Merge "Allow network owner reader to get subnets" into stable/2024.1

This commit is contained in:
Zuul 2025-01-10 13:00:01 +00:00 committed by Gerrit Code Review
commit d2bed18af4
3 changed files with 167 additions and 2 deletions


@ -97,7 +97,7 @@ rules = [
check_str=neutron_policy.policy_or(
base.PROJECT_READER,
'rule:shared',
base.ADMIN_OR_NET_OWNER_MEMBER,
base.ADMIN_OR_NET_OWNER_READER,
),
scope_types=['project'],
description='Get a subnet',
@ -128,7 +128,8 @@ rules = [
check_str=neutron_policy.policy_or(
base.PROJECT_READER,
'rule:shared',
base.ADMIN_OR_NET_OWNER_MEMBER,
'rule:external_network',
base.ADMIN_OR_NET_OWNER_READER,
),
scope_types=['project'],
description='Get the subnet tags',
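Review bot: The two read rules in this section end up with different check lists: `get_subnet` (first hunk) is `PROJECT_READER | shared | ADMIN_OR_NET_OWNER_READER`, while `get_subnets_tags` (second hunk) additionally carries `'rule:external_network'`, so tags of a subnet on an external network become readable by callers who cannot read the subnet itself; from the rendered page it is not certain whether the external_network term is pre-existing or added here, but the asymmetry is worth a comment or an alignment either way. Widening from NET_OWNER_MEMBER to NET_OWNER_READER is a deliberate policy relaxation (a reader in the network-owning project can now see subnets other projects created on that network), and nothing in the rule records that intent; a one-line comment above the `get_subnet` check_str such as `# Read access follows the network: a reader of the network's project may get subnets other projects created on it (LP#2038646).` would keep the next backport from re-tightening it by accident. The `rules = [...]` list these entries belong to starts and ends outside the hunks.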


@ -57,6 +57,13 @@ class SubnetAPITestCase(base.PolicyBaseTestCase):
'tenant_id': self.alt_project_id,
'network_id': self.alt_network['id'],
'ext_parent_network_id': self.alt_network['id']}
# This is the case where the network belongs to the project but not
# the subnet.
self.alt_target_own_net = {
'project_id': self.alt_project_id,
'tenant_id': self.alt_project_id,
'network_id': self.network['id'],
'ext_parent_network_id': self.network['id']}
def get_network(context, id, fields=None):
return networks.get(id)
@ -87,6 +94,10 @@ class SystemAdminTests(SubnetAPITestCase):
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_subnet', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_subnet', self.alt_target_own_net)
def test_create_subnet_segment_id(self):
self.assertRaises(
@ -102,6 +113,10 @@ class SystemAdminTests(SubnetAPITestCase):
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_subnet:segment_id', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_subnet:segment_id', self.alt_target_own_net)
def test_create_subnet_service_types(self):
self.assertRaises(
@ -117,6 +132,11 @@ class SystemAdminTests(SubnetAPITestCase):
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_subnet:service_types', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_subnet:service_types',
self.alt_target_own_net)
def test_get_subnet(self):
self.assertRaises(
@ -131,6 +151,10 @@ class SystemAdminTests(SubnetAPITestCase):
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnet', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnet', self.alt_target_own_net)
def test_get_subnet_segment_id(self):
self.assertRaises(
@ -145,6 +169,10 @@ class SystemAdminTests(SubnetAPITestCase):
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnet:segment_id', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnet:segment_id', self.alt_target_own_net)
def test_get_subnets_tags(self):
self.assertRaises(
@ -159,6 +187,10 @@ class SystemAdminTests(SubnetAPITestCase):
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnets_tags', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnets_tags', self.alt_target_own_net)
def test_update_subnet(self):
self.assertRaises(
@ -173,6 +205,10 @@ class SystemAdminTests(SubnetAPITestCase):
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnet', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnet', self.alt_target_own_net)
def test_update_subnet_segment_id(self):
self.assertRaises(
@ -188,6 +224,10 @@ class SystemAdminTests(SubnetAPITestCase):
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnet:segment_id', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnet:segment_id', self.alt_target_own_net)
def test_update_subnet_service_types(self):
self.assertRaises(
@ -203,6 +243,11 @@ class SystemAdminTests(SubnetAPITestCase):
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnet:service_types', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnet:service_types',
self.alt_target_own_net)
def test_update_subnets_tags(self):
self.assertRaises(
@ -217,6 +262,10 @@ class SystemAdminTests(SubnetAPITestCase):
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnets_tags', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnets_tags', self.alt_target_own_net)
def test_delete_subnet(self):
self.assertRaises(
@ -231,6 +280,10 @@ class SystemAdminTests(SubnetAPITestCase):
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_subnet', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_subnet', self.alt_target_own_net)
def test_delete_subnets_tags(self):
self.assertRaises(
@ -245,6 +298,10 @@ class SystemAdminTests(SubnetAPITestCase):
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_subnets_tags', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_subnets_tags', self.alt_target_own_net)
class SystemMemberTests(SystemAdminTests):
@ -275,6 +332,9 @@ class AdminTests(SubnetAPITestCase):
self.target_net_alt_target))
self.assertTrue(
policy.enforce(self.context, 'create_subnet', self.alt_target))
self.assertTrue(
policy.enforce(self.context, 'create_subnet',
self.alt_target_own_net))
def test_create_subnet_segment_id(self):
self.assertTrue(
@ -287,6 +347,10 @@ class AdminTests(SubnetAPITestCase):
self.assertTrue(
policy.enforce(
self.context, 'create_subnet:segment_id', self.alt_target))
self.assertTrue(
policy.enforce(
self.context, 'create_subnet:segment_id',
self.alt_target_own_net))
def test_create_subnet_service_types(self):
self.assertTrue(
@ -299,6 +363,10 @@ class AdminTests(SubnetAPITestCase):
self.assertTrue(
policy.enforce(
self.context, 'create_subnet:service_types', self.alt_target))
self.assertTrue(
policy.enforce(
self.context, 'create_subnet:service_types',
self.alt_target_own_net))
def test_get_subnet(self):
self.assertTrue(
@ -308,6 +376,9 @@ class AdminTests(SubnetAPITestCase):
self.target_net_alt_target))
self.assertTrue(
policy.enforce(self.context, 'get_subnet', self.alt_target))
self.assertTrue(
policy.enforce(self.context, 'get_subnet',
self.alt_target_own_net))
def test_get_subnet_segment_id(self):
self.assertTrue(
@ -318,6 +389,10 @@ class AdminTests(SubnetAPITestCase):
self.assertTrue(
policy.enforce(
self.context, 'get_subnet:segment_id', self.alt_target))
self.assertTrue(
policy.enforce(
self.context, 'get_subnet:segment_id',
self.alt_target_own_net))
def test_get_subnets_tags(self):
self.assertTrue(
@ -327,6 +402,9 @@ class AdminTests(SubnetAPITestCase):
self.target_net_alt_target))
self.assertTrue(
policy.enforce(self.context, 'get_subnets_tags', self.alt_target))
self.assertTrue(
policy.enforce(self.context, 'get_subnets_tags',
self.alt_target_own_net))
def test_update_subnet(self):
self.assertTrue(
@ -336,6 +414,9 @@ class AdminTests(SubnetAPITestCase):
self.target_net_alt_target))
self.assertTrue(
policy.enforce(self.context, 'update_subnet', self.alt_target))
self.assertTrue(
policy.enforce(self.context, 'update_subnet',
self.alt_target_own_net))
def test_update_subnet_segment_id(self):
self.assertTrue(
@ -348,6 +429,10 @@ class AdminTests(SubnetAPITestCase):
self.assertTrue(
policy.enforce(
self.context, 'update_subnet:segment_id', self.alt_target))
self.assertTrue(
policy.enforce(
self.context, 'update_subnet:segment_id',
self.alt_target_own_net))
def test_update_subnet_service_types(self):
self.assertTrue(
@ -370,6 +455,9 @@ class AdminTests(SubnetAPITestCase):
self.assertTrue(
policy.enforce(self.context, 'update_subnets_tags',
self.alt_target))
self.assertTrue(
policy.enforce(self.context, 'update_subnets_tags',
self.alt_target_own_net))
def test_delete_subnet(self):
self.assertTrue(
@ -379,6 +467,9 @@ class AdminTests(SubnetAPITestCase):
self.target_net_alt_target))
self.assertTrue(
policy.enforce(self.context, 'delete_subnet', self.alt_target))
self.assertTrue(
policy.enforce(self.context, 'delete_subnet',
self.alt_target_own_net))
def test_delete_subnets_tags(self):
self.assertTrue(
@ -389,6 +480,9 @@ class AdminTests(SubnetAPITestCase):
self.assertTrue(
policy.enforce(self.context, 'delete_subnets_tags',
self.alt_target))
self.assertTrue(
policy.enforce(self.context, 'delete_subnets_tags',
self.alt_target_own_net))
class ProjectMemberTests(AdminTests):
@ -408,6 +502,9 @@ class ProjectMemberTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnet', self.alt_target)
self.assertTrue(
policy.enforce(self.context, 'create_subnet',
self.alt_target_own_net))
def test_create_subnet_segment_id(self):
self.assertRaises(
@ -423,6 +520,10 @@ class ProjectMemberTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnet:segment_id', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnet:segment_id', self.alt_target_own_net)
def test_create_subnet_service_types(self):
self.assertRaises(
@ -438,6 +539,11 @@ class ProjectMemberTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnet:service_types', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnet:service_types',
self.alt_target_own_net)
def test_get_subnet(self):
self.assertTrue(
@ -449,6 +555,9 @@ class ProjectMemberTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'get_subnet', self.alt_target)
self.assertTrue(
policy.enforce(self.context, 'get_subnet',
self.alt_target_own_net))
def test_get_subnet_segment_id(self):
self.assertRaises(
@ -463,6 +572,10 @@ class ProjectMemberTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'get_subnet:segment_id', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'get_subnet:segment_id', self.alt_target_own_net)
def test_get_subnets_tags(self):
self.assertTrue(
@ -474,6 +587,9 @@ class ProjectMemberTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'get_subnets_tags', self.alt_target)
self.assertTrue(
policy.enforce(self.context, 'get_subnets_tags',
self.alt_target_own_net))
def test_update_subnet(self):
self.assertTrue(
@ -485,6 +601,9 @@ class ProjectMemberTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnet', self.alt_target)
self.assertTrue(
policy.enforce(self.context, 'update_subnet',
self.alt_target_own_net))
def test_update_subnet_segment_id(self):
self.assertRaises(
@ -500,6 +619,10 @@ class ProjectMemberTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnet:segment_id', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnet:segment_id', self.alt_target_own_net)
def test_update_subnet_service_types(self):
self.assertRaises(
@ -515,6 +638,11 @@ class ProjectMemberTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnet:service_types', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnet:service_types',
self.alt_target_own_net)
def test_update_subnets_tags(self):
self.assertTrue(
@ -526,6 +654,9 @@ class ProjectMemberTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnets_tags', self.alt_target)
self.assertTrue(
policy.enforce(self.context, 'update_subnets_tags',
self.alt_target_own_net))
def test_delete_subnet(self):
self.assertTrue(
@ -537,6 +668,9 @@ class ProjectMemberTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnet', self.alt_target)
self.assertTrue(
policy.enforce(self.context, 'delete_subnet',
self.alt_target_own_net))
def test_delete_subnets_tags(self):
self.assertTrue(
@ -548,6 +682,9 @@ class ProjectMemberTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnets_tags', self.alt_target)
self.assertTrue(
policy.enforce(self.context, 'delete_subnets_tags',
self.alt_target_own_net))
class ProjectReaderTests(ProjectMemberTests):
@ -569,6 +706,10 @@ class ProjectReaderTests(ProjectMemberTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnet', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnet', self.alt_target_own_net)
def test_update_subnet(self):
self.assertRaises(
@ -583,6 +724,10 @@ class ProjectReaderTests(ProjectMemberTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnet', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnet', self.alt_target_own_net)
def test_update_subnets_tags(self):
self.assertRaises(
@ -597,6 +742,10 @@ class ProjectReaderTests(ProjectMemberTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnets_tags', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnets_tags', self.alt_target_own_net)
def test_delete_subnet(self):
self.assertRaises(
@ -611,6 +760,10 @@ class ProjectReaderTests(ProjectMemberTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnet', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnet', self.alt_target_own_net)
def test_delete_subnets_tags(self):
self.assertRaises(
@ -625,6 +778,10 @@ class ProjectReaderTests(ProjectMemberTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnets_tags', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnets_tags', self.alt_target_own_net)
class ServiceRoleTests(SubnetAPITestCase):
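Review bot: The fixture comment in the setUp hunk, `# This is the case where the network belongs to the project but not the subnet.`, leaves ambiguous which project "the project" is; given the values (`project_id: self.alt_project_id`, `network_id: self.network['id']`) it reads better as `# Subnet owned by the alt project, attached to a network owned by the test's own project: exercises the NET_OWNER reader/member branches.` (the enclosing setUp starts outside the hunk, so the owner of `self.network` is inferred). The key positive case this commit enables — a project reader of the network-owning project passing `get_subnet` and `get_subnets_tags` for `alt_target_own_net` — is only covered in `ProjectReaderTests` by inheritance from `ProjectMemberTests`, since the ProjectReaderTests hunks override only create/update/delete; an explicit assertion in ProjectReaderTests (mirroring the `test_get_subnet` addition in ProjectMemberTests) would make the tested behaviour visible where a reader looks for it. `ServiceRoleTests` gets no `alt_target_own_net` case in this change; if that is intentional, a short note there would help. The same four-line `assertRaises(..., self.alt_target_own_net)` block is repeated across every method; a small helper such as `_assert_not_authorized(action, target)` in the base class would halve the added lines, though that is a style preference.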


@ -0,0 +1,7 @@
---
fixes:
- |
Subnet policies have been updated to allow other users to operate on them.
Network owners and readers can now retrieve the subnet and project members
can now update and delete the subnet. For more information, see bug
`2038646 <https://launchpad.net/bugs/2038646>`_.