Postpone heavy policy check for ports to later
When a port is validated, we check that the user is the owner of the corresponding network, among other things. Sadly, this check requires a plugin call to fetch the network, which goes straight to the database. Now, if there are multiple ports to validate with the current policy, and the user is not an admin, we fetch the network for each port, e.g. making list operations on ports scale badly. To avoid that, we should postpone OwnerCheck (tenant_id) based validations that rely on foreign keys, tenant_id:%(network:...)s, to as late as possible. This makes policy checks avoid hitting the database in some cases, like when a port is owned by the current user. Also added some unit tests to avoid later regressions: DbOperationBoundMixin now passes user context into API calls. It allows us to trigger policy engine checks when executing listing operations. Change-Id: I99e0c4280b06d8ebab0aa8adc497662c995133ad Closes-Bug: #1513782
parent
8d6ecd96fe
commit
9367801994
@ -4,7 +4,7 @@
"admin_or_owner": "rule:context_is_admin or rule:owner",
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc",
"context_is_advsvc": "role:advsvc",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_owner_or_network_owner": "rule:admin_or_network_owner or rule:owner",
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
"admin_only": "rule:context_is_admin",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"regular_user": "",
"shared": "field:networks:shared=True",
"shared": "field:networks:shared=True",
@ -60,30 +60,30 @@
"network_device": "field:port:device_owner=~^network:",
"network_device": "field:port:device_owner=~^network:",
"create_port": "",
"create_port": "",
"create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:binding:host_id": "rule:admin_only",
"create_port:binding:host_id": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only",
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
"get_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
"get_port:queue_id": "rule:admin_only",
"get_port:queue_id": "rule:admin_only",
"get_port:binding:vif_type": "rule:admin_only",
"get_port:binding:vif_type": "rule:admin_only",
"get_port:binding:vif_details": "rule:admin_only",
"get_port:binding:vif_details": "rule:admin_only",
"get_port:binding:host_id": "rule:admin_only",
"get_port:binding:host_id": "rule:admin_only",
"get_port:binding:profile": "rule:admin_only",
"get_port:binding:profile": "rule:admin_only",
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
"update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
"update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:binding:host_id": "rule:admin_only",
"update_port:binding:host_id": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only",
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
"delete_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
"get_router:ha": "rule:admin_only",
"get_router:ha": "rule:admin_only",
"create_router": "rule:regular_user",
"create_router": "rule:regular_user",
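Review bot: The reordered `or` chains (`admin_owner_or_network_owner`, `create_port:device_owner`, `get_port`, `delete_port` and the other `*_port:*` rules in this section) only avoid the per-port network fetch if the policy engine evaluates operands left to right and stops at the first match; the boolean result is the same either way, so nothing in this file records that the operand order is now load-bearing, and JSON cannot carry a comment. A later tidy-up that alphabetises or "simplifies" these rules would silently bring back the database round-trip for every listed port without any functional test noticing. Consider stating the requirement where policy.json is documented for developers, e.g. `# Within an "or" chain keep cheap context/owner checks (rule:owner, rule:context_is_advsvc) before any tenant_id:%(network:...)s check, which needs a plugin lookup`, and keeping a unit test that asserts a non-admin listing of self-owned ports performs no network fetch, which the DbOperationBoundMixin change described in the commit message appears to make possible. Note that `create_port:allowed_address_pairs` and `update_port:allowed_address_pairs` still resolve to `rule:admin_or_network_owner` alone, so those attribute checks keep the lookup for non-admins. The second rendered copy of this section below shows the same change and the same remark applies there.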
@ -4,7 +4,7 @@
"admin_or_owner": "rule:context_is_admin or rule:owner",
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc",
"context_is_advsvc": "role:advsvc",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_owner_or_network_owner": "rule:admin_or_network_owner or rule:owner",
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
"admin_only": "rule:context_is_admin",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"regular_user": "",
"shared": "field:networks:shared=True",
"shared": "field:networks:shared=True",
@ -60,30 +60,30 @@
"network_device": "field:port:device_owner=~^network:",
"network_device": "field:port:device_owner=~^network:",
"create_port": "",
"create_port": "",
"create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:binding:host_id": "rule:admin_only",
"create_port:binding:host_id": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only",
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
"get_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
"get_port:queue_id": "rule:admin_only",
"get_port:queue_id": "rule:admin_only",
"get_port:binding:vif_type": "rule:admin_only",
"get_port:binding:vif_type": "rule:admin_only",
"get_port:binding:vif_details": "rule:admin_only",
"get_port:binding:vif_details": "rule:admin_only",
"get_port:binding:host_id": "rule:admin_only",
"get_port:binding:host_id": "rule:admin_only",
"get_port:binding:profile": "rule:admin_only",
"get_port:binding:profile": "rule:admin_only",
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
"update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
"update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:binding:host_id": "rule:admin_only",
"update_port:binding:host_id": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only",
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
"delete_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
"get_router:ha": "rule:admin_only",
"get_router:ha": "rule:admin_only",
"create_router": "rule:regular_user",
"create_router": "rule:regular_user",