Get subnets of router interfaces with an elevated context.

Fixes bug 1057558

A router may have interfaces owned by other tenants (by admin operations).
An elevated context is required to get subnet information for such interfaces.

Change-Id: Iaf24c842c2c1e3c52573e7f9831d5f6d8fc01885

diff --git a/quantum/db/l3_db.py b/quantum/db/l3_db.py
index 59f0197c4a497c056b6ad69031e4947d021a858c..8b78bf1e2c358e1fec248df4899e8c059b6707a6 100644 (file)
--- a/quantum/db/l3_db.py
+++ b/quantum/db/l3_db.py
@@ -262,7 +262,8 @@ class L3_NAT_db_mixin(l3.RouterPluginBase):
                         msg = ("Router already has a port on subnet %s"
                                % subnet_id)
                         raise q_exc.BadRequest(resource='router', msg=msg)
-                    cidr = self._get_subnet(context, ip['subnet_id'])['cidr']
+                    cidr = self._get_subnet(context.elevated(),
+                                            ip['subnet_id'])['cidr']
                     ipnet = netaddr.IPNetwork(cidr)
                     match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
                     match2 = netaddr.all_matching_cidrs(ipnet, [new_cidr])

diff --git a/quantum/tests/unit/test_l3_plugin.py b/quantum/tests/unit/test_l3_plugin.py
index 81251036989f9f6824bb571458f326b87a78681c..c404992560f59301f29ee15eab3ff09249ecf9fb 100644 (file)
--- a/quantum/tests/unit/test_l3_plugin.py
+++ b/quantum/tests/unit/test_l3_plugin.py
@@ -426,6 +426,46 @@ class L3NatDBTestCase(test_db_plugin.QuantumDbPluginV2TestCase):
                                                              s['subnet']['id'],
                                                              None)
 
+    def test_router_add_interface_subnet_with_port_from_other_tenant(self):
+        tenant_id = _uuid()
+        other_tenant_id = _uuid()
+        tenant_context = context.Context(user_id=None, tenant_id=tenant_id)
+        admin_context = context.get_admin_context()
+        with mock.patch('quantum.context.Context') as ctx:
+            ctx.return_value = admin_context
+            with contextlib.nested(
+                self.router(tenant_id=tenant_id),
+                self.network(tenant_id=tenant_id),
+                self.network(tenant_id=other_tenant_id)) as (r, n1, n2):
+                with contextlib.nested(
+                    self.subnet(network=n1, cidr='10.0.0.0/24'),
+                    self.subnet(network=n2, cidr='10.1.0.0/24')) as (s1, s2):
+                        ctx.return_value = admin_context
+                        body = self._router_interface_action(
+                            'add',
+                            r['router']['id'],
+                            s2['subnet']['id'],
+                            None)
+                        self.assertTrue('port_id' in body)
+                        ctx.return_value = tenant_context
+                        self._router_interface_action(
+                            'add',
+                            r['router']['id'],
+                            s1['subnet']['id'],
+                            None)
+                        self.assertTrue('port_id' in body)
+                        self._router_interface_action(
+                            'remove',
+                            r['router']['id'],
+                            s1['subnet']['id'],
+                            None)
+                        ctx.return_value = admin_context
+                        body = self._router_interface_action(
+                            'remove',
+                            r['router']['id'],
+                            s2['subnet']['id'],
+                            None)
+
     def test_router_add_interface_port(self):
         with self.router() as r:
             with self.port(no_delete=True) as p: