Fix update target tenant RBAC external path
This fixes the logic to allow updates to wildcard RBAC external
policies. It was broken for two reasons: first, it was using the
wrong kwarg; second, it wasn't considering the target tenant when
determining if the policy was required.
This patch fixes both issues and adds an API test exercising the
update path.
Closes-Bug: #1577100
Change-Id: Id7441ab5c3f3667aa1cc48100286a2a9d480e201
(cherry picked from commit 89297919a7
)
parent
0c4218202c
commit
c98c866e8c
|
@ -220,8 +220,9 @@ class External_net_db_mixin(object):
|
|||
if (object_type != 'network' or
|
||||
policy['action'] != 'access_as_external'):
|
||||
return
|
||||
new_tenant = None
|
||||
if event == events.BEFORE_UPDATE:
|
||||
new_tenant = kwargs['policy_tenant']['target_tenant']
|
||||
new_tenant = kwargs['policy_update']['target_tenant']
|
||||
if new_tenant == policy['target_tenant']:
|
||||
# nothing to validate if the tenant didn't change
|
||||
return
|
||||
|
@ -259,6 +260,10 @@ class External_net_db_mixin(object):
|
|||
rbac.target_tenant != '*'))
|
||||
router = router.filter(
|
||||
~l3_db.Router.tenant_id.in_(tenants_with_entries))
|
||||
if new_tenant:
|
||||
# if this is an update we also need to ignore any router
|
||||
# interfaces that belong to the new target.
|
||||
router = router.filter(l3_db.Router.tenant_id != new_tenant)
|
||||
if router.count():
|
||||
msg = _("There are routers attached to this network that "
|
||||
"depend on this policy for access.")
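Review bot: The corrected lookup in the BEFORE_UPDATE branch, `new_tenant = kwargs['policy_update']['target_tenant']`, still indexes the update body directly, so an update notification that omits `target_tenant` would raise KeyError inside this validator instead of being treated as "tenant unchanged"; whether the API layer always supplies that key is not visible from this hunk. Consider `new_tenant = kwargs['policy_update'].get('target_tenant', policy['target_tenant'])`, which falls into the existing early return. In the second hunk, `if new_tenant:` relies on truthiness although `None` is the sentinel set above; `if new_tenant is not None:` states the intent. The enclosing method begins and ends outside both hunks.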
|
||||
|
|
|
@ -89,6 +89,21 @@ class ExternalNetworksRBACTestJSON(base.BaseAdminNetworkTest):
|
|||
object_id=net_id, action='access_as_external',
|
||||
target_tenant='*')['rbac_policies']))
|
||||
|
||||
@test.idempotent_id('a5539002-5bdb-48b5-b124-abcd12347865')
|
||||
def test_external_update_policy_from_wildcard_to_specific_tenant(self):
|
||||
net_id = self._create_network(external=True)['id']
|
||||
rbac_pol = self.admin_client.list_rbac_policies(
|
||||
object_id=net_id, action='access_as_external',
|
||||
target_tenant='*')['rbac_policies'][0]
|
||||
r = self.client2.create_router(
|
||||
data_utils.rand_name('router-'),
|
||||
external_gateway_info={'network_id': net_id})['router']
|
||||
self.addCleanup(self.admin_client.delete_router, r['id'])
|
||||
# changing wildcard to specific tenant should be okay since its the
|
||||
# only one using the network
|
||||
self.admin_client.update_rbac_policy(
|
||||
rbac_pol['id'], target_tenant=self.client2.tenant_id)
|
||||
|
||||
@test.idempotent_id('a5539002-5bdb-48b5-b124-e9eedd5975e6')
|
||||
def test_external_conversion_on_policy_create(self):
|
||||
net_id = self._create_network(external=False)['id']
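Review bot: test_external_update_policy_from_wildcard_to_specific_tenant exercises only the permitted case and asserts nothing after `update_rbac_policy` returns, so it passes as long as the call does not raise. Since the server-side change loosens a dependency check on an access policy, a companion case is worth adding in which a router owned by a tenant other than the new target is attached to the network and the same update is expected to be rejected; that would catch the new filter excluding too much. The test could also re-list the policies for `net_id` and assert that `target_tenant` is now `self.client2.tenant_id`. The idempotent id `a5539002-5bdb-48b5-b124-abcd12347865` looks hand-derived from the next test's id; a freshly generated UUID avoids accidental collisions.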
|
||||
|
|