From 3d5d378769f0715e3254ac00b6f091a6f9f6960b Mon Sep 17 00:00:00 2001
From: Cedric Brandily
Date: Wed, 27 Jan 2016 23:58:18 +0100
Subject: [PATCH] Allow non-admins to define "external" extra-routes

Currently non-admin users can create extra-routes when the nexthop is on router-interfaces subnets but not on external-network subnet. Indeed user permissions are used to get router ports in order to validate nexthops BUT non-admin users don't "see" router port on its external network. This change uses an elevated context instead of user context to enable non-admins to create "external" extra-routes.
APIImpact
Closes-Bug: #1538767
Change-Id: I08b1d8586a4cd241a3589e8cb7151b77ab679124
---
 neutron/db/extraroute_db.py | 2 +-
 neutron/tests/unit/extensions/test_extraroute.py | 10 ++++++++++
 ...-define-external-extra-routes-0d541fc356a5c546.yaml | 3 +++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/allow-non-admins-to-define-external-extra-routes-0d541fc356a5c546.yaml
diff --git a/neutron/db/extraroute_db.py b/neutron/db/extraroute_db.py
index 0f94810cb23..193308a3638 100644
--- a/neutron/db/extraroute_db.py
+++ b/neutron/db/extraroute_db.py
@@ -104,7 +104,7 @@ class ExtraRoute_dbonly_mixin(l3_db.L3_NAT_dbonly_mixin):
 quota=cfg.CONF.max_routes)

 filters = {'device_id': [router_id]}
- ports = self._core_plugin.get_ports(context, filters)
+ ports = self._core_plugin.get_ports(context.elevated(), filters)
 cidrs = []
 ips = []
 for port in ports:
diff --git a/neutron/tests/unit/extensions/test_extraroute.py b/neutron/tests/unit/extensions/test_extraroute.py
index 5405d56fee3..08cb7d1ae6d 100644
--- a/neutron/tests/unit/extensions/test_extraroute.py
+++ b/neutron/tests/unit/extensions/test_extraroute.py
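Review bot: In `neutron/db/extraroute_db.py`, the new `self._core_plugin.get_ports(context.elevated(), filters)` lookup bypasses tenant scoping, and nothing in this hunk shows that `router_id` was already authorised against the caller's own context. If that check happens upstream of this method (it starts and ends outside the hunk), state the dependency next to the call, e.g. `# Elevated only to see the gateway port for nexthop validation; router_id must already be authorised with the user's context.` The ports read this way should feed only the `cidrs`/`ips` nexthop check and never be returned or echoed in an error, since they can include ports the caller is not allowed to list.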
@@ -81,6 +81,16 @@ class ExtraRouteDBTestCaseBase(object): self._routes_update_cleanup(p['port']['id'], None, r['router']['id'], []) + def test_route_update_with_external_route(self): + routes = [{'destination': '135.207.0.0/16', 'nexthop': '10.0.1.3'}] + with self.subnet(cidr='10.0.1.0/24') as ext_subnet: + self._set_net_external(ext_subnet['subnet']['network_id']) + ext_info = {'network_id': ext_subnet['subnet']['network_id']} + with self.router(external_gateway_info=ext_info) as r: + body = self._routes_update_prepare( + r['router']['id'], None, None, routes, skip_add=True) + self.assertEqual(routes, body['router']['routes']) + def test_route_clear_routes_with_None(self): routes = [{'destination': '135.207.0.0/16', 'nexthop': '10.0.1.3'}, diff --git a/releasenotes/notes/allow-non-admins-to-define-external-extra-routes-0d541fc356a5c546.yaml b/releasenotes/notes/allow-non-admins-to-define-external-extra-routes-0d541fc356a5c546.yaml new file mode 100644 index 00000000000..71edea97bf0 --- /dev/null +++ b/releasenotes/notes/allow-non-admins-to-define-external-extra-routes-0d541fc356a5c546.yaml @@ -0,0 +1,3 @@ +--- +features: + - Allow non-admin users to define "external" extra-routes.
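Review bot: `test_route_update_with_external_route` never sets a non-admin request context, so if the `self.router(...)` and `_routes_update_prepare(...)` helpers default to an admin request (not visible in this hunk), the test would pass without the `context.elevated()` change and would not guard the behaviour this commit adds. The update should be issued as a regular tenant that owns the router. A companion negative case should assert that a tenant who does not own the router still cannot set routes on it now that the port lookup is elevated. A one-line docstring such as `"""Non-admin owner can route via a nexthop on the external subnet."""` would record the intent.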