Security groups: prevent race for default security group creation
authorGary Kotton <gkotton@vmware.com>
Mon, 22 Sep 2014 17:03:37 +0000 (10:03 -0700)
committerGary Kotton <gkotton@vmware.com>
Tue, 23 Sep 2014 08:55:54 +0000 (01:55 -0700)
When a VM is booted via Nova, the client connection is created
with an admin user. This causes problems when creating the neutron
port: there may be a race for the creation of the default
security group for the tenant.
The problem was introduced by commit acf44dba26ca8dca47bfb5fb2916807f9f4e2060

Change-Id: Ie0199c71231a322704f1f49995facde09c92da25
Closes-bug: #1372570

neutron/db/securitygroups_db.py
neutron/tests/unit/test_extension_security_group.py

index e10d29e6f324d561aba3f126f8caf7a3555376e3..23b5c80cb1136ce06855bb7cefd50cea7431dc10 100644 (file)
@@ -147,7 +147,12 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
         # because all the unit tests do not explicitly set the context on
         # GETS. TODO(arosen)  context handling can probably be improved here.
         if not default_sg and context.tenant_id:
-            self._ensure_default_security_group(context, context.tenant_id)
+            tenant_id = filters.get('tenant_id')
+            if tenant_id:
+                tenant_id = tenant_id[0]
+            else:
+                tenant_id = context.tenant_id
+            self._ensure_default_security_group(context, tenant_id)
         marker_obj = self._get_marker_obj(context, 'security_group', limit,
                                           marker)
         return self._get_collection(context,
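Review bot: The tenant id passed to `_ensure_default_security_group` now comes from the caller-supplied `filters['tenant_id']` with no check that the context may act for that tenant, so a list request could create a default group as a side effect for a tenant other than `context.tenant_id`. If the API layer does not already reject foreign tenant filters from non-admin callers (not visible here), restrict the override to admin contexts, e.g. `if tenant_id and context.is_admin:`. `filters.get` also assumes `filters` is a dict; the method signature is outside the hunk, so if it can default to None a `filters = filters or {}` is needed first. Only the first element of a multi-valued filter is used, which deserves a one-line comment.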
@@ -518,9 +523,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
             return
 
         port_sg = p.get(ext_sg.SECURITYGROUPS, [])
+        filters = {'id': port_sg}
+        tenant_id = p.get('tenant_id')
+        if tenant_id:
+            filters['tenant_id'] = [tenant_id]
         valid_groups = set(g['id'] for g in
                            self.get_security_groups(context, fields=['id'],
-                                                    filters={'id': port_sg}))
+                                                    filters=filters))
 
         requested_groups = set(port_sg)
         port_sg_missing = requested_groups - valid_groups
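Review bot: The added `tenant_id` filter changes more than the race: `valid_groups` is now limited to groups owned by the port's tenant, so an admin request that attaches another tenant's group to this port will presumably land in `port_sg_missing` and be rejected. That looks like the safer behaviour, but neither the commit message nor the code states it, so add a comment above the filter such as `# Scope the lookup to the port's tenant: the default group is created for, and requested groups are validated against, that tenant.` and consider a test for the cross-tenant case. The enclosing method begins and continues outside this hunk.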
index 478d4a31ddd20209d49ae5c1dbd3b75afa1d9c72..4f52ba08077aac162241033af7ef42a5fdfb89df 100644 (file)
@@ -573,6 +573,16 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
                         neutron_context=neutron_context).get('security_groups')
         self.assertEqual(len(sg), 1)
 
+    def test_security_group_port_create_creates_default_security_group(self):
+        res = self._create_network(self.fmt, 'net1', True,
+                                   tenant_id='not_admin',
+                                   set_context=True)
+        net1 = self.deserialize(self.fmt, res)
+        res = self._create_port(self.fmt, net1['network']['id'],
+                                tenant_id='not_admin', set_context=True)
+        sg = self._list('security-groups').get('security_groups')
+        self.assertEqual(len(sg), 1)
+
     def test_default_security_group_rules(self):
         with self.network():
             res = self.new_list_request('security-groups')
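Review bot: `test_security_group_port_create_creates_default_security_group` asserts only `len(sg) == 1`, which would presumably also pass if the default group were created for the wrong tenant, and it never checks that the port create itself succeeded. Pin ownership and the response after `_create_port`, e.g. `self.assertEqual(201, res.status_int)` and `self.assertEqual('not_admin', sg[0]['tenant_id'])`. A short docstring saying the port is created under a non-admin tenant context to reproduce the race from the bug would also help the next reader.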