yahoo-eng-team team mailing list archive
Message #88794
[Bug 1970383] Re: Segment-aware scheduling fails for non-admin users
Reviewed: https://review.opendev.org/c/openstack/nova/+/839361
Committed: https://opendev.org/openstack/nova/commit/ee32934f34afd8e6df467361e9d71788cd36f6ee
Submitter: "Zuul (22348)"
Branch: master
commit ee32934f34afd8e6df467361e9d71788cd36f6ee
Author: Andrew Bonney <andrew.bonney@xxxxxxxxx>
Date: Tue Apr 26 11:35:38 2022 +0100
Fix segment-aware scheduling permissions error

Resolves a bug encountered when setting the Nova scheduler to
be aware of Neutron routed provider network segments, by using
'query_placement_for_routed_network_aggregates'.

Non-admin users attempting to access the 'segment_id' attribute
of a subnet caused a traceback, resulting in instance creation
failure.

This patch ensures the Neutron client is initialised with an
administrative context no matter what the requesting user's
permissions are.

Change-Id: Ic0f25e4d2395560fc2b68f3b469e266ac59abaa2
Closes-Bug: #1970383
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1970383
Title:
Segment-aware scheduling fails for non-admin users
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Compute (nova) wallaby series:
New
Status in OpenStack Compute (nova) xena series:
New
Status in OpenStack Compute (nova) yoga series:
New
Bug description:
This is a follow-up to https://bugs.launchpad.net/nova/+bug/1967314
Having deployed the Nova scheduler configuration for routed provider
networks as follows (Xena deployment @
7df9379d6661233174d49fb7be8eda0828a5e5ca), this was found to resolve
issues around scheduling of instances to appropriate hypervisors, but
it appears to have surfaced a side effect.

    [scheduler]
    query_placement_for_routed_network_aggregates = True

When the above configuration is enabled, creation of new instances for
admin users works correctly, but for non-admin users against the same
networks results in the following error:
285768 ERROR oslo_messaging.rpc.server [req-79ca3cb3-eb52-4755-bba1-4c840c8ae5fc c35a1473225f422c90a6f75b25188bf2 d96f0cd70c6a4adbbbcf993502b264dc - default default] Exception during message handling: K>
285768 ERROR oslo_messaging.rpc.server Traceback (most recent call last):
285768 ERROR oslo_messaging.rpc.server File "/openstack/venvs/nova-24.0.0.0rc1/lib/python3.8/site-packages/oslo_messaging/rpc/server.py", line 165, in _process_incoming
285768 ERROR oslo_messaging.rpc.server res = self.dispatcher.dispatch(message)
285768 ERROR oslo_messaging.rpc.server File "/openstack/venvs/nova-24.0.0.0rc1/lib/python3.8/site-packages/oslo_messaging/rpc/dispatcher.py", line 309, in dispatch
285768 ERROR oslo_messaging.rpc.server return self._do_dispatch(endpoint, method, ctxt, args)
285768 ERROR oslo_messaging.rpc.server File "/openstack/venvs/nova-24.0.0.0rc1/lib/python3.8/site-packages/oslo_messaging/rpc/dispatcher.py", line 229, in _do_dispatch
285768 ERROR oslo_messaging.rpc.server result = func(ctxt, **new_args)
285768 ERROR oslo_messaging.rpc.server File "/openstack/venvs/nova-24.0.0.0rc1/lib/python3.8/site-packages/oslo_messaging/rpc/server.py", line 241, in inner
285768 ERROR oslo_messaging.rpc.server return func(*args, **kwargs)
285768 ERROR oslo_messaging.rpc.server File "/openstack/venvs/nova-24.0.0.0rc1/lib/python3.8/site-packages/nova/scheduler/manager.py", line 154, in select_destinations
285768 ERROR oslo_messaging.rpc.server request_filter.process_reqspec(context, spec_obj)
285768 ERROR oslo_messaging.rpc.server File "/openstack/venvs/nova-24.0.0.0rc1/lib/python3.8/site-packages/nova/scheduler/request_filter.py", line 387, in process_reqspec
285768 ERROR oslo_messaging.rpc.server filter(ctxt, request_spec)
285768 ERROR oslo_messaging.rpc.server File "/openstack/venvs/nova-24.0.0.0rc1/lib/python3.8/site-packages/nova/scheduler/request_filter.py", line 41, in wrapper
285768 ERROR oslo_messaging.rpc.server ran = fn(ctxt, request_spec)
285768 ERROR oslo_messaging.rpc.server File "/openstack/venvs/nova-24.0.0.0rc1/lib/python3.8/site-packages/nova/scheduler/request_filter.py", line 348, in routed_networks_filter
285768 ERROR oslo_messaging.rpc.server aggregates = utils.get_aggregates_for_routed_network(
285768 ERROR oslo_messaging.rpc.server File "/openstack/venvs/nova-24.0.0.0rc1/lib/python3.8/site-packages/nova/scheduler/utils.py", line 1406, in get_aggregates_for_routed_network
285768 ERROR oslo_messaging.rpc.server segment_ids = network_api.get_segment_ids_for_network(
285768 ERROR oslo_messaging.rpc.server File "/openstack/venvs/nova-24.0.0.0rc1/lib/python3.8/site-packages/nova/network/neutron.py", line 3721, in get_segment_ids_for_network
285768 ERROR oslo_messaging.rpc.server return [subnet['segment_id'] for subnet in subnets
285768 ERROR oslo_messaging.rpc.server File "/openstack/venvs/nova-24.0.0.0rc1/lib/python3.8/site-packages/nova/network/neutron.py", line 3722, in <listcomp>
285768 ERROR oslo_messaging.rpc.server if subnet['segment_id'] is not None]
285768 ERROR oslo_messaging.rpc.server KeyError: 'segment_id'
285768 ERROR oslo_messaging.rpc.server
It appears that the subnet dictionaries are returned empty from the
Neutron client library in this case, causing the KeyError.
As far as I can see, a matching command line request for 'openstack
subnet show X' as the same requesting user correctly includes the
'segment_id', but I don't know how similar this code path and the
permissions handling is.
I'd be happy to test out other requests or obtain additional logs if
useful.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1970383/+subscriptions
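
The failure and the fix described in this message, as an added example (not code from Nova, Neutron or the original report): a stub client that, by assumption, hides 'segment_id' from non-admin callers reproduces the empty subnet dictionaries and the KeyError, and the same lookup succeeds once the client is created with administrative rights. StubNeutronClient, get_client and the sample subnets are constructed for illustration.

```python
# Added illustration; stub names are hypothetical, not Nova or Neutron code.
ADMIN_ONLY_FIELDS = {"segment_id"}  # assumption: hidden from non-admin callers

# Constructed sample data: two subnets on one routed network.
SUBNETS = [
    {"id": "subnet-a", "network_id": "net-1", "segment_id": "seg-1"},
    {"id": "subnet-b", "network_id": "net-1", "segment_id": None},
]


class StubNeutronClient:
    """Stand-in for a Neutron client bound to a caller's privileges."""

    def __init__(self, is_admin):
        self.is_admin = is_admin

    def list_subnets(self, network_id, fields):
        rows = [s for s in SUBNETS if s["network_id"] == network_id]
        visible = set(fields)
        if not self.is_admin:
            visible -= ADMIN_ONLY_FIELDS  # field-level filtering by role
        return {"subnets": [{k: s[k] for k in visible} for s in rows]}


def get_client(user_is_admin, admin=False):
    """Hypothetical factory: admin=True ignores the requester's role."""
    return StubNeutronClient(is_admin=admin or user_is_admin)


def segment_ids_as_user(user_is_admin, network_id):
    """Pre-fix shape: the lookup runs with the requesting user's rights."""
    client = get_client(user_is_admin)
    subnets = client.list_subnets(network_id, fields=["segment_id"])["subnets"]
    # Same comprehension as in the traceback; raises KeyError on empty dicts.
    return [s["segment_id"] for s in subnets if s["segment_id"] is not None]


def segment_ids_as_service(user_is_admin, network_id):
    """Post-fix shape: the internal lookup always uses an admin client."""
    client = get_client(user_is_admin, admin=True)
    subnets = client.list_subnets(network_id, fields=["segment_id"])["subnets"]
    return [s["segment_id"] for s in subnets if s["segment_id"] is not None]
```

The elevated client serves only the scheduler's internal placement decision; the segment IDs it reads are not handed back to the requesting user.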