Fix segment-aware scheduling permissions error

Resolves a bug encountered when setting the Nova scheduler to
be aware of Neutron routed provider network segments, by using
'query_placement_for_routed_network_aggregates'.

Non-admin users attempting to access the 'segment_id' attribute
of a subnet caused a traceback, resulting in instance creation
failure.

This patch ensures the Neutron client is initialised with an
administrative context no matter what the requesting user's
permissions are.

Change-Id: Ic0f25e4d2395560fc2b68f3b469e266ac59abaa2
Closes-Bug: #1970383
(cherry picked from commit ee32934)
(cherry picked from commit 60548e8)
(cherry picked from commit 28f94eb)

Author: andrewbonney

nova/network/neutron.py

@@ -3567,7 +3567,7 @@ def get_segment_ids_for_network(
         if not self._has_segment_extension(context):
             return []
 
-        client = get_client(context)
+        client = get_client(context, admin=True)
         try:
             # NOTE(sbauza): We can't use list_segments() directly because the
             # API is borked and returns both segments but also segmentation IDs
@@ -3597,7 +3597,7 @@ def get_segment_id_for_subnet(
         if not self._has_segment_extension(context):
             return None
 
-        client = get_client(context)
+        client = get_client(context, admin=True)
         try:
             subnet = client.show_subnet(subnet_id)['subnet']
         except neutron_client_exc.NeutronClientException as e:

nova/tests/unit/network/test_neutron.py

@@ -6323,6 +6323,7 @@ def test_get_segment_ids_for_network_passes(self, mock_client):
             res = self.api.get_segment_ids_for_network(
                 self.context, uuids.network_id)
         self.assertEqual([uuids.segment_id], res)
+        mock_client.assert_called_once_with(self.context, admin=True)
         mocked_client.list_subnets.assert_called_once_with(
             network_id=uuids.network_id, fields='segment_id')
 
@@ -6338,6 +6339,7 @@ def test_get_segment_ids_for_network_with_no_segments(self, mock_client):
             res = self.api.get_segment_ids_for_network(
                 self.context, uuids.network_id)
         self.assertEqual([], res)
+        mock_client.assert_called_once_with(self.context, admin=True)
         mocked_client.list_subnets.assert_called_once_with(
             network_id=uuids.network_id, fields='segment_id')
 
@@ -6353,6 +6355,7 @@ def test_get_segment_ids_for_network_fails(self, mock_client):
             self.assertRaises(exception.InvalidRoutedNetworkConfiguration,
                               self.api.get_segment_ids_for_network,
                               self.context, uuids.network_id)
+            mock_client.assert_called_once_with(self.context, admin=True)
 
     def test_get_segment_id_for_subnet_no_segment_ext(self):
         with mock.patch.object(
@@ -6374,6 +6377,7 @@ def test_get_segment_id_for_subnet_passes(self, mock_client):
             res = self.api.get_segment_id_for_subnet(
                 self.context, uuids.subnet_id)
         self.assertEqual(uuids.segment_id, res)
+        mock_client.assert_called_once_with(self.context, admin=True)
         mocked_client.show_subnet.assert_called_once_with(uuids.subnet_id)
 
     @mock.patch.object(neutronapi, 'get_client')
@@ -6388,6 +6392,7 @@ def test_get_segment_id_for_subnet_with_no_segment(self, mock_client):
             self.assertIsNone(
                 self.api.get_segment_id_for_subnet(self.context,
                                                    uuids.subnet_id))
+            mock_client.assert_called_once_with(self.context, admin=True)
 
     @mock.patch.object(neutronapi, 'get_client')
     def test_get_segment_id_for_subnet_fails(self, mock_client):
@@ -6401,6 +6406,7 @@ def test_get_segment_id_for_subnet_fails(self, mock_client):
             self.assertRaises(exception.InvalidRoutedNetworkConfiguration,
                               self.api.get_segment_id_for_subnet,
                               self.context, uuids.subnet_id)
+            mock_client.assert_called_once_with(self.context, admin=True)
 
     @mock.patch.object(neutronapi.LOG, 'debug')
     def test_get_port_pci_slot(self, mock_debug):

releasenotes/notes/bug-1970383-segment-scheduling-permissions-92ba907b10a9eb1c.yaml

@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    `Bug #1970383 <https://bugs.launchpad.net/nova/+bug/1970383>`_: Fixes a
+    permissions error when using the
+    'query_placement_for_routed_network_aggregates' scheduler variable, which
+    caused a traceback on instance creation for non-admin users.