyTarget(AIMBaseTestCase):
            'uni:tn-t1:out-l2:instP-n2', '200.200.0.3', '200.200.0.1/16')
        self.assertEqual(1000, mapping['interface_mtu'])
        self.assertEqual(100, mapping['dhcp_lease_time'])
-
-        port = self._plugin.get_port(self._context, pt2['port_id'])
-        port_tenant = self.name_mapper.project(None, port['tenant_id'])
        sg_list = []
-        for sg_id in port['security_groups']:
+        ctx = nctx.get_admin_context()
+        port_sgs = (ctx.session.query(sg_models.SecurityGroup.id,
+                                      sg_models.SecurityGroup.tenant_id).
+                    filter(sg_models.SecurityGroup.id.
+                           in_(port['security_groups'])).
+                    all())
+        for sg_id, tenant_id in port_sgs:
+            sg_tenant = self.name_mapper.project(None, tenant_id)
            sg_list.append(
-                {'policy-space': port_tenant,
+                {'policy-space': sg_tenant,
                 'name': sg_id})
        sg_list.append({'policy-space': 'common',
                        'name': self.driver.aim_mech_driver.apic_system_id +