From 3dbaa356b9d0af75f5a4102d3e881ca803c895e2 Mon Sep 17 00:00:00 2001
From: Salvatore Orlando
Date: Tue, 21 Aug 2012 08:26:24 -0700
Subject: [PATCH] Enable users to list subnets on shared networks

Fixes bug 1039591

This patch will enable regular users to list subnets on a shared network by exposing the subnet's "shared" attribute to the policy engine, and letting it applying different rules if the subnet is shared or private.

Change-Id: If204f1e352c114e16251586c743f5b7fe2d1ad7d
---
 etc/policy.json | 7 ++++++-
 quantum/api/v2/attributes.py | 6 +++++-
 quantum/db/db_base_plugin_v2.py | 1 +
 quantum/tests/unit/test_db_plugin.py | 22 ++++++++++++++++++++++
 4 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/etc/policy.json b/etc/policy.json
index d0761adc8bb..f53080cc541 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -13,8 +13,13 @@
 "networks:shared:read": [["rule:regular_user"]],
 "networks:shared:write": [["rule:admin_only"]],
+ "subnets:private:read": [["rule:admin_or_owner"]],
+ "subnets:private:write": [["rule:admin_or_owner"]],
+ "subnets:shared:read": [["rule:regular_user"]],
+ "subnets:shared:write": [["rule:admin_only"]],
+
 "create_subnet": [["rule:admin_or_network_owner"]],
- "get_subnet": [["rule:admin_or_owner"]],
+ "get_subnet": [],
 "update_subnet": [["rule:admin_or_network_owner"]],
 "delete_subnet": [["rule:admin_or_network_owner"]],
diff --git a/quantum/api/v2/attributes.py b/quantum/api/v2/attributes.py
index 92b29aa1433..46a9bc84154 100644
--- a/quantum/api/v2/attributes.py
+++ b/quantum/api/v2/attributes.py
@@ -278,7 +278,11 @@ RESOURCE_ATTRIBUTE_MAP = {
 SHARED: {'allow_post': False,
 'allow_put': False,
 'default': False,
- 'is_visible': False},
+ 'convert_to': convert_to_boolean,
+ 'validate': {'type:boolean': None},
+ 'is_visible': False,
+ 'required_by_policy': True,
+ 'enforce_policy': True},
 }
 }
diff --git a/quantum/db/db_base_plugin_v2.py b/quantum/db/db_base_plugin_v2.py
index 289177b1f4a..8750a26ebe5 100644
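Review bot: `"get_subnet": []` removes the resource-level check, so a private subnet is now hidden from other tenants only if the attribute rule `subnets:private:read` is actually evaluated for every read and list path; an empty rule list is allow-by-default, so a deployment whose policy.json lacks the four new `subnets:*` entries, or a plugin whose subnet dict never carries `shared`, fails open rather than closed (inferred from the rule shape — please confirm against the policy engine). The read rules also judge ownership differently from the write rules on the lines below: `subnets:private:read` uses `rule:admin_or_owner` (the subnet's own tenant) while `create_subnet`/`update_subnet`/`delete_subnet` use `rule:admin_or_network_owner`, so a subnet whose tenant differs from its network's tenant is readable and writable by different parties; if that asymmetry is intended it deserves a sentence in the commit message, since JSON cannot carry a comment explaining why `get_subnet` is deliberately empty.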
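Review bot: The new `SHARED` entry in the subnet map combines `'is_visible': False` with `'required_by_policy': True` and `'enforce_policy': True`, which is unusual enough to warrant a comment, since a later reader may "fix" the invisible attribute or drop the policy flags without realising the `subnets:shared:*` / `subnets:private:*` rules depend on them. Suggest a comment above the entry such as `# not settable or returned via the API; populated by the plugin solely so the policy engine can apply the subnets:shared:* / subnets:private:* rules`. `'validate': {'type:boolean': None}` is unreachable for client input while `allow_post` and `allow_put` are both False — harmless, but worth a word in the same comment if it is kept for `convert_to` symmetry. The enclosing `RESOURCE_ATTRIBUTE_MAP` literal begins and ends outside this hunk.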
--- a/quantum/db/db_base_plugin_v2.py
+++ b/quantum/db/db_base_plugin_v2.py
@@ -710,6 +710,7 @@ class QuantumDbPluginV2(quantum_plugin_base_v2.QuantumPluginBaseV2):
 'host_routes': [{'destination': route['destination'],
 'nexthop': route['nexthop']}
 for route in subnet['routes']],
+ 'shared': subnet['shared']
 }
 if subnet['gateway_ip']:
 res['gateway_ip'] = subnet['gateway_ip']
diff --git a/quantum/tests/unit/test_db_plugin.py b/quantum/tests/unit/test_db_plugin.py
index 4f13f5ae9c7..8ec59546776 100644
--- a/quantum/tests/unit/test_db_plugin.py
+++ b/quantum/tests/unit/test_db_plugin.py
@@ -1843,6 +1843,28 @@ class TestSubnetsV2(QuantumDbPluginV2TestCase):
 self.assertEquals(res2['cidr'], subnet2['subnet']['cidr'])
+ def test_list_subnets_shared(self):
+ with self.network(shared=True) as network:
+ with self.subnet(network=network, cidr='10.0.0.0/24') as subnet:
+ with self.subnet(cidr='10.0.1.0/24') as priv_subnet:
+ # normal user should see only 1 subnet
+ req = self.new_list_request('subnets')
+ req.environ['quantum.context'] = context.Context(
+ '', 'some_tenant')
+ res = self.deserialize('json',
+ req.get_response(self.api))
+ self.assertEqual(len(res['subnets']), 1)
+ self.assertEquals(res['subnets'][0]['cidr'],
+ subnet['subnet']['cidr'])
+ # admin will see both subnets
+ admin_req = self.new_list_request('subnets')
+ admin_res = self.deserialize(
+ 'json', admin_req.get_response(self.api))
+ self.assertEqual(len(admin_res['subnets']), 2)
+ cidrs = [sub['cidr'] for sub in admin_res['subnets']]
+ self.assertIn(subnet['subnet']['cidr'], cidrs)
+ self.assertIn(priv_subnet['subnet']['cidr'], cidrs)
+
 def test_list_subnets_with_parameter(self):
 # NOTE(jkoelker) This would be a good place to use contextlib.nested
 # or just drop 2.6 support ;)
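Review bot: The added `'shared': subnet['shared']` is the only entry in the `res` literal without a trailing comma, and it is also the value the new `subnets:private:read` / `subnets:shared:read` rules key on, so its purpose is not obvious from the dict alone; suggest `'shared': subnet['shared'],  # read by the policy engine only; the attribute is not visible in API responses`. The diffstat touches no model file, so `subnet['shared']` is presumably already available on the Subnet object (possibly derived from its network) — worth confirming, because a subnet dict without this key leaves the attribute-level policy check with nothing to match. The enclosing function that builds `res` starts before this hunk.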