Remove unimplemented policy checks for Neutron

The dashboard is doing policy checks for Neutron that aren't even being done by Neutron itself. This fixes bug #1628141, which was caused by change-id I9f4e9209606999e5529e5ba068640d607b817f56, which was meant for Nova and not for Neutron. This change makes the policy checks for Nova secgroups only, if Neutron networking is not enabled. Neutron policy checks removed: * delete_security_group * create_security_group * update_security_group * get_security_group * create_security_group_rule * delete_security_group_rule Change-Id: I46b46fcd4cbc7c8e06f481eac9606c330fc75351 Closes-Bug: #1628141
2016-09-27 09:51:22 -05:00 · 2016-09-27 09:51:22 -05:00 · ed86badc42
parent a55a319af6
commit ed86badc42
1 changed files with 20 additions and 30 deletions
--- a/openstack_dashboard/dashboards/project/security_groups/tables.py
+++ b/openstack_dashboard/dashboards/project/security_groups/tables.py
@ -46,13 +46,10 @@ class DeleteGroup(policy.PolicyTargetMixin, tables.DeleteAction):

    def allowed(self, request, security_group=None):
        policy_target = self.get_policy_target(request, security_group)
-        if api.base.is_service_enabled(request, "network"):
-            policy_rules = (("network", "delete_security_group"),)
-        else:
+        if not api.base.is_service_enabled(request, "network"):
            policy_rules = (("compute", "compute_extension:security_groups"),)
-
-        if not policy.check(policy_rules, request, policy_target):
-            return False
+            if not policy.check(policy_rules, request, policy_target):
+                return False

        if not security_group:
            return True
@ -70,11 +67,6 @@ class CreateGroup(tables.LinkAction):
    icon = "plus"

    def allowed(self, request, security_group=None):
-        if api.base.is_service_enabled(request, "network"):
-            policy_rules = (("network", "create_security_group"),)
-        else:
-            policy_rules = (("compute", "compute_extension:security_groups"),)
-
        usages = quotas.tenant_quota_usages(request)
        if usages['security_groups'].get('available', 1) <= 0:
            if "disabled" not in self.classes:
@ -84,7 +76,11 @@ class CreateGroup(tables.LinkAction):
            self.verbose_name = _("Create Security Group")
            self.classes = [c for c in self.classes if c != "disabled"]

-        return policy.check(policy_rules, request, target={})
+        if not api.base.is_service_enabled(request, "network"):
+            policy_rules = (("compute", "compute_extension:security_groups"),)
+            return policy.check(policy_rules, request, target={})
+
+        return True


 class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):
@ -96,13 +92,10 @@ class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):

    def allowed(self, request, security_group=None):
        policy_target = self.get_policy_target(request, security_group)
-        if api.base.is_service_enabled(request, "network"):
-            policy_rules = (("network", "update_security_group"),)
-        else:
+        if not api.base.is_service_enabled(request, "network"):
            policy_rules = (("compute", "compute_extension:security_groups"),)
-
-        if not policy.check(policy_rules, request, policy_target):
-            return False
+            if not policy.check(policy_rules, request, policy_target):
+                return False

        if not security_group:
            return True
@ -117,12 +110,11 @@ class ManageRules(policy.PolicyTargetMixin, tables.LinkAction):

    def allowed(self, request, security_group=None):
        policy_target = self.get_policy_target(request, security_group)
-        if api.base.is_service_enabled(request, "network"):
-            policy_rules = (("network", "get_security_group"),)
-        else:
+        if not api.base.is_service_enabled(request, "network"):
            policy_rules = (("compute", "compute_extension:security_groups"),)
+            return policy.check(policy_rules, request, policy_target)

-        return policy.check(policy_rules, request, policy_target)
+        return True


 class SecurityGroupsFilterAction(tables.FilterAction):
@ -156,12 +148,11 @@ class CreateRule(tables.LinkAction):
    icon = "plus"

    def allowed(self, request, security_group_rule=None):
-        if api.base.is_service_enabled(request, "network"):
-            policy_rules = (("network", "create_security_group_rule"),)
-        else:
+        if not api.base.is_service_enabled(request, "network"):
            policy_rules = (("compute", "compute_extension:security_groups"),)
+            return policy.check(policy_rules, request, target={})

-        return policy.check(policy_rules, request, target={})
+        return True

    def get_link_url(self):
        return reverse(self.url, args=[self.table.kwargs['security_group_id']])
@ -185,12 +176,11 @@ class DeleteRule(tables.DeleteAction):
        )

    def allowed(self, request, security_group_rule=None):
-        if api.base.is_service_enabled(request, "network"):
-            policy_rules = (("network", "delete_security_group_rule"),)
-        else:
+        if not api.base.is_service_enabled(request, "network"):
            policy_rules = (("compute", "compute_extension:security_groups"),)
+            return policy.check(policy_rules, request, target={})

-        return policy.check(policy_rules, request, target={})
+        return True

    def delete(self, request, obj_id):
        api.network.security_group_rule_delete(request, obj_id)