revert "Ensure that only cloud admins are neutron admins"

We can't add constraints to admin role without consider regressions. It happens that two tempest scenarios are now failling: tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_network_basic_ops tempest.scenario.test_server_multinode.TestServerMultinode.test_schedule_to_all_nodes If admin wants to give role (even Admin role) to an user for a tenant, the right way is to use keystone trust API. Change-Id: I161ea7d1aec5e5784455b5bce4605b2f9143daa2 Related-Bug: #1830536 Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com> (cherry picked from commit 2ad425b1cd)
2019-09-09 07:32:10 +00:00 · 2019-09-09 07:32:10 +00:00 · f33b6789ac
parent ca19112f02
commit f33b6789ac
4 changed files with 8 additions and 10 deletions
--- a/hooks/neutron_api_hooks.py
+++ b/hooks/neutron_api_hooks.py
@ -14,6 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+import os
 import sys
 import uuid
 from subprocess import (
@ -65,6 +66,7 @@ from charmhelpers.contrib.openstack.utils import (

 from neutron_api_utils import (
    additional_install_locations,
+    ADMIN_POLICY,
    API_PASTE_INI,
    api_port,
    assess_status,
@ -298,6 +300,11 @@ def config_changed():
    configure_https()
    update_nrpe_config()
    infoblox_changed()
+    # This part can be removed for U.
+    if os.path.exists(ADMIN_POLICY):
+        # Clean 00-admin.json added for bug/1830536. At has been
+        # noticed that it creates regression.
+        os.remove(ADMIN_POLICY)
    CONFIGS.write_all()
    if packages_removed and not is_unit_paused_set():
        log("Package purge detected, restarting services", "INFO")
--- a/hooks/neutron_api_utils.py
+++ b/hooks/neutron_api_utils.py
@ -462,13 +462,6 @@ def resource_map(release=None):
    release = release or os_release('neutron-common')

    resource_map = deepcopy(BASE_RESOURCE_MAP)
-    if CompareOpenStackReleases(release) >= 'queens':
-        resource_map[ADMIN_POLICY] = {
-            'contexts': [
-                neutron_api_context.IdentityServiceContext(
-                    service='neutron',
-                    service_user='neutron')],
-            'services': ['neutron-server']}
    if CompareOpenStackReleases(release) >= 'liberty':
        resource_map.update(LIBERTY_RESOURCE_MAP)

--- a/templates/queens/00-admin.json
+++ b/templates/queens/00-admin.json
@ -1,2 +0,0 @@
-"is_service_project": "project_id:{{ service_project_id }} or domain_id:{{ service_domain_id }}"
-"context_is_admin": "role:admin and (is_admin_project:True or rule:is_service_project)"
--- a/unit_tests/test_neutron_api_utils.py
+++ b/unit_tests/test_neutron_api_utils.py
@ -187,7 +187,7 @@ class TestNeutronAPIUtils(CharmTestCase):
        _map = nutils.resource_map()
        confs = [nutils.NEUTRON_CONF, nutils.NEUTRON_DEFAULT,
                 nutils.APACHE_CONF, nutils.NEUTRON_LBAAS_CONF,
-                 nutils.NEUTRON_VPNAAS_CONF, nutils.ADMIN_POLICY]
+                 nutils.NEUTRON_VPNAAS_CONF]
        [self.assertIn(q_conf, _map.keys()) for q_conf in confs]
        self.assertTrue(nutils.APACHE_24_CONF not in _map.keys())