Perform policy checks only once on list responses
The policy engine is currently called for every attribute of every resource returned by a list response. This harms API performance; moreover, such a high number of checks is unnecessary. This patch therefore slightly changes the API logic so that a list response first determines, by querying the policy engine, the list of attributes which should be returned, and then uses this list for all resource items to be returned. To this end, a few methods in base.py needed to be refactored. This patch also removes the routine check_if_exists from policy.py and the related PolicyNotFound exception. Finally, this patch also removes unnecessary admin_or_owner rules when applied to attributes. This kind of rule has no effect anyway because of Neutron's ownership checks. The rules were removed because this change no longer allows attribute-level policies whose evaluation result depends on the resource value. Implements blueprint faster-list-responses Change-Id: I21b8273add5d5984f512ad94af5a99cf0b0a5d93
parent
1e05f1614a
commit
6b9eb27fdf
|
@ -47,7 +47,6 @@
|
|||
"create_port:port_security_enabled": "rule:admin_or_network_owner",
|
||||
"create_port:binding:host_id": "rule:admin_only",
|
||||
"create_port:binding:profile": "rule:admin_only",
|
||||
"create_port:binding:vnic_type": "rule:admin_or_owner",
|
||||
"create_port:mac_learning_enabled": "rule:admin_or_network_owner",
|
||||
"get_port": "rule:admin_or_owner",
|
||||
"get_port:queue_id": "rule:admin_only",
|
||||
|
@ -55,13 +54,11 @@
|
|||
"get_port:binding:vif_details": "rule:admin_only",
|
||||
"get_port:binding:host_id": "rule:admin_only",
|
||||
"get_port:binding:profile": "rule:admin_only",
|
||||
"get_port:binding:vnic_type": "rule:admin_or_owner",
|
||||
"update_port": "rule:admin_or_owner",
|
||||
"update_port:fixed_ips": "rule:admin_or_network_owner",
|
||||
"update_port:port_security_enabled": "rule:admin_or_network_owner",
|
||||
"update_port:binding:host_id": "rule:admin_only",
|
||||
"update_port:binding:profile": "rule:admin_only",
|
||||
"update_port:binding:vnic_type": "rule:admin_or_owner",
|
||||
"update_port:mac_learning_enabled": "rule:admin_or_network_owner",
|
||||
"delete_port": "rule:admin_or_owner",
|
||||
|
||||
|
@ -83,8 +80,6 @@
|
|||
|
||||
"create_firewall_rule": "",
|
||||
"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
|
||||
"create_firewall_rule:shared": "rule:admin_or_owner",
|
||||
"get_firewall_rule:shared": "rule:admin_or_owner",
|
||||
"update_firewall_rule": "rule:admin_or_owner",
|
||||
"delete_firewall_rule": "rule:admin_or_owner",
|
||||
|
||||
|
|
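Review bot: Nothing in this policy file, or in the part of the change visible here, tells an operator that attribute-level `get_*` rules are now decided once per list request instead of per item, so a customised policy.json that still carries a resource-dependent entry such as `"get_port:binding:vnic_type": "rule:admin_or_owner"` would have a single decision applied to every item in the response. The +/- markers are lost on this page; going by the description and the hunk counts, the dropped lines are the `admin_or_owner` attribute entries in the three hunks, and the `get_*` attribute rules that remain are all `rule:admin_only`, which does not depend on the resource. Since JSON cannot carry a comment, I would state the restriction in the release notes and have the policy loader log a warning when an attribute-level rule references a resource field; the policy.py side is not shown here, so whether it already does this needs confirming.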