Enable users to list subnets on shared networks

Fixes bug 1039591 This patch will enable regular users to list subnets on a shared network by exposing the subnet's "shared" attribute to the policy engine, and letting it applying different rules if the subnet is shared or private. Change-Id: If204f1e352c114e16251586c743f5b7fe2d1ad7d
2012-08-21 08:26:24 -07:00 · 2012-08-21 08:26:24 -07:00 · 3dbaa356b9
parent b7f5f8e2fa
commit 3dbaa356b9
4 changed files with 34 additions and 2 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -13,8 +13,13 @@
    "networks:shared:read": [["rule:regular_user"]],
    "networks:shared:write": [["rule:admin_only"]],

+    "subnets:private:read": [["rule:admin_or_owner"]],
+    "subnets:private:write": [["rule:admin_or_owner"]],
+    "subnets:shared:read": [["rule:regular_user"]],
+    "subnets:shared:write": [["rule:admin_only"]],
+
    "create_subnet": [["rule:admin_or_network_owner"]],
-    "get_subnet": [["rule:admin_or_owner"]],
+    "get_subnet": [],
    "update_subnet": [["rule:admin_or_network_owner"]],
    "delete_subnet": [["rule:admin_or_network_owner"]],

--- a/quantum/api/v2/attributes.py
+++ b/quantum/api/v2/attributes.py
@ -278,7 +278,11 @@ RESOURCE_ATTRIBUTE_MAP = {
        SHARED: {'allow_post': False,
                 'allow_put': False,
                 'default': False,
-                 'is_visible': False},
+                 'convert_to': convert_to_boolean,
+                 'validate': {'type:boolean': None},
+                 'is_visible': False,
+                 'required_by_policy': True,
+                 'enforce_policy': True},
    }
 }

--- a/quantum/db/db_base_plugin_v2.py
+++ b/quantum/db/db_base_plugin_v2.py
@ -710,6 +710,7 @@ class QuantumDbPluginV2(quantum_plugin_base_v2.QuantumPluginBaseV2):
               'host_routes': [{'destination': route['destination'],
                                'nexthop': route['nexthop']}
                               for route in subnet['routes']],
+               'shared': subnet['shared']
               }
        if subnet['gateway_ip']:
            res['gateway_ip'] = subnet['gateway_ip']
--- a/quantum/tests/unit/test_db_plugin.py
+++ b/quantum/tests/unit/test_db_plugin.py
@ -1843,6 +1843,28 @@ class TestSubnetsV2(QuantumDbPluginV2TestCase):
                    self.assertEquals(res2['cidr'],
                                      subnet2['subnet']['cidr'])

+    def test_list_subnets_shared(self):
+        with self.network(shared=True) as network:
+            with self.subnet(network=network, cidr='10.0.0.0/24') as subnet:
+                with self.subnet(cidr='10.0.1.0/24') as priv_subnet:
+                    # normal user should see only 1 subnet
+                    req = self.new_list_request('subnets')
+                    req.environ['quantum.context'] = context.Context(
+                        '', 'some_tenant')
+                    res = self.deserialize('json',
+                                           req.get_response(self.api))
+                    self.assertEqual(len(res['subnets']), 1)
+                    self.assertEquals(res['subnets'][0]['cidr'],
+                                      subnet['subnet']['cidr'])
+                    # admin will see both subnets
+                    admin_req = self.new_list_request('subnets')
+                    admin_res = self.deserialize(
+                        'json', admin_req.get_response(self.api))
+                    self.assertEqual(len(admin_res['subnets']), 2)
+                    cidrs = [sub['cidr'] for sub in admin_res['subnets']]
+                    self.assertIn(subnet['subnet']['cidr'], cidrs)
+                    self.assertIn(priv_subnet['subnet']['cidr'], cidrs)
+
    def test_list_subnets_with_parameter(self):
        # NOTE(jkoelker) This would be a good place to use contextlib.nested
        #                or just drop 2.6 support ;)