Fix default RBAC policy quota

The previous config value for the default RBAC policy was not in neutron.conf and value that was registered as a config option 'rbac_entry' didn't match the resource name 'rbac_policy' so the default did not take effect. This patch corrects it by registering the 'rbac_policy' option instead of 'rbac_entry' and documents it in neutron.conf. It also adds an API test that exercises the quota limit and ensures that it's not set to -1. Change-Id: I8c8d4bcfda808e376af94048fe5a98c68a2a975f Closes-Bug: #1522224 (cherry picked from commit 3f7fa1d646)
2015-12-02 17:55:01 -08:00 · 2015-12-02 17:55:01 -08:00 · 50373f1843
parent 5bb0b87e47
commit 50373f1843
3 changed files with 27 additions and 1 deletions
--- a/etc/neutron.conf
+++ b/etc/neutron.conf
@ -679,6 +679,10 @@
 # unlimited.
 # quota_firewall_rule = 100

+# Default number of RBAC entries allowed per tenant. A negative value means
+# unlimited.
+# quota_rbac_policy = 10
+
 [agent]
 # Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
 # root filter facility.
--- a/neutron/extensions/rbac.py
+++ b/neutron/extensions/rbac.py
@ -70,7 +70,8 @@ RESOURCE_ATTRIBUTE_MAP = {
 }

 rbac_quota_opts = [
-    cfg.IntOpt('quota_rbac_entry', default=10,
+    cfg.IntOpt('quota_rbac_policy', default=10,
+               deprecated_name='quota_rbac_entry',
               help=_('Default number of RBAC entries allowed per tenant. '
                      'A negative value means unlimited.'))
 ]
--- a/neutron/tests/api/admin/test_shared_network_extension.py
+++ b/neutron/tests/api/admin/test_shared_network_extension.py
@ -14,6 +14,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+import uuid
+
 from tempest_lib import exceptions as lib_exc
 import testtools

@ -358,6 +360,25 @@ class RBACSharedNetworksTest(base.BaseAdminNetworkTest):
                object_type='network', object_id=net['id'],
                action='access_as_shared', target_tenant=self.client.tenant_id)

+    @test.attr(type='smoke')
+    @test.idempotent_id('c5f8f785-ce8d-4430-af7e-a236205862fb')
+    def test_rbac_policy_quota(self):
+        if not test.is_extension_enabled('quotas', 'network'):
+            msg = "quotas extension not enabled."
+            raise self.skipException(msg)
+        quota = self.client.show_quotas(self.client.tenant_id)['quota']
+        max_policies = quota['rbac_policy']
+        self.assertGreater(max_policies, 0)
+        net = self.client.create_network(
+            name=data_utils.rand_name('test-network-'))['network']
+        self.addCleanup(self.client.delete_network, net['id'])
+        with testtools.ExpectedException(lib_exc.Conflict):
+            for i in range(0, max_policies + 1):
+                self.admin_client.create_rbac_policy(
+                    object_type='network', object_id=net['id'],
+                    action='access_as_shared',
+                    target_tenant=str(uuid.uuid4()).replace('-', ''))
+
    @test.attr(type='smoke')
    @test.idempotent_id('86c3529b-1231-40de-803c-afffffff7fff')
    def test_regular_client_blocked_from_sharing_with_wildcard(self):