From 3f7fa1d6468aea1f043d29291cb5427369b284d3 Mon Sep 17 00:00:00 2001
From: Kevin Benton
Date: Wed, 2 Dec 2015 17:55:01 -0800
Subject: [PATCH] Fix default RBAC policy quota

The previous config value for the default RBAC policy was not in neutron.conf and value that was registered as a config option 'rbac_entry' didn't match the resource name 'rbac_policy' so the default did not take effect. This patch corrects it by registering the 'rbac_policy' option instead of 'rbac_entry' and documents it in neutron.conf. It also adds an API test that exercises the quota limit and ensures that it's not set to -1.

Change-Id: I8c8d4bcfda808e376af94048fe5a98c68a2a975f
Closes-Bug: #1522224
---
 neutron/extensions/rbac.py | 3 ++-
 .../admin/test_shared_network_extension.py | 21 +++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/neutron/extensions/rbac.py b/neutron/extensions/rbac.py
index 23c9e775231..a96b82ad365 100644
--- a/neutron/extensions/rbac.py
+++ b/neutron/extensions/rbac.py
@@ -70,7 +70,8 @@ RESOURCE_ATTRIBUTE_MAP = {
 }
 
 rbac_quota_opts = [
- cfg.IntOpt('quota_rbac_entry', default=10,
+ cfg.IntOpt('quota_rbac_policy', default=10,
+ deprecated_name='quota_rbac_entry',
 help=_('Default number of RBAC entries allowed per tenant. '
 'A negative value means unlimited.'))
 ]
diff --git a/neutron/tests/api/admin/test_shared_network_extension.py b/neutron/tests/api/admin/test_shared_network_extension.py
index 13cee56e1e2..04f70285915 100644
--- a/neutron/tests/api/admin/test_shared_network_extension.py
+++ b/neutron/tests/api/admin/test_shared_network_extension.py
@@ -14,6 +14,8 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import uuid
+
 from tempest_lib import exceptions as lib_exc
 import testtools
 
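Review bot: The help string in `rbac_quota_opts` still says "RBAC entries" although the option and the quota key it feeds are now named `rbac_policy`; I would change it to `help=_('Default number of RBAC policies allowed per tenant. '` so operators can match the option to the resource it limits. Because `deprecated_name='quota_rbac_entry'` keeps the old name as an alias, a value set under the old name, which per the commit message never took effect, will presumably start being enforced after upgrade, and deployments that set nothing move from no effective limit to 10. That is the intended tightening of a per-tenant resource bound, but it deserves a release note so the new refusals are not mistaken for a regression.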
@@ -358,6 +360,25 @@ class RBACSharedNetworksTest(base.BaseAdminNetworkTest):
 object_type='network', object_id=net['id'],
 action='access_as_shared', target_tenant=self.client.tenant_id)
 
+ @test.attr(type='smoke')
+ @test.idempotent_id('c5f8f785-ce8d-4430-af7e-a236205862fb')
+ def test_rbac_policy_quota(self):
+ if not test.is_extension_enabled('quotas', 'network'):
+ msg = "quotas extension not enabled."
+ raise self.skipException(msg)
+ quota = self.client.show_quotas(self.client.tenant_id)['quota']
+ max_policies = quota['rbac_policy']
+ self.assertGreater(max_policies, 0)
+ net = self.client.create_network(
+ name=data_utils.rand_name('test-network-'))['network']
+ self.addCleanup(self.client.delete_network, net['id'])
+ with testtools.ExpectedException(lib_exc.Conflict):
+ for i in range(0, max_policies + 1):
+ self.admin_client.create_rbac_policy(
+ object_type='network', object_id=net['id'],
+ action='access_as_shared',
+ target_tenant=str(uuid.uuid4()).replace('-', ''))
+
 @test.attr(type='smoke')
 @test.idempotent_id('86c3529b-1231-40de-803c-afffffff7fff')
 def test_regular_client_blocked_from_sharing_with_wildcard(self):
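Review bot: In `test_rbac_policy_quota` the `testtools.ExpectedException(lib_exc.Conflict)` block wraps the whole loop, so a Conflict on the very first `create_rbac_policy` call also passes and the test never shows that any policy was accepted before the limit was hit. Counting successes, with `created = 0` before the block, `created += 1` after the call and `self.assertGreater(created, 0)` after the `with`, would pin that down without assuming the tenant starts with zero policies. The limit is read with `self.client.tenant_id` while the policies are created through `self.admin_client`; if those are different tenants (the client setup is outside the hunk) the loop is sized by one tenant's quota and counted against another's, which only holds while both use the default. `uuid.uuid4().hex` gives the same dash-free string as `str(uuid.uuid4()).replace('-', '')`.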