Allow non-admins to define "external" extra-routes
Currently non-admin users can create extra-routes when the nexthop is on one of the router-interface subnets, but not when it is on the external-network subnet. The user's permissions are used to fetch the router ports in order to validate nexthops, but non-admin users do not "see" the router port on its external network. This change uses an elevated context instead of the user context to enable non-admins to create "external" extra-routes. APIImpact Closes-Bug: #1538767 Change-Id: I08b1d8586a4cd241a3589e8cb7151b77ab679124
parent
3dec972fcd
commit
3d5d378769
@ -104,7 +104,7 @@ class ExtraRoute_dbonly_mixin(l3_db.L3_NAT_dbonly_mixin):
|
||||
quota=cfg.CONF.max_routes)
|
||||
|
||||
filters = {'device_id': [router_id]}
|
||||
ports = self._core_plugin.get_ports(context, filters)
|
||||
ports = self._core_plugin.get_ports(context.elevated(), filters)
|
||||
cidrs = []
|
||||
ips = []
|
||||
for port in ports:
|
||||
|
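Review bot: The elevated `get_ports` call is no longer tenant-scoped, so the `device_id` filter on `router_id` is the only thing bounding which ports are read, and nothing visible in this hunk shows that `router_id` was already resolved under the caller's own context. The enclosing method starts and ends outside the hunk, so that check may well exist upstream of it; if it does, record the dependency next to the call, e.g. `# Elevated only so the gateway port is visible for nexthop validation; router_id must already be authorized under the caller's context.` It is also worth confirming that any validation error built from `cidrs`/`ips` further down does not echo external-subnet details back to the tenant; that code is outside this view.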
@ -81,6 +81,16 @@ class ExtraRouteDBTestCaseBase(object):
|
||||
self._routes_update_cleanup(p['port']['id'],
|
||||
None, r['router']['id'], [])
|
||||
|
||||
def test_route_update_with_external_route(self):
|
||||
routes = [{'destination': '135.207.0.0/16', 'nexthop': '10.0.1.3'}]
|
||||
with self.subnet(cidr='10.0.1.0/24') as ext_subnet:
|
||||
self._set_net_external(ext_subnet['subnet']['network_id'])
|
||||
ext_info = {'network_id': ext_subnet['subnet']['network_id']}
|
||||
with self.router(external_gateway_info=ext_info) as r:
|
||||
body = self._routes_update_prepare(
|
||||
r['router']['id'], None, None, routes, skip_add=True)
|
||||
self.assertEqual(routes, body['router']['routes'])
|
||||
|
||||
def test_route_clear_routes_with_None(self):
|
||||
routes = [{'destination': '135.207.0.0/16',
|
||||
'nexthop': '10.0.1.3'},
|
||||
|
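Review bot: `test_route_update_with_external_route` does not visibly issue the update as a non-admin tenant, so it may pass with or without the `context.elevated()` change if `_routes_update_prepare` defaults to an admin request (the helper is defined outside this hunk, so this is inferred). The test should send the update under a non-admin context owned by the router's tenant, and a companion negative case should assert that a different tenant still cannot set routes on this router, since the port lookup is now elevated. A one-line docstring such as `"""Non-admin owner can use a nexthop on the router's external subnet."""` would state the intent.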
@ -0,0 +1,3 @@
|
||||
---
|
||||
features:
|
||||
- Allow non-admin users to define "external" extra-routes.
|