Security groups: prevent race for default security group creation

When a VM is booted via the Nova the client connection is created with an admin user. This causes problems when creating the neutron port. That is, there may be a race for the creation of the default security group for the tenant. The problem was introduced by commit acf44dba26 Change-Id: Ie0199c71231a322704f1f49995facde09c92da25 Closes-bug: #1372570
2014-09-22 10:03:37 -07:00 · 2014-09-22 10:03:37 -07:00 · 32ea2e349d
parent 9d5bd529cd
commit 32ea2e349d
2 changed files with 21 additions and 2 deletions
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@ -147,7 +147,12 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
        # because all the unit tests do not explicitly set the context on
        # GETS. TODO(arosen)  context handling can probably be improved here.
        if not default_sg and context.tenant_id:
-            self._ensure_default_security_group(context, context.tenant_id)
+            tenant_id = filters.get('tenant_id')
+            if tenant_id:
+                tenant_id = tenant_id[0]
+            else:
+                tenant_id = context.tenant_id
+            self._ensure_default_security_group(context, tenant_id)
        marker_obj = self._get_marker_obj(context, 'security_group', limit,
                                          marker)
        return self._get_collection(context,
@ -518,9 +523,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
            return

        port_sg = p.get(ext_sg.SECURITYGROUPS, [])
+        filters = {'id': port_sg}
+        tenant_id = p.get('tenant_id')
+        if tenant_id:
+            filters['tenant_id'] = [tenant_id]
        valid_groups = set(g['id'] for g in
                           self.get_security_groups(context, fields=['id'],
-                                                    filters={'id': port_sg}))
+                                                    filters=filters))

        requested_groups = set(port_sg)
        port_sg_missing = requested_groups - valid_groups
--- a/neutron/tests/unit/test_extension_security_group.py
+++ b/neutron/tests/unit/test_extension_security_group.py
@ -573,6 +573,16 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
                        neutron_context=neutron_context).get('security_groups')
        self.assertEqual(len(sg), 1)

+    def test_security_group_port_create_creates_default_security_group(self):
+        res = self._create_network(self.fmt, 'net1', True,
+                                   tenant_id='not_admin',
+                                   set_context=True)
+        net1 = self.deserialize(self.fmt, res)
+        res = self._create_port(self.fmt, net1['network']['id'],
+                                tenant_id='not_admin', set_context=True)
+        sg = self._list('security-groups').get('security_groups')
+        self.assertEqual(len(sg), 1)
+
    def test_default_security_group_rules(self):
        with self.network():
            res = self.new_list_request('security-groups')