openstack/charm-neutron-api
Code Issues Proposed changes

revert "Ensure that only cloud admins are neutron admins"

Browse Source 
We can't add constraints to admin role without consider
regressions. It happens that two tempest scenarios are now failling:

 tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_network_basic_ops
 tempest.scenario.test_server_multinode.TestServerMultinode.test_schedule_to_all_nodes

If admin wants to give role (even Admin role) to an user for a tenant,
the right way is to use keystone trust API.

Change-Id: I161ea7d1aec5e5784455b5bce4605b2f9143daa2
Related-Bug: #1830536
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
This commit is contained in:
Sahid Orentino Ferdjaoui 2019-09-09 07:32:10 +00:00 committed by sahid
parent fdb611d9c1
commit 2ad425b1cd
4 changed files with 8 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
hooks/neutron_api_hooks.py
View File

@ -14,6 +14,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
import os
import sys import sys
import uuid import uuid
from subprocess import ( from subprocess import (
@ -65,6 +66,7 @@ from charmhelpers.contrib.openstack.utils import (
from neutron_api_utils import ( from neutron_api_utils import (
additional_install_locations, additional_install_locations,
ADMIN_POLICY,
API_PASTE_INI, API_PASTE_INI,
api_port, api_port,
assess_status, assess_status,
@ -298,6 +300,11 @@ def config_changed():
configure_https() configure_https()
update_nrpe_config() update_nrpe_config()
infoblox_changed() infoblox_changed()
# This part can be removed for U.
if os.path.exists(ADMIN_POLICY):
# Clean 00-admin.json added for bug/1830536. At has been
# noticed that it creates regression.
os.remove(ADMIN_POLICY)
CONFIGS.write_all() CONFIGS.write_all()
if packages_removed and not is_unit_paused_set(): if packages_removed and not is_unit_paused_set():
log("Package purge detected, restarting services", "INFO") log("Package purge detected, restarting services", "INFO")

7
hooks/neutron_api_utils.py
View File

@ -462,13 +462,6 @@ def resource_map(release=None):
release = release or os_release('neutron-common') release = release or os_release('neutron-common')
resource_map = deepcopy(BASE_RESOURCE_MAP) resource_map = deepcopy(BASE_RESOURCE_MAP)
if CompareOpenStackReleases(release) >= 'queens':
resource_map[ADMIN_POLICY] = {
'contexts': [
neutron_api_context.IdentityServiceContext(
service='neutron',
service_user='neutron')],
'services': ['neutron-server']}
if CompareOpenStackReleases(release) >= 'liberty': if CompareOpenStackReleases(release) >= 'liberty':
resource_map.update(LIBERTY_RESOURCE_MAP) resource_map.update(LIBERTY_RESOURCE_MAP)

2
templates/queens/00-admin.json
View File

@ -1,2 +0,0 @@
"is_service_project": "project_id:{{ service_project_id }} or domain_id:{{ service_domain_id }}"
"context_is_admin": "role:admin and (is_admin_project:True or rule:is_service_project)"

2
unit_tests/test_neutron_api_utils.py
View File

@ -187,7 +187,7 @@ class TestNeutronAPIUtils(CharmTestCase):
_map = nutils.resource_map() _map = nutils.resource_map()
confs = [nutils.NEUTRON_CONF, nutils.NEUTRON_DEFAULT, confs = [nutils.NEUTRON_CONF, nutils.NEUTRON_DEFAULT,
nutils.APACHE_CONF, nutils.NEUTRON_LBAAS_CONF, nutils.APACHE_CONF, nutils.NEUTRON_LBAAS_CONF,
nutils.NEUTRON_VPNAAS_CONF, nutils.ADMIN_POLICY] nutils.NEUTRON_VPNAAS_CONF]
[self.assertIn(q_conf, _map.keys()) for q_conf in confs] [self.assertIn(q_conf, _map.keys()) for q_conf in confs]
self.assertTrue(nutils.APACHE_24_CONF not in _map.keys()) self.assertTrue(nutils.APACHE_24_CONF not in _map.keys())