Browse Source

revert "Ensure that only cloud admins are neutron admins"

We can't add constraints to admin role without consider
regressions. It happens that two tempest scenarios are now failling:

 tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_network_basic_ops
 tempest.scenario.test_server_multinode.TestServerMultinode.test_schedule_to_all_nodes

If admin wants to give role (even Admin role) to an user for a tenant,
the right way is to use keystone trust API.

Change-Id: I161ea7d1aec5e5784455b5bce4605b2f9143daa2
Related-Bug: #1830536
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
(cherry picked from commit 2ad425b1cd)
changes/57/683057/1
Sahid Orentino Ferdjaoui 2 years ago
committed by sahid
parent
commit
f33b6789ac
  1. 7
      hooks/neutron_api_hooks.py
  2. 7
      hooks/neutron_api_utils.py
  3. 2
      templates/queens/00-admin.json
  4. 2
      unit_tests/test_neutron_api_utils.py

7
hooks/neutron_api_hooks.py

@ -14,6 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
import os
import sys
import uuid
from subprocess import (
@ -65,6 +66,7 @@ from charmhelpers.contrib.openstack.utils import (
from neutron_api_utils import (
additional_install_locations,
ADMIN_POLICY,
API_PASTE_INI,
api_port,
assess_status,
@ -298,6 +300,11 @@ def config_changed():
configure_https()
update_nrpe_config()
infoblox_changed()
# This part can be removed for U.
if os.path.exists(ADMIN_POLICY):
# Clean 00-admin.json added for bug/1830536. At has been
# noticed that it creates regression.
os.remove(ADMIN_POLICY)
CONFIGS.write_all()
if packages_removed and not is_unit_paused_set():
log("Package purge detected, restarting services", "INFO")

7
hooks/neutron_api_utils.py

@ -462,13 +462,6 @@ def resource_map(release=None):
release = release or os_release('neutron-common')
resource_map = deepcopy(BASE_RESOURCE_MAP)
if CompareOpenStackReleases(release) >= 'queens':
resource_map[ADMIN_POLICY] = {
'contexts': [
neutron_api_context.IdentityServiceContext(
service='neutron',
service_user='neutron')],
'services': ['neutron-server']}
if CompareOpenStackReleases(release) >= 'liberty':
resource_map.update(LIBERTY_RESOURCE_MAP)

2
templates/queens/00-admin.json

@ -1,2 +0,0 @@
"is_service_project": "project_id:{{ service_project_id }} or domain_id:{{ service_domain_id }}"
"context_is_admin": "role:admin and (is_admin_project:True or rule:is_service_project)"

2
unit_tests/test_neutron_api_utils.py

@ -187,7 +187,7 @@ class TestNeutronAPIUtils(CharmTestCase):
_map = nutils.resource_map()
confs = [nutils.NEUTRON_CONF, nutils.NEUTRON_DEFAULT,
nutils.APACHE_CONF, nutils.NEUTRON_LBAAS_CONF,
nutils.NEUTRON_VPNAAS_CONF, nutils.ADMIN_POLICY]
nutils.NEUTRON_VPNAAS_CONF]
[self.assertIn(q_conf, _map.keys()) for q_conf in confs]
self.assertTrue(nutils.APACHE_24_CONF not in _map.keys())

Loading…
Cancel
Save