Merge "Update network external attribute for RBAC change"
commit
59e2c40f14
@ -169,6 +169,23 @@ class External_net_db_mixin(object):
|
|||||||
{extnet_apidef.EXTERNAL: True},
|
{extnet_apidef.EXTERNAL: True},
|
||||||
allow_all=False)
|
allow_all=False)
|
||||||
|
|
||||||
|
@registry.receives('rbac-policy', [events.AFTER_DELETE])
|
||||||
|
def _process_ext_policy_delete(self, resource, event, trigger, context,
|
||||||
|
object_type, policy, **kwargs):
|
||||||
|
if (object_type != 'network' or
|
||||||
|
policy['action'] != 'access_as_external'):
|
||||||
|
return
|
||||||
|
net_as_external = context.session.query(rbac_db.NetworkRBAC).filter(
|
||||||
|
rbac_db.NetworkRBAC.object_id == policy['object_id'],
|
||||||
|
rbac_db.NetworkRBAC.action == 'access_as_external').count()
|
||||||
|
# If the network still have rbac policies, we should not
|
||||||
|
# update external attribute.
|
||||||
|
if net_as_external:
|
||||||
|
return
|
||||||
|
net = self.get_network(context, policy['object_id'])
|
||||||
|
self._process_l3_update(context, net,
|
||||||
|
{extnet_apidef.EXTERNAL: False})
|
||||||
|
|
||||||
@registry.receives('rbac-policy', (events.BEFORE_UPDATE,
|
@registry.receives('rbac-policy', (events.BEFORE_UPDATE,
|
||||||
events.BEFORE_DELETE))
|
events.BEFORE_DELETE))
|
||||||
def _validate_ext_not_in_use_by_tenant(self, resource, event, trigger,
|
def _validate_ext_not_in_use_by_tenant(self, resource, event, trigger,
|
||||||
|
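Review bot: In `_process_ext_policy_delete` the `.count()` of remaining `access_as_external` rows and the later `_process_l3_update(..., {extnet_apidef.EXTERNAL: False})` are two separate steps, so a policy created for the same network in between could end up attached to a network that has just been marked non-external. The hunk shows no lock or re-check, and the flattened page does not show whether the caller's transaction covers both steps, so this is worth confirming. `get_network` and `_process_l3_update` also run after the policy row is already gone, and how a failure there is surfaced depends on how the registry treats AFTER_DELETE subscribers, which is not visible here. I would at least document the contract with a docstring such as `"""Clear the external attribute once the last access_as_external policy of a network has been deleted."""` and fix the comment wording to `# If the network still has RBAC policies, do not update the external attribute.`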
@ -94,6 +94,9 @@ class RbacPluginMixin(common_db_mixin.CommonDbMixin):
|
|||||||
details=ex)
|
details=ex)
|
||||||
with context.session.begin(subtransactions=True):
|
with context.session.begin(subtransactions=True):
|
||||||
context.session.delete(entry)
|
context.session.delete(entry)
|
||||||
|
registry.notify(RBAC_POLICY, events.AFTER_DELETE, self,
|
||||||
|
context=context, object_type=object_type,
|
||||||
|
policy=entry)
|
||||||
self.object_type_cache.pop(id, None)
|
self.object_type_cache.pop(id, None)
|
||||||
|
|
||||||
def _get_rbac_policy(self, context, id):
|
def _get_rbac_policy(self, context, id):
|
||||||
|
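Review bot: The new `registry.notify(RBAC_POLICY, events.AFTER_DELETE, ...)` call sits before `self.object_type_cache.pop(id, None)`, so if a subscriber error ever propagates out of `notify`, the cache keeps an entry for a policy that no longer exists. Moving the `pop` above the notification removes that dependency on subscriber behaviour. `policy=entry` also hands subscribers the ORM row that was just passed to `context.session.delete`, so a short comment such as `# entry is already deleted; subscribers must treat it as a read-only snapshot` would help. Indentation is lost on this page, so I cannot tell whether the notify runs inside the `with context.session.begin(...)` block; the enclosing method starts above the hunk.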
@ -87,6 +87,48 @@ class NetworkRbacTestcase(test_plugin.NeutronDbPluginV2TestCase):
|
|||||||
for k, v in policy['rbac_policy'].items():
|
for k, v in policy['rbac_policy'].items():
|
||||||
self.assertEqual(netrbac2[k], v)
|
self.assertEqual(netrbac2[k], v)
|
||||||
|
|
||||||
|
def test_delete_network_rbac_external(self):
|
||||||
|
with self.network() as ext_net:
|
||||||
|
net_id = ext_net['network']['id']
|
||||||
|
self._assert_external_net_state(net_id, is_external=False)
|
||||||
|
policy = self._make_networkrbac(ext_net,
|
||||||
|
'*',
|
||||||
|
'access_as_external')
|
||||||
|
net_rbac = self.plugin.create_rbac_policy(self.context, policy)
|
||||||
|
self._assert_external_net_state(net_id, is_external=True)
|
||||||
|
self.plugin.delete_rbac_policy(self.context, net_rbac['id'])
|
||||||
|
self._assert_external_net_state(net_id, is_external=False)
|
||||||
|
|
||||||
|
def test_delete_network_rbac_external_with_multi_rbac_policy(self):
|
||||||
|
with self.network() as ext_net:
|
||||||
|
net_id = ext_net['network']['id']
|
||||||
|
self._assert_external_net_state(net_id, is_external=False)
|
||||||
|
policy1 = self._make_networkrbac(ext_net,
|
||||||
|
'test-tenant-1',
|
||||||
|
'access_as_external')
|
||||||
|
net_rbac1 = self.plugin.create_rbac_policy(self.context, policy1)
|
||||||
|
self._assert_external_net_state(net_id, is_external=True)
|
||||||
|
policy2 = self._make_networkrbac(ext_net,
|
||||||
|
'test-tenant-2',
|
||||||
|
'access_as_external')
|
||||||
|
self.plugin.create_rbac_policy(self.context, policy2)
|
||||||
|
self._assert_external_net_state(net_id, is_external=True)
|
||||||
|
self.plugin.delete_rbac_policy(self.context, net_rbac1['id'])
|
||||||
|
self._assert_external_net_state(net_id, is_external=True)
|
||||||
|
|
||||||
|
def test_delete_external_network_shared_rbac(self):
|
||||||
|
with self.network() as ext_net:
|
||||||
|
net_id = ext_net['network']['id']
|
||||||
|
self.plugin.update_network(
|
||||||
|
self.context, net_id,
|
||||||
|
{'network': {'router:external': True}})
|
||||||
|
self._assert_external_net_state(net_id, is_external=True)
|
||||||
|
policy = self._make_networkrbac(ext_net, 'test-tenant-2')
|
||||||
|
net_rbac = self.plugin.create_rbac_policy(self.context, policy)
|
||||||
|
self.plugin.delete_rbac_policy(self.context, net_rbac['id'])
|
||||||
|
# Make sure that external attribute not changed.
|
||||||
|
self._assert_external_net_state(net_id, is_external=True)
|
||||||
|
|
||||||
def test_update_networkrbac_valid(self):
|
def test_update_networkrbac_valid(self):
|
||||||
orig_target = 'test-tenant-2'
|
orig_target = 'test-tenant-2'
|
||||||
new_target = 'test-tenant-3'
|
new_target = 'test-tenant-3'
|
||||||
|
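Review bot: `test_delete_network_rbac_external_with_multi_rbac_policy` deletes only the first of the two policies and asserts the network stays external, so it never exercises the transition back to non-external once the last policy is removed after several existed. Keeping the second result as `net_rbac2 = self.plugin.create_rbac_policy(self.context, policy2)` and ending the test with `self.plugin.delete_rbac_policy(self.context, net_rbac2['id'])` followed by `self._assert_external_net_state(net_id, is_external=False)` would pin that behaviour. Without it, a handler that never cleared the flag when more than one policy had existed would still pass this test.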