Merge "Allow shared net to be added on router"
commit
d4790238cd
@ -55,6 +55,7 @@ from neutron.db import standardattrdescription_db as st_attr
|
||||
from neutron.extensions import l3
|
||||
from neutron.extensions import segment as segment_ext
|
||||
from neutron.objects import base as base_obj
|
||||
from neutron.objects import network as network_obj
|
||||
from neutron.objects import port_forwarding
|
||||
from neutron.objects import ports as port_obj
|
||||
from neutron.objects import router as l3_obj
|
||||
@ -859,9 +860,24 @@ class L3_NAT_dbonly_mixin(l3.RouterPluginBase,
|
||||
msg = _('Subnet for router interface must have a gateway IP')
|
||||
raise n_exc.BadRequest(resource='router', msg=msg)
|
||||
if subnet['project_id'] != context.project_id and not context.is_admin:
|
||||
msg = (_('Cannot add interface to router because subnet %s is not '
|
||||
'owned by project making the request') % subnet_id)
|
||||
raise n_exc.BadRequest(resource='router', msg=msg)
|
||||
# NOTE(amorin): check if network is RBAC or globaly shared
|
||||
# globaly shared --> disallow adding interface (see LP-1757482)
|
||||
# RBAC shared --> allow adding interface (see LP-1975603)
|
||||
elevated = context.elevated()
|
||||
|
||||
with db_api.CONTEXT_READER.using(elevated):
|
||||
rbac_allowed_projects = network_obj.NetworkRBAC.get_projects(
|
||||
elevated, object_id=subnet['network_id'],
|
||||
action='access_as_shared',
|
||||
target_project=context.project_id)
|
||||
|
||||
# Fail if the current project_id is NOT in the allowed
|
||||
# projects
|
||||
if context.project_id not in rbac_allowed_projects:
|
||||
msg = (_('Cannot add interface to router because subnet '
|
||||
'%s is not owned by project making the request')
|
||||
% subnet_id)
|
||||
raise n_exc.BadRequest(resource='router', msg=msg)
|
||||
self._validate_subnet_address_mode(subnet)
|
||||
self._check_for_dup_router_subnets(context, router,
|
||||
subnet['network_id'], [subnet])
|
||||
|
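Review bot: The "globally shared --> disallow" rule is enforced only implicitly, through the `target_project=context.project_id` filter on `NetworkRBAC.get_projects`, and nothing in the new branch says so. If that filter were ever dropped or changed to return wildcard rows as well, the `not in rbac_allowed_projects` test would be the only remaining guard, so the comment should state the dependency, e.g. `# only explicit access_as_shared entries for this project match; wildcard ('*') entries are excluded on purpose (LP-1757482)`. Because the lookup runs on `context.elevated()`, it is also worth a line noting that the elevated context is used only to read RBAC rows and must not be passed to the later `_validate_subnet_address_mode` / `_check_for_dup_router_subnets` calls. Operators should note that an `access_as_shared` grant now also lets the target project attach the subnet to its own router. The "globaly" typo in the NOTE could be fixed in the same pass. The enclosing method starts and ends outside this hunk.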
@ -57,6 +57,7 @@ from neutron.db import l3_hamode_db
|
||||
from neutron.db.models import l3 as l3_models
|
||||
from neutron.db import models_v2
|
||||
from neutron.extensions import l3
|
||||
from neutron.objects import network as network_obj
|
||||
from neutron.services.revisions import revision_plugin
|
||||
from neutron.tests import base
|
||||
from neutron.tests.unit.api import test_extensions
|
||||
@ -1328,6 +1329,26 @@ class L3NatTestCaseBase(L3NatTestCaseMixin):
|
||||
expected_code=err_code,
|
||||
tenant_id=router_tenant_id)
|
||||
|
||||
def test_router_add_interface_by_subnet_other_tenant_subnet_rbac_shared(
|
||||
self,
|
||||
):
|
||||
router_tenant_id = _uuid()
|
||||
with mock.patch.object(network_obj.NetworkRBAC, "get_projects") as g:
|
||||
with self.router(
|
||||
tenant_id=router_tenant_id, set_context=True
|
||||
) as r:
|
||||
with self.network(shared=True) as n:
|
||||
with self.subnet(network=n) as s:
|
||||
g.return_value = [router_tenant_id]
|
||||
self._router_interface_action(
|
||||
"add",
|
||||
r["router"]["id"],
|
||||
s["subnet"]["id"],
|
||||
None,
|
||||
expected_code=exc.HTTPOk.code,
|
||||
tenant_id=router_tenant_id,
|
||||
)
|
||||
|
||||
def _test_router_add_interface_by_port_allocation_pool(
|
||||
self, out_of_pool=False, router_action_as_admin=False,
|
||||
expected_code=exc.HTTPOk.code):
|
||||
|
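Review bot: The new test patches `NetworkRBAC.get_projects` and builds its fixture with `self.network(shared=True)`, so it never exercises the real RBAC query. As far as the visible lines show, that fixture is the globally shared case that the l3_db comment says must still be refused. The test therefore passes only because the mock returns `[router_tenant_id]`, and it would keep passing if the `target_project` filter in the production code were broken. A negative companion is missing: the same setup with `g.return_value = []` and `expected_code=exc.HTTPBadRequest.code`, to pin that a foreign subnet without an explicit grant is still rejected. It would also help to assert the call arguments, for instance `g.assert_called_once_with(mock.ANY, object_id=n['network']['id'], action='access_as_shared', target_project=router_tenant_id)`, so the wildcard exclusion is covered by a test rather than by convention.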