Merge "Use NetworkRBAC OVO in neutron/db/external_net_db.py"

2018-11-05 12:45:33 +00:00 · 2018-11-05 12:45:33 +00:00 · 5fcfa3d874
parent 0587824123 ea63c6ae40
commit 5fcfa3d874
2 changed files with 39 additions and 26 deletions
--- a/neutron/db/external_net_db.py
+++ b/neutron/db/external_net_db.py
@ -31,7 +31,6 @@ from neutron._i18n import _
 from neutron.db import _model_query as model_query
 from neutron.db import _resource_extend as resource_extend
 from neutron.db import models_v2
-from neutron.db import rbac_db_models as rbac_db
 from neutron.extensions import rbac as rbac_ext
 from neutron.objects import network as net_obj
 from neutron.objects import router as l3_obj
@ -98,9 +97,11 @@ class External_net_db_mixin(object):
        if external:
            net_obj.ExternalNetwork(
                context, network_id=net_data['id']).create()
-            context.session.add(rbac_db.NetworkRBAC(
-                  object_id=net_data['id'], action='access_as_external',
-                  target_tenant='*', tenant_id=net_data['tenant_id']))
+            net_rbac_args = {'project_id': net_data['tenant_id'],
+                             'object_id': net_data['id'],
+                             'action': 'access_as_external',
+                             'target_tenant': '*'}
+            net_obj.NetworkRBAC(context, **net_rbac_args).create()
        net_data[extnet_apidef.EXTERNAL] = external

    def _process_l3_update(self, context, net_data, req_data, allow_all=True):
@ -117,9 +118,11 @@ class External_net_db_mixin(object):
                context, network_id=net_id).create()
            net_data[extnet_apidef.EXTERNAL] = True
            if allow_all:
-                context.session.add(rbac_db.NetworkRBAC(
-                      object_id=net_id, action='access_as_external',
-                      target_tenant='*', tenant_id=net_data['tenant_id']))
+                net_rbac_args = {'project_id': net_data['tenant_id'],
+                                 'object_id': net_id,
+                                 'action': 'access_as_external',
+                                 'target_tenant': '*'}
+                net_obj.NetworkRBAC(context, **net_rbac_args).create()
        else:
            # must make sure we do not have any external gateway ports
            # (and thus, possible floating IPs) on this network before
@ -131,9 +134,8 @@ class External_net_db_mixin(object):

            net_obj.ExternalNetwork.delete_objects(
                context, network_id=net_id)
-            for rbdb in (context.session.query(rbac_db.NetworkRBAC).filter_by(
-                         object_id=net_id, action='access_as_external')):
-                context.session.delete(rbdb)
+            net_obj.NetworkRBAC.delete_objects(
+                    context, object_id=net_id, action='access_as_external')
            net_data[extnet_apidef.EXTERNAL] = False

    def _process_l3_delete(self, context, network_id):
@ -173,9 +175,8 @@ class External_net_db_mixin(object):
            return
        # If the network still have rbac policies, we should not
        # update external attribute.
-        if context.session.query(rbac_db.NetworkRBAC.object_id).filter(
-            rbac_db.NetworkRBAC.object_id == policy['object_id'],
-            rbac_db.NetworkRBAC.action == 'access_as_external').count():
+        if net_obj.NetworkRBAC.count(context, object_id=policy['object_id'],
+                                     action='access_as_external'):
            return
        net = self.get_network(context, policy['object_id'])
        self._process_l3_update(context, net,
@ -199,7 +200,6 @@ class External_net_db_mixin(object):
            device_owner=constants.DEVICE_OWNER_ROUTER_GW,
            network_id=policy['object_id'])
        gw_ports = [gw_port[0] for gw_port in gw_ports]
-        rbac = rbac_db.NetworkRBAC
        if policy['target_tenant'] != '*':
            filters = {
                'gw_port_id': gw_ports,
@ -207,10 +207,9 @@ class External_net_db_mixin(object):
            }
            # if there is a wildcard entry we can safely proceed without the
            # router lookup because they will have access either way
-            if context.session.query(rbac_db.NetworkRBAC.object_id).filter(
-                    rbac.object_id == policy['object_id'],
-                    rbac.action == 'access_as_external',
-                    rbac.target_tenant == '*').count():
+            if net_obj.NetworkRBAC.count(
+                    context, object_id=policy['object_id'],
+                    action='access_as_external', target_tenant='*'):
                return
            router_exist = l3_obj.Router.objects_exist(context, **filters)
        else:
@ -223,14 +222,11 @@ class External_net_db_mixin(object):
                        "everyone.")
                raise rbac_ext.RbacPolicyInUse(object_id=policy['object_id'],
                                               details=msg)
-            projects_with_entries = (
-                context.session.query(rbac.target_tenant).
-                filter(rbac.object_id == policy['object_id'],
-                       rbac.action == 'access_as_external',
-                       rbac.target_tenant != '*'))
-            projects_with_entries = [projects_with_entry[0]
-                                     for projects_with_entry
-                                     in projects_with_entries]
+            projects = net_obj.NetworkRBAC.get_projects(
+                context, object_id=policy['object_id'],
+                action='access_as_external')
+            projects_with_entries = [project for project in projects
+                                     if project != '*']
            if new_project:
                projects_with_entries.append(new_project)
            router_exist = l3_obj.Router.check_routers_not_owned_by_projects(
--- a/neutron/objects/network.py
+++ b/neutron/objects/network.py
@ -16,6 +16,7 @@ from neutron_lib.api.definitions import availability_zone as az_def
 from neutron_lib.api.validators import availability_zone as az_validator
 from oslo_utils import versionutils
 from oslo_versionedobjects import fields as obj_fields
+import sqlalchemy as sa

 from neutron.db.models import dns as dns_models
 from neutron.db.models import external_net as ext_net_model
@ -56,6 +57,22 @@ class NetworkRBAC(base.NeutronDbObject):
            for f in standard_fields:
                primitive.pop(f, None)

+    @classmethod
+    def get_projects(cls, context, object_id=None, action=None,
+                     target_tenant=None):
+        clauses = []
+        if object_id:
+            clauses.append(rbac_db_models.NetworkRBAC.object_id == object_id)
+        if action:
+            clauses.append(rbac_db_models.NetworkRBAC.action == action)
+        if target_tenant:
+            clauses.append(rbac_db_models.NetworkRBAC.target_tenant ==
+                           target_tenant)
+        query = context.session.query(rbac_db_models.NetworkRBAC.target_tenant)
+        if clauses:
+            query = query.filter(sa.and_(*clauses))
+        return [data[0] for data in query]
+

@base.NeutronObjectRegistry.register
 class NetworkDhcpAgentBinding(base.NeutronDbObject):