From f33b6789acac63ebb15e6a01a2a0c60e62d9d076 Mon Sep 17 00:00:00 2001 From: Sahid Orentino Ferdjaoui Date: Mon, 9 Sep 2019 07:32:10 +0000 Subject: [PATCH] revert "Ensure that only cloud admins are neutron admins" We can't add constraints to admin role without consider regressions. It happens that two tempest scenarios are now failling: tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_network_basic_ops tempest.scenario.test_server_multinode.TestServerMultinode.test_schedule_to_all_nodes If admin wants to give role (even Admin role) to an user for a tenant, the right way is to use keystone trust API. Change-Id: I161ea7d1aec5e5784455b5bce4605b2f9143daa2 Related-Bug: #1830536 Signed-off-by: Sahid Orentino Ferdjaoui (cherry picked from commit 2ad425b1cdd8093b40f4cd57ba59b0c3b4eb8e6a) --- hooks/neutron_api_hooks.py | 7 +++++++ hooks/neutron_api_utils.py | 7 ------- templates/queens/00-admin.json | 2 -- unit_tests/test_neutron_api_utils.py | 2 +- 4 files changed, 8 insertions(+), 10 deletions(-) delete mode 100644 templates/queens/00-admin.json diff --git a/hooks/neutron_api_hooks.py b/hooks/neutron_api_hooks.py index 36cc3d98..80ed42e2 100755 --- a/hooks/neutron_api_hooks.py +++ b/hooks/neutron_api_hooks.py @@ -14,6 +14,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +import os import sys import uuid from subprocess import ( @@ -65,6 +66,7 @@ from charmhelpers.contrib.openstack.utils import ( from neutron_api_utils import ( additional_install_locations, + ADMIN_POLICY, API_PASTE_INI, api_port, assess_status, @@ -298,6 +300,11 @@ def config_changed(): configure_https() update_nrpe_config() infoblox_changed() + # This part can be removed for U. + if os.path.exists(ADMIN_POLICY): + # Clean 00-admin.json added for bug/1830536. At has been + # noticed that it creates regression. + os.remove(ADMIN_POLICY) CONFIGS.write_all() if packages_removed and not is_unit_paused_set(): log("Package purge detected, restarting services", "INFO") diff --git a/hooks/neutron_api_utils.py b/hooks/neutron_api_utils.py index 7c33c8ba..c7fa202c 100755 --- a/hooks/neutron_api_utils.py +++ b/hooks/neutron_api_utils.py @@ -462,13 +462,6 @@ def resource_map(release=None): release = release or os_release('neutron-common') resource_map = deepcopy(BASE_RESOURCE_MAP) - if CompareOpenStackReleases(release) >= 'queens': - resource_map[ADMIN_POLICY] = { - 'contexts': [ - neutron_api_context.IdentityServiceContext( - service='neutron', - service_user='neutron')], - 'services': ['neutron-server']} if CompareOpenStackReleases(release) >= 'liberty': resource_map.update(LIBERTY_RESOURCE_MAP) diff --git a/templates/queens/00-admin.json b/templates/queens/00-admin.json deleted file mode 100644 index 3ebb1d46..00000000 --- a/templates/queens/00-admin.json +++ /dev/null @@ -1,2 +0,0 @@ -"is_service_project": "project_id:{{ service_project_id }} or domain_id:{{ service_domain_id }}" -"context_is_admin": "role:admin and (is_admin_project:True or rule:is_service_project)" diff --git a/unit_tests/test_neutron_api_utils.py b/unit_tests/test_neutron_api_utils.py index 3a7ccdb1..7d5466c5 100644 --- a/unit_tests/test_neutron_api_utils.py +++ b/unit_tests/test_neutron_api_utils.py @@ -187,7 +187,7 @@ class TestNeutronAPIUtils(CharmTestCase): _map = nutils.resource_map() confs = [nutils.NEUTRON_CONF, nutils.NEUTRON_DEFAULT, nutils.APACHE_CONF, nutils.NEUTRON_LBAAS_CONF, - nutils.NEUTRON_VPNAAS_CONF, nutils.ADMIN_POLICY] + nutils.NEUTRON_VPNAAS_CONF] [self.assertIn(q_conf, _map.keys()) for q_conf in confs] self.assertTrue(nutils.APACHE_24_CONF not in _map.keys())