Reviewed: https://review.opendev.org/710090 Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=046672247de56bad950e8267a57bd26205f354a0 Submitter: Zuul Branch: master
commit 046672247de56bad950e8267a57bd26205f354a0 Author: Rodolfo Alonso Hernandez <ralon...@redhat.com> Date: Wed Feb 26 10:39:19 2020 +0000 Fix queries to retrieve allocations with network_segment_range Fixed the queries to retrieve the segment ID allocations when service plugin network_segment_range is enabled. With the previous implementation, a project user was able to allocate a segment ID belonging to other project segment range. The solution implemented was discussed in [1]: - A project user will retrieve segments from the project ranges. - When depleted, the segment IDs will be retrieved from the shared range, never using another project segment ID. [1]http://lists.openstack.org/pipermail/openstack-discuss/2020-February/012736.html Change-Id: I953062d9ee8ee5ee9a9f07aff4a8222ac63ed525 Closes-Bug: #1863423 ** Changed in: neutron Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1863423 Title: Method "build_segment_queries_for_tenant_and_shared_ranges" returning empty query Status in neutron: Fix Released Bug description: Method "build_segment_queries_for_tenant_and_shared_ranges" returns two queries: - One for those network segment ranges matching the project_id - One for those network segment ranges shared (no project_id, but available for everyone) The first one, if "project_id" is not present in the filter variable, returns an empty list: https://github.com/openstack/neutron/blob/6a8277d70ee28ae6fcb68a75634eb508d4e6952a/neutron/plugins/ml2/drivers/helpers.py#L117 The returned queries are used in "allocate_partially_specified_segment": https://github.com/openstack/neutron/blob/6a8277d70ee28ae6fcb68a75634eb508d4e6952a/neutron/plugins/ml2/drivers/helpers.py#L197-L200 If the first object is not a query but an empty list, the code will fail. UPDATE: I've found some other issues related to this feature that should be addressed in order to have a healthy functionality. Those issues were found during the implementation of [1] This service plugin creates, when the drivers are initialized (one per segmentation type: VLAN, VXLAN, GRE or Geneve), a default segment range not assigned to any project, with the min/max values defined statically in the neutron plugin config ("network_vlan_ranges", "vni_ranges", etc). Then the administrator can create segment ranges for project. Those segment ranges do not overlap among them but can overlap with the default range. When a network is created, the method "SegmentTypeDriver.allocate_partially_specified_segment" selects a segmentation ID from both the segment ranges assigned to the project AND the shared range. That means: - When the the segment ranges are depleted, the project user can always receive a segmentation from the default group. Why is then this feature needed? - In this case, the user can have assigned a segmentation ID belonging to other project (this segmentation can fall under the interval defined in other segment range). There is no check for this. - The tests implemented in [2] rely on the current buggy implementation of this method. Currently this new feature does not perform what is intended to do. [1] https://review.opendev.org/708027 [2] https://github.com/openstack/neutron-tempest-plugin/blob/b7e0eef8de92f6a70c16c879f6a9a20377e82882/neutron_tempest_plugin/api/admin/test_network_segment_range.py#L91 To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1863423/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp