What is happening is that when the admin creates a net-assoc without specifying the --tenant-id, the neutron framework will add the admin tenant id to the resource dict used to create the net-assoc.
The bgpvpn plugin checks that the tenant-id of the net-assoc is the same as the one of the bgpvpn and the one of the network. Since they are different, it returns a 403 exception.
So when the admin wants to create a net-assoc on behalf of a tenant, it has to explicitly specify the --tenant-id parameter. Otherwise it can send the command in the tenant context, as Thomas did previously.
Unfortunately, the neutron-client doesn't display the error message returned by the plugin. I leave the bug open to find a way to have a more explicit message for the end user.
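The behaviour described in the comment above, modelled as an added example; this is not code from neutron or the bgpvpn plugin. All function names, the message text and the sample tenants are assumptions made for illustration.

```python
# Simplified model; every name here is hypothetical, not neutron's own API.

class Forbidden(Exception):
    """Stands in for the 403 returned by the plugin."""
    status = 403


def prepare_body(context, body):
    """Framework step: default tenant_id to the caller's own tenant."""
    body = dict(body)
    body.setdefault("tenant_id", context["tenant_id"])
    return body


def create_net_assoc(context, body, bgpvpns, networks):
    """Plugin step: net-assoc, bgpvpn and network must share one tenant."""
    assoc = prepare_body(context, body)
    owners = {
        "bgpvpn": bgpvpns[assoc["bgpvpn_id"]],
        "network": networks[assoc["network_id"]],
    }
    for kind, owner in owners.items():
        if owner != assoc["tenant_id"]:
            # An explicit message of the kind the comment asks to surface.
            raise Forbidden("net-assoc tenant %s does not own %s (tenant %s)"
                            % (assoc["tenant_id"], kind, owner))
    return assoc


# Constructed sample data: one bgpvpn and one network owned by "t-demo".
BGPVPNS = {"vpn-1": "t-demo"}
NETWORKS = {"net-1": "t-demo"}
ADMIN = {"tenant_id": "t-admin"}
TENANT = {"tenant_id": "t-demo"}
REQUEST = {"bgpvpn_id": "vpn-1", "network_id": "net-1"}


def outcome(context, body):
    """Return (status, message): 201 on success, 403 plus reason on refusal."""
    try:
        create_net_assoc(context, body, BGPVPNS, NETWORKS)
        return 201, ""
    except Forbidden as exc:
        return exc.status, str(exc)


if __name__ == "__main__":
    print(outcome(ADMIN, REQUEST))                             # admin, no tenant_id
    print(outcome(ADMIN, dict(REQUEST, tenant_id="t-demo")))   # admin, explicit tenant_id
    print(outcome(TENANT, REQUEST))                            # tenant context
```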