Allow non-admins to define "external" extra-routes

Currently non-admin users can create extra-routes when the nexthop is on
a router-interface subnet but not when it is on the external-network
subnet. Indeed, user permissions are used to get the router ports in order
to validate nexthops, but non-admin users don't "see" the router port on
its external network.

This change uses an elevated context instead of user context to enable
non-admins to create "external" extra-routes.

APIImpact
Closes-Bug: #1538767
Change-Id: I08b1d8586a4cd241a3589e8cb7151b77ab679124
Cedric Brandily 2016-01-27 23:58:18 +01:00
parent 3dec972fcd
commit 3d5d378769
3 changed files with 14 additions and 1 deletions


@ -104,7 +104,7 @@ class ExtraRoute_dbonly_mixin(l3_db.L3_NAT_dbonly_mixin):
quota=cfg.CONF.max_routes)
filters = {'device_id': [router_id]}
ports = self._core_plugin.get_ports(context, filters)
ports = self._core_plugin.get_ports(context.elevated(), filters)
cidrs = []
ips = []
for port in ports:
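Review bot: The `context.elevated()` passed to `get_ports` removes tenant scoping from the port query, and nothing visible in this hunk shows that `router_id` was already authorized against the caller's own context. The enclosing method starts and ends outside the hunk, so that check may well happen in a caller, but the assumption should be written down at the call site, e.g. `# Elevated only to read this router's ports (incl. the gateway port) for nexthop validation; router_id must already be authorized with the caller's context.` The returned ports feed `cidrs` and `ips`, so any error text built from them further down should not echo external-network subnets that the caller cannot list themselves.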


@ -81,6 +81,16 @@ class ExtraRouteDBTestCaseBase(object):
self._routes_update_cleanup(p['port']['id'],
None, r['router']['id'], [])
def test_route_update_with_external_route(self):
routes = [{'destination': '135.207.0.0/16', 'nexthop': '10.0.1.3'}]
with self.subnet(cidr='10.0.1.0/24') as ext_subnet:
self._set_net_external(ext_subnet['subnet']['network_id'])
ext_info = {'network_id': ext_subnet['subnet']['network_id']}
with self.router(external_gateway_info=ext_info) as r:
body = self._routes_update_prepare(
r['router']['id'], None, None, routes, skip_add=True)
self.assertEqual(routes, body['router']['routes'])
def test_route_clear_routes_with_None(self):
routes = [{'destination': '135.207.0.0/16',
'nexthop': '10.0.1.3'},
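Review bot: The new `test_route_update_with_external_route` does not visibly run the update as a non-admin tenant, so it may pass without exercising the permission path this commit changes. Whether `_routes_update_prepare` issues the request with a non-admin context cannot be seen from here. A companion case should perform the same update with a non-admin request context. A negative case should confirm that a tenant still cannot set routes on a router it does not own, now that the port lookup is elevated. A docstring such as `"""A nexthop on the router's external gateway subnet is accepted."""` would state the intent; the following `test_route_clear_routes_with_None` continues outside the hunk.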


@ -0,0 +1,3 @@
---
features:
- Allow non-admin users to define "external" extra-routes.