Shared security groups

Registered by Mark Goddard

Originally reported as a bug: https://bugs.launchpad.net/nova/+bug/1943969

Description
===========
Nova does not support shared security groups for new virtual machines. This happens because Nova filters security groups by tenant ID when it resolves the groups requested for a server, so a group owned by another project and shared via Neutron RBAC is never returned: https://github.com/openstack/nova/blob/master/nova/network/neutron.py#L813

Steps to reproduce
==================

* create two projects, A and B
* in project A, create a security group in Neutron
* share the security group with project B via RBAC (https://docs.openstack.org/neutron/latest/admin/config-rbac.html#sharing-a-security-group-with-specific-projects)
* try to create a VM with this security group in project B
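
The following is an added example, not Nova's code and not the change linked below. It replays the reproduction steps against an in-memory stand-in for Neutron (the project names, group IDs and the `FakeNeutron` class are all constructed for the example) and contrasts a lookup scoped to the instance's own tenant, the behaviour the description attributes to Nova, with a lookup that leaves visibility to Neutron's RBAC enforcement. It also shows the caveat that comes with shared groups: once another project's group is visible, resolving by name can become ambiguous, so the example refuses to guess and asks for the UUID.

```python
from dataclasses import dataclass, field


class SecurityGroupNotFound(Exception):
    """Same name as the exception in the traceback; redefined here for the example."""


@dataclass
class FakeNeutron:
    """In-memory stand-in for the Neutron client (not the real client API).

    Neutron enforces RBAC server-side: a caller sees a security group if the
    caller's project owns it, or an access_as_shared RBAC entry targets that
    project. `as_project` stands in for the project in the caller's token.
    """
    groups: list = field(default_factory=list)  # dicts with id, name, project_id
    rbac: list = field(default_factory=list)    # (sg_id, target_project) pairs

    def share(self, sg_id, target_project):
        """Equivalent of 'openstack network rbac create --action access_as_shared'."""
        self.rbac.append((sg_id, target_project))

    def list_security_groups(self, as_project, **filters):
        visible = []
        for sg in self.groups:
            allowed = (sg['project_id'] == as_project
                       or (sg['id'], as_project) in self.rbac)
            if not allowed:
                continue
            # Query filters such as tenant_id= are applied on top of RBAC visibility,
            # which is why a tenant-scoped query silently drops shared groups.
            if filters.get('tenant_id') not in (None, sg['project_id']):
                continue
            visible.append(sg)
        return {'security_groups': visible}


def resolve_security_groups(neutron, project_id, requested, scope_to_tenant):
    """Map requested names or UUIDs to security group IDs.

    scope_to_tenant=True reproduces the lookup the report describes;
    scope_to_tenant=False lets Neutron's RBAC decide what the project may use.
    """
    filters = {'tenant_id': project_id} if scope_to_tenant else {}
    visible = neutron.list_security_groups(as_project=project_id, **filters)
    visible = visible['security_groups']
    by_id = {sg['id']: sg for sg in visible}
    by_name = {}
    for sg in visible:
        by_name.setdefault(sg['name'], []).append(sg)

    resolved = []
    for req in requested:
        if req in by_id:
            resolved.append(req)
            continue
        matches = by_name.get(req, [])
        if not matches:
            raise SecurityGroupNotFound(f"Security group {req} not found.")
        if len(matches) > 1:
            # Shared groups make names non-unique within a project's view; refuse to guess.
            raise ValueError(f"Security group name {req!r} is ambiguous; use its UUID.")
        resolved.append(matches[0]['id'])
    return resolved


def lookup_outcome(neutron, project_id, requested, scope_to_tenant):
    """Return the resolved IDs, or the error text, so outcomes compare easily."""
    try:
        return resolve_security_groups(neutron, project_id, requested, scope_to_tenant)
    except (SecurityGroupNotFound, ValueError) as exc:
        return str(exc)


def build_fake_neutron():
    """Steps 1-3 of the report with constructed IDs: project A owns a group and
    shares it with project B. Project B also owns a group with the same name,
    which is what makes name-based resolution ambiguous once sharing works."""
    neutron = FakeNeutron(groups=[
        {'id': 'sg-a-0001', 'name': 'web', 'project_id': 'project-a'},
        {'id': 'sg-b-0001', 'name': 'web', 'project_id': 'project-b'},
    ])
    neutron.share('sg-a-0001', 'project-b')
    return neutron


if __name__ == '__main__':
    neutron = build_fake_neutron()
    # Step 4: project B asks for the shared group by UUID.
    print('tenant-scoped lookup:',
          lookup_outcome(neutron, 'project-b', ['sg-a-0001'], scope_to_tenant=True))
    print('RBAC-aware lookup:   ',
          lookup_outcome(neutron, 'project-b', ['sg-a-0001'], scope_to_tenant=False))
    print('by name, RBAC-aware: ',
          lookup_outcome(neutron, 'project-b', ['web'], scope_to_tenant=False))
```

The point of the second lookup is that authorization for a shared group already lives in Neutron's RBAC table, so the client-side tenant filter adds no protection; it only hides groups the project is entitled to use. A project that has not been granted access (for example a third project) still gets `SecurityGroupNotFound` from the RBAC-aware lookup, because Neutron never returns the group to it.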

Expected result
===============

The VM should be created, since the security group is shared with this project.

Actual result
=============

The error in the logs:

Traceback (most recent call last):
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/compute/manager.py", line 2510, in _build_resources
    yield resources
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/compute/manager.py", line 2271, in _build_and_run_instance
    block_device_info=block_device_info)
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/virt/vmwareapi/driver.py", line 505, in spawn
    admin_password, network_info, block_device_info)
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/virt/vmwareapi/vmops.py", line 1175, in spawn
    vm_folder)
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/virt/vmwareapi/vmops.py", line 342, in build_virtual_machine
    vm_name=vm_name)
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/virt/vmwareapi/vmops.py", line 311, in _get_vm_config_spec
    network_info)
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/virt/vmwareapi/vif.py", line 187, in get_vif_info
    for vif in network_info:
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/network/model.py", line 585, in __iter__
    return self._sync_wrapper(fn, *args, **kwargs)
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/network/model.py", line 576, in _sync_wrapper
    self.wait()
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/network/model.py", line 608, in wait
    self[:] = self._gt.wait()
  File "/var/lib/kolla/venv/lib/python2.7/site-packages/eventlet/greenthread.py", line 175, in wait
    return self._exit_event.wait()
  File "/var/lib/kolla/venv/lib/python2.7/site-packages/eventlet/event.py", line 125, in wait
    current.throw(*self._exc)
  File "/var/lib/kolla/venv/lib/python2.7/site-packages/eventlet/greenthread.py", line 214, in main
    result = function(*args, **kwargs)
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/utils.py", line 828, in context_wrapper
    return func(*args, **kwargs)
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/compute/manager.py", line 1656, in _allocate_network_async
    six.reraise(*exc_info)
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/compute/manager.py", line 1639, in _allocate_network_async
    bind_host_id=bind_host_id)
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/network/neutronv2/api.py", line 1043, in allocate_for_instance
    instance, neutron, security_groups)
  File "/nova-base-source/nova-base-archive-stable-rocky-m3/nova/network/neutronv2/api.py", line 830, in _process_security_groups
    security_group_id=security_group)
SecurityGroupNotFound: Security group 0c649378-1cf8-48e0-9eb4-b72772c35a62 not found.

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: Mark Goddard
Direction: Needs approval
Assignee: None
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

Gerrit topic: https://review.opendev.org/#/q/topic:sg-shared-filter

Addressed by: https://review.opendev.org/c/openstack/nova/+/811521
    Support creating servers with RBAC SGs
