Fix update target tenant RBAC external path

This fixes the logic to allow updates to wildcard RBAC external policies. It was broken for two reasons: first, it was using the wrong kwarg, second, it wasn't considering the target tenant when determining if the policy was required. This patch fixes both issues and adds an API test exercising the update path. Closes-Bug: #1577100 Change-Id: Id7441ab5c3f3667aa1cc48100286a2a9d480e201 (cherry picked from commit 89297919a7)
2016-04-29 23:24:34 -07:00 · 2016-04-29 23:24:34 -07:00 · c98c866e8c
parent 0c4218202c
commit c98c866e8c
2 changed files with 21 additions and 1 deletions
--- a/neutron/db/external_net_db.py
+++ b/neutron/db/external_net_db.py
@ -220,8 +220,9 @@ class External_net_db_mixin(object):
        if (object_type != 'network' or
                policy['action'] != 'access_as_external'):
            return
+        new_tenant = None
        if event == events.BEFORE_UPDATE:
-            new_tenant = kwargs['policy_tenant']['target_tenant']
+            new_tenant = kwargs['policy_update']['target_tenant']
            if new_tenant == policy['target_tenant']:
                # nothing to validate if the tenant didn't change
                return
@ -259,6 +260,10 @@ class External_net_db_mixin(object):
                       rbac.target_tenant != '*'))
            router = router.filter(
                ~l3_db.Router.tenant_id.in_(tenants_with_entries))
+            if new_tenant:
+                # if this is an update we also need to ignore any router
+                # interfaces that belong to the new target.
+                router = router.filter(l3_db.Router.tenant_id != new_tenant)
        if router.count():
            msg = _("There are routers attached to this network that "
                    "depend on this policy for access.")
--- a/neutron/tests/api/admin/test_external_network_extension.py
+++ b/neutron/tests/api/admin/test_external_network_extension.py
@ -89,6 +89,21 @@ class ExternalNetworksRBACTestJSON(base.BaseAdminNetworkTest):
            object_id=net_id, action='access_as_external',
            target_tenant='*')['rbac_policies']))

+    @test.idempotent_id('a5539002-5bdb-48b5-b124-abcd12347865')
+    def test_external_update_policy_from_wildcard_to_specific_tenant(self):
+        net_id = self._create_network(external=True)['id']
+        rbac_pol = self.admin_client.list_rbac_policies(
+            object_id=net_id, action='access_as_external',
+            target_tenant='*')['rbac_policies'][0]
+        r = self.client2.create_router(
+            data_utils.rand_name('router-'),
+            external_gateway_info={'network_id': net_id})['router']
+        self.addCleanup(self.admin_client.delete_router, r['id'])
+        # changing wildcard to specific tenant should be okay since its the
+        # only one using the network
+        self.admin_client.update_rbac_policy(
+            rbac_pol['id'], target_tenant=self.client2.tenant_id)
+
    @test.idempotent_id('a5539002-5bdb-48b5-b124-e9eedd5975e6')
    def test_external_conversion_on_policy_create(self):
        net_id = self._create_network(external=False)['id']