Merge "Allow shared net to be added on router"

neutron/db/l3_db.py

@@ -55,6 +55,7 @@ from neutron.db import standardattrdescription_db as st_attr
 from neutron.extensions import l3
 from neutron.extensions import segment as segment_ext
 from neutron.objects import base as base_obj
+from neutron.objects import network as network_obj
 from neutron.objects import port_forwarding
 from neutron.objects import ports as port_obj
 from neutron.objects import router as l3_obj
@@ -859,9 +860,24 @@ class L3_NAT_dbonly_mixin(l3.RouterPluginBase,
             msg = _('Subnet for router interface must have a gateway IP')
             raise n_exc.BadRequest(resource='router', msg=msg)
         if subnet['project_id'] != context.project_id and not context.is_admin:
-            msg = (_('Cannot add interface to router because subnet %s is not '
+            # NOTE(amorin): check if network is RBAC or globaly shared
-                     'owned by project making the request') % subnet_id)
+            # globaly shared --> disallow adding interface (see LP-1757482)
-            raise n_exc.BadRequest(resource='router', msg=msg)
+            # RBAC shared --> allow adding interface (see LP-1975603)
+            elevated = context.elevated()
+
+            with db_api.CONTEXT_READER.using(elevated):
+                rbac_allowed_projects = network_obj.NetworkRBAC.get_projects(
+                    elevated, object_id=subnet['network_id'],
+                    action='access_as_shared',
+                    target_project=context.project_id)
+
+                # Fail if the current project_id is NOT in the allowed
+                # projects
+                if context.project_id not in rbac_allowed_projects:
+                    msg = (_('Cannot add interface to router because subnet '
+                             '%s is not owned by project making the request')
+                          % subnet_id)
+                    raise n_exc.BadRequest(resource='router', msg=msg)
         self._validate_subnet_address_mode(subnet)
         self._check_for_dup_router_subnets(context, router,
                                            subnet['network_id'], [subnet])

neutron/tests/unit/extensions/test_l3.py

@@ -57,6 +57,7 @@ from neutron.db import l3_hamode_db
 from neutron.db.models import l3 as l3_models
 from neutron.db import models_v2
 from neutron.extensions import l3
+from neutron.objects import network as network_obj
 from neutron.services.revisions import revision_plugin
 from neutron.tests import base
 from neutron.tests.unit.api import test_extensions
@@ -1328,6 +1329,26 @@ class L3NatTestCaseBase(L3NatTestCaseMixin):
                                                   expected_code=err_code,
                                                   tenant_id=router_tenant_id)
 
+    def test_router_add_interface_by_subnet_other_tenant_subnet_rbac_shared(
+        self,
+    ):
+        router_tenant_id = _uuid()
+        with mock.patch.object(network_obj.NetworkRBAC, "get_projects") as g:
+            with self.router(
+                tenant_id=router_tenant_id, set_context=True
+            ) as r:
+                with self.network(shared=True) as n:
+                    with self.subnet(network=n) as s:
+                        g.return_value = [router_tenant_id]
+                        self._router_interface_action(
+                            "add",
+                            r["router"]["id"],
+                            s["subnet"]["id"],
+                            None,
+                            expected_code=exc.HTTPOk.code,
+                            tenant_id=router_tenant_id,
+                        )
+
     def _test_router_add_interface_by_port_allocation_pool(
             self, out_of_pool=False, router_action_as_admin=False,
             expected_code=exc.HTTPOk.code):