Fix default RBAC policy quota
The previous config value for the default RBAC policy was not in neutron.conf, and the value that was registered as a config option, 'rbac_entry', didn't match the resource name 'rbac_policy', so the default did not take effect. This patch corrects it by registering the 'rbac_policy' option instead of 'rbac_entry' and documents it in neutron.conf. It also adds an API test that exercises the quota limit and ensures that it's not set to -1. Change-Id: I8c8d4bcfda808e376af94048fe5a98c68a2a975f Closes-Bug: #1522224
parent
a8a0c619de
commit
3f7fa1d646
|
@ -70,7 +70,8 @@ RESOURCE_ATTRIBUTE_MAP = {
|
|||
}
|
||||
|
||||
rbac_quota_opts = [
|
||||
cfg.IntOpt('quota_rbac_entry', default=10,
|
||||
cfg.IntOpt('quota_rbac_policy', default=10,
|
||||
deprecated_name='quota_rbac_entry',
|
||||
help=_('Default number of RBAC entries allowed per tenant. '
|
||||
'A negative value means unlimited.'))
|
||||
]
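Review bot: The help string on `quota_rbac_policy` still speaks of "RBAC entries", the name this change retires; `help=_('Default number of RBAC policies allowed per tenant. '` would match the option and the `rbac_policy` resource. According to the commit description the old default never took effect, so once this option is registered an upgrade starts enforcing a limit of 10 (or an operator's existing `quota_rbac_entry` value, picked up through `deprecated_name`) on tenants that were effectively unlimited. That presumably leaves existing policies in place but refuses new ones for tenants already over the limit, and a release note should say so. The definition of `rbac_quota_opts` is complete in the hunk, but where the list is registered lies outside it.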
|
||||
|
|
|
@ -14,6 +14,8 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import uuid
|
||||
|
||||
from tempest_lib import exceptions as lib_exc
|
||||
import testtools
|
||||
|
||||
|
@ -358,6 +360,25 @@ class RBACSharedNetworksTest(base.BaseAdminNetworkTest):
|
|||
object_type='network', object_id=net['id'],
|
||||
action='access_as_shared', target_tenant=self.client.tenant_id)
|
||||
|
||||
@test.attr(type='smoke')
|
||||
@test.idempotent_id('c5f8f785-ce8d-4430-af7e-a236205862fb')
|
||||
def test_rbac_policy_quota(self):
|
||||
if not test.is_extension_enabled('quotas', 'network'):
|
||||
msg = "quotas extension not enabled."
|
||||
raise self.skipException(msg)
|
||||
quota = self.client.show_quotas(self.client.tenant_id)['quota']
|
||||
max_policies = quota['rbac_policy']
|
||||
self.assertGreater(max_policies, 0)
|
||||
net = self.client.create_network(
|
||||
name=data_utils.rand_name('test-network-'))['network']
|
||||
self.addCleanup(self.client.delete_network, net['id'])
|
||||
with testtools.ExpectedException(lib_exc.Conflict):
|
||||
for i in range(0, max_policies + 1):
|
||||
self.admin_client.create_rbac_policy(
|
||||
object_type='network', object_id=net['id'],
|
||||
action='access_as_shared',
|
||||
target_tenant=str(uuid.uuid4()).replace('-', ''))
|
||||
|
||||
@test.attr(type='smoke')
|
||||
@test.idempotent_id('86c3529b-1231-40de-803c-afffffff7fff')
|
||||
def test_regular_client_blocked_from_sharing_with_wildcard(self):
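Review bot: The `testtools.ExpectedException(lib_exc.Conflict)` context in `test_rbac_policy_quota` wraps the whole loop, so the test passes when any of the `max_policies + 1` calls conflicts, including the very first, and never shows that creation is accepted up to the limit. Since this quota is the control that bounds how many policies one tenant can create, the test should pin the boundary: create `max_policies` policies outside the context and expect the Conflict only on the next call, as sketched below. That assumes the charged tenant holds no policies when the test starts; if that cannot be guaranteed, the loop should start from the current count. The limit is also read for `self.client.tenant_id` while the policies are created through `self.admin_client`; if the quota is charged to the creating tenant, which the hunk does not show, a comment should say why the two limits are the same.

```python
    def test_rbac_policy_quota(self):
        # ... unchanged: extension check, quota lookup, network creation ...
        def create_policy():
            self.admin_client.create_rbac_policy(
                object_type='network', object_id=net['id'],
                action='access_as_shared',
                target_tenant=str(uuid.uuid4()).replace('-', ''))

        # Every creation up to the limit must succeed.
        for _ in range(max_policies):
            create_policy()
        # Only the call that exceeds the quota may be refused.
        with testtools.ExpectedException(lib_exc.Conflict):
            create_policy()
```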
|
||||
|
|