diff --git a/ironic/common/neutron.py b/ironic/common/neutron.py
index df5b5bd7a8..aca98fee27 100644
--- a/ironic/common/neutron.py
+++ b/ironic/common/neutron.py
@@ -70,7 +70,11 @@ def get_client(token=None, context=None, auth_from_config=False):
 user_auth = None
 if (not auth_from_config and CONF.neutron.auth_type != 'none'
- and context.auth_token):
+ and context.auth_token and not context.system_scope):
+ # If we have a token, we *should* use the user's auth, however we
+ # can only do so *if* it is a project scoped request. If it is
+ # system scoped, we cannot leverage user auth data to make the next
+ # request.
 user_auth = keystone.get_service_auth(context, endpoint, service_auth)
 sess = keystone.get_session('neutron', timeout=CONF.neutron.timeout,
diff --git a/ironic/tests/unit/common/test_neutron.py b/ironic/tests/unit/common/test_neutron.py
index 7dc67ab329..a29a560a1a 100644
--- a/ironic/tests/unit/common/test_neutron.py
+++ b/ironic/tests/unit/common/test_neutron.py
@@ -75,6 +75,7 @@ class TestNeutronClient(base.TestCase):
 mock_auth, mock_sauth):
 mock_ctxt.return_value = ctxt = mock.Mock()
 ctxt.auth_token = 'test-token-123'
+ ctxt.system_scope = None
 neutron.get_client(token='test-token-123')
 mock_ctxt.assert_called_once_with(auth_token='test-token-123')
 mock_client_init.assert_called_once_with(oslo_conf=mock.ANY,
diff --git a/releasenotes/notes/fix-system-scope-triggered-clean-22ada9b920c08365.yaml b/releasenotes/notes/fix-system-scope-triggered-clean-22ada9b920c08365.yaml
new file mode 100644
index 0000000000..325d615eff
--- /dev/null
+++ b/releasenotes/notes/fix-system-scope-triggered-clean-22ada9b920c08365.yaml
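Review bot: The four new comment lines sit inside the `if` body, after the `not context.system_scope` test they explain, so a reader meets the new condition before its rationale; move them above the `if (` and close with what the fall-through actually does, e.g. `# A system-scoped request has no project, so it falls through to the [neutron] service credentials.` The condition itself reads correctly: a truthy `system_scope` leaves `user_auth` as `None`, and the `sess = keystone.get_session(...)` call presumably then selects the service auth, though its remaining arguments are past the hunk so that is inferred. Because Ironic's own service identity is used on the caller's behalf in that case, a one-line note in the code that this is intentional for system scope (the release note says it, the code does not) would help the next reader. get_client starts and ends outside this hunk.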
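Review bot: The added `ctxt.system_scope = None` only keeps the existing project-scoped case passing (an unset attribute on a bare `mock.Mock()` is truthy and would now skip the user-auth path), so nothing in this hunk exercises the new system-scoped branch of `get_client`. Add a sibling test that sets `ctxt.system_scope = 'all'` (the value oslo.context uses for system scope) and asserts the user-token path is bypassed, e.g. `mock_sauth.assert_not_called()` if `mock_sauth` patches `keystone.get_service_auth`, which the parameter name suggests but the hunk does not show. The test method's signature begins before this hunk.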
@@ -0,0 +1,12 @@
+---
+fixes:
+ - |
+ Fixes an issue where a System Scoped user could not trigger a node into
+ a ``manageable`` state with cleaning enabled, as the Neutron client would
+ attempt to utilize their user's token to create the Neutron port for the
+ cleaning operation, as designed. This is because with requests made in the
+ ``system`` scope, there is no associated project and the request fails.
+
+ Ironic now checks if the request has been made with a ``system`` scope,
+ and if so it utilizes the internal credential configuration to communicate
+ with Neutron.