Fix default RBAC policy quota
The previous config value for the default RBAC policy
was not in neutron.conf, and the value that was registered
as a config option, 'rbac_entry', didn't match the resource
name 'rbac_policy', so the default did not take effect.
This patch corrects it by registering the 'rbac_policy'
option instead of 'rbac_entry' and documents it in neutron.conf.
It also adds an API test that exercises the quota limit and
ensures that it's not set to -1.
Change-Id: I8c8d4bcfda808e376af94048fe5a98c68a2a975f
Closes-Bug: #1522224
(cherry picked from commit 3f7fa1d646
)
parent
5bb0b87e47
commit
50373f1843
|
@ -679,6 +679,10 @@
|
|||
# unlimited.
|
||||
# quota_firewall_rule = 100
|
||||
|
||||
# Default number of RBAC entries allowed per tenant. A negative value means
|
||||
# unlimited.
|
||||
# quota_rbac_policy = 10
|
||||
|
||||
[agent]
|
||||
# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
|
||||
# root filter facility.
|
||||
|
|
|
@ -70,7 +70,8 @@ RESOURCE_ATTRIBUTE_MAP = {
|
|||
}
|
||||
|
||||
rbac_quota_opts = [
|
||||
cfg.IntOpt('quota_rbac_entry', default=10,
|
||||
cfg.IntOpt('quota_rbac_policy', default=10,
|
||||
deprecated_name='quota_rbac_entry',
|
||||
help=_('Default number of RBAC entries allowed per tenant. '
|
||||
'A negative value means unlimited.'))
|
||||
]
|
||||
|
|
|
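Review bot: Registering `quota_rbac_policy` with `deprecated_name='quota_rbac_entry'` means a value operators set under the old name, which per the commit message never took effect, starts being enforced once this lands, and other deployments presumably move to the default of 10. That is the intended fix, but it changes behaviour on upgrade for tenants that already hold more RBAC policies than the new limit, so it deserves an upgrade note and a comment above the option, for example `# 'quota_rbac_entry' never matched the 'rbac_policy' resource, so it was not enforced before this rename`. The help text still says "RBAC entries", and `help=_('Default number of RBAC policies allowed per tenant. '` would match the option name.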
@ -14,6 +14,8 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import uuid
|
||||
|
||||
from tempest_lib import exceptions as lib_exc
|
||||
import testtools
|
||||
|
||||
|
@ -358,6 +360,25 @@ class RBACSharedNetworksTest(base.BaseAdminNetworkTest):
|
|||
object_type='network', object_id=net['id'],
|
||||
action='access_as_shared', target_tenant=self.client.tenant_id)
|
||||
|
||||
@test.attr(type='smoke')
|
||||
@test.idempotent_id('c5f8f785-ce8d-4430-af7e-a236205862fb')
|
||||
def test_rbac_policy_quota(self):
|
||||
if not test.is_extension_enabled('quotas', 'network'):
|
||||
msg = "quotas extension not enabled."
|
||||
raise self.skipException(msg)
|
||||
quota = self.client.show_quotas(self.client.tenant_id)['quota']
|
||||
max_policies = quota['rbac_policy']
|
||||
self.assertGreater(max_policies, 0)
|
||||
net = self.client.create_network(
|
||||
name=data_utils.rand_name('test-network-'))['network']
|
||||
self.addCleanup(self.client.delete_network, net['id'])
|
||||
with testtools.ExpectedException(lib_exc.Conflict):
|
||||
for i in range(0, max_policies + 1):
|
||||
self.admin_client.create_rbac_policy(
|
||||
object_type='network', object_id=net['id'],
|
||||
action='access_as_shared',
|
||||
target_tenant=str(uuid.uuid4()).replace('-', ''))
|
||||
|
||||
@test.attr(type='smoke')
|
||||
@test.idempotent_id('86c3529b-1231-40de-803c-afffffff7fff')
|
||||
def test_regular_client_blocked_from_sharing_with_wildcard(self):
|
||||
|
|
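Review bot: The `ExpectedException(lib_exc.Conflict)` block in `test_rbac_policy_quota` wraps the whole creation loop, so the test passes if any call is rejected, including the first, and does not show that `max_policies` requests are accepted before the quota refuses one. Since this quota is what bounds per-tenant RBAC entries, the test should run the first `max_policies` creations outside the context manager and expect `Conflict` only on the next one, as sketched below; that assumes no other policies count against the tenant at that point. The limit is also read for `self.client.tenant_id` while the policies are created through `self.admin_client`, so if those are different tenants the quota being exercised may not be the one that was read, which is worth confirming. The enclosing class `RBACSharedNetworksTest` starts and continues outside this hunk.

```python
        # … unchanged: extension check, quota lookup, assertGreater, network creation and cleanup …
        def share_with_new_tenant():
            self.admin_client.create_rbac_policy(
                object_type='network', object_id=net['id'],
                action='access_as_shared',
                target_tenant=str(uuid.uuid4()).replace('-', ''))

        # Every request up to the limit has to be accepted ...
        for _ in range(max_policies):
            share_with_new_tenant()
        # ... and only the request past the limit may be refused.
        with testtools.ExpectedException(lib_exc.Conflict):
            share_with_new_tenant()
```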