f5-openstack-lbaasv2-driver icon indicating copy to clipboard operation
f5-openstack-lbaasv2-driver copied to clipboard

Published 20 hours ago verified publisher icon F5Networks

Creating a Loadbalancer with the admin tenant without a explicit tenant_id failing community BVT test

Open jgruber opened this issue 8 years ago • 5 comments

Agent Version

9.2.0

Operating System

RHEL 7.3

OpenStack Release

Mitaka

Bug Severity

Severity: 5

Description

According to community BVT

  neutron_lbaas.tests.tempest.v2.api.test_load_balancers_admin.LoadBalancersTestJSON.test_create_load_balancer_missing_tenant_id_field_for_admin

when a loadbalacner is created by the admin tenant and no tenant_id is explicitly specified in the loadbalancer create call, the subnet_id should be interrogated and the tenant for the neutron subnet should be used for the loadblancer.

Deployment

Run neutron_lbaas.tests.tempest.v2.api.test_load_balancers_admin.LoadBalancersTestJSON.test_create_load_balancer_missing_tenant_id_field_for_admin

Errors in the /var/log/neutron/server.log on the controller:

  2017-02-27 15:22:32.195 32234 ERROR f5lbaasdriver.v2.bigip.service_builder [req-4dbd4d41-fe4f-4b27-89a6-cedacee7e680 93d38cf9fdcf4509945aad474b286f40 47303b67b68746c7812dae8a1adc494f - - -] Creating a loadbalancer 4840516d-31f3-4c88-830f-15a68d5c7815 for tenant 47303b67b68746c7812dae8a1adc494f on a  non-shared network baee7507-f604-4894-9c81-356597aefb69 owned by cc49c93a364f49509ccfc02f3a081a20
  2017-02-27 15:22:32.197 32234 ERROR f5lbaasdriver.v2.bigip.driver_v2 [req-4dbd4d41-fe4f-4b27-89a6-cedacee7e680 93d38cf9fdcf4509945aad474b286f40 47303b67b68746c7812dae8a1adc494f - - -] Exception: loadbalancer create: Tenant Id of network and loadbalancer mismatched

jgruber avatar Feb 27 '17 23:02 jgruber

Just a note.. I'm not sure the BVT test should work.

The use case to me that is important is the admin tenant can create a loadbalancer for a non-admin tenant with the loadbalancing subnet_id on a non-shared network owned by admin. This is the use case for letting a third party orchestration create a loadbalancer for a non-admin tenant with a loadbalancer on a public facing network.

jgruber avatar Feb 28 '17 00:02 jgruber

This scenario results in a loadbalancer in 'ERROR' state using the Octavia loadbalancer. Our driver should pass when the admin user creates a loadbalancer for a particular tenant provided the --tenant-id parameter matches the subnet ID.

richbrowne avatar Feb 28 '17 03:02 richbrowne

Ok, this does work on the Octavia driver. I was hitting an error in the number of loadbalancers I could create. On Octavia, I see a loadbalancer with the tenant id of the admin and a subnet tenant id of the tenant.

We need to be able to check that the user that is creating the loadbalancer is 'admin' or has admin privileges. I am not sure how the driver does this.

richbrowne avatar Feb 28 '17 03:02 richbrowne

@dflanigan @mattgreene Could you take a look this issue? If this is supported, then I can work on it next sprint, otherwise can we close it?

szakeri avatar May 15 '17 20:05 szakeri

This is a known limitation with the F5 product and will be addressed in a future release. Exclude from automated regression.

mattgreene avatar May 26 '17 19:05 mattgreene