yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1531743] Re: ipsec site connection status is blocked on "DOWN"

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1531743@xxxxxxxxxxxxxxxxxx>
Date: Tue, 12 Jan 2016 15:38:29 -0000
Reply-to: Bug 1531743 <1531743@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/264712
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=d6a1c3cda8403a45dc08c6cedad31befedb2cd43
Submitter: Jenkins
Branch:    master

commit d6a1c3cda8403a45dc08c6cedad31befedb2cd43
Author: Sun Zhengnan <nnusun@xxxxxxxx>
Date:   Thu Jan 7 03:23:50 2016 -0500

    ipsec site connection status is blocked on "DOWN"
    
    when a normal tenant creates a ipsec-site-connection, it will report
    all the vpnservices status（including other tenant's resources, which
    status is changed but not reported by the looping call) on the same
    network node to the neutron-server.
    But the status report will be ignored, as it is another tenant.
    As a result, when the other tenant does a status update,
    it won't see the change.
    
    This change prevents a non-admin tenant from updating the internal
    status for a connections owned by other tenants and thereby preventing
    the other client from seeing the status change.
    
    Change-Id: I31b8ed1454a645b8c68c28feeeb628ddf5d1eebc
    Closes-Bug: #1531743


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1531743

Title:
  ipsec site connection status is blocked on "DOWN"

Status in neutron:
  Fix Released

Bug description:
  When I create two ipsec-site-connections as the following steps,
  the first ipsec-site-connection's status is blocked on "DOWN"
  the environment has only one network node.
  step1: use tenantA create ipsec-site-connection-A
  step2: use tenantB(not admin tenant)create  ipsec-site-connection-B

  After  ipsec-site-connection-B is created,  ipsec-site-connection-B's
  status becomes "ACTIVE" while  ipsec-site-connection-A's status
  is blocked on "DOWN"

  This can happen on the following condition too.
  environment A has only one network node.
  step1: use tenantA create ipsec-site-connection-A on environment A
  step2: use tenantB create ipsec-site-connection-B on environment B
  step3: before the neutron-vpn-agent's loopcall is executed on environment A
               use tenantC(not admin tenant) to create ipsec-site-connection-C
  After ipsec-site-connection-C is created,  ipsec-site-connection-A's status
  is blocked on "DOWN" and can not be changed by the neutron-vpn-agent's loopcall.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1531743/+subscriptions

References

[Bug 1531743] [NEW] ipsec site connection status is blocked on "DOWN"
From: sun, 2016-01-07