Reorder subnet RBAC policy check strings
The subnet policy rule ``ADMIN_OR_NET_OWNER_MEMBER`` requires to retrieve the network object from the database to read the project ID. When retrieving a list of subnets, this operation can slow down the API call. This patch is reordering the subnet RBAC policy checks to make this check at the end. As reported in the related LP bug, it is usual to have a "creator" project where different resources are created and then shared to others; in this case networks and subnets. All these subnets will belong to the same project. If a non-admin user from this project list all the subnets, with the code before to this patch it would be needed to retrieve all the networks to read the project ID. With the current code it is needed only to check that the user is a project reader. The following benchmark has been done in a VM running a standalone OpenStack deployment. One project has created 400 networks and 400 subnets (one per network). Each network has been shared with another project. API time to process "GET /networking/v2.0/subnets": * Without this patch: 5.5 seconds (average) * With this patch: 0.25 seconds (average) Related-Bug: #2071374 Related-Bug: #2037107 Change-Id: Ibca174213bba3c56fc18ec2732d80054ac95e859 (cherry picked from commit 729920da5e836fa7a27b1b85b3b2999146d905ba)
This commit is contained in:
parent
c6d4a3e364
commit
f25cc2f503
@ -95,17 +95,19 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_subnet',
|
||||
check_str=neutron_policy.policy_or(
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER,
|
||||
base.PROJECT_READER,
|
||||
'rule:shared'),
|
||||
'rule:shared',
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER,
|
||||
),
|
||||
scope_types=['project'],
|
||||
description='Get a subnet',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='get_subnet',
|
||||
check_str=neutron_policy.policy_or(
|
||||
'rule:shared',
|
||||
neutron_policy.RULE_ADMIN_OR_OWNER,
|
||||
'rule:shared'),
|
||||
),
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
@ -124,9 +126,10 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_subnets_tags',
|
||||
check_str=neutron_policy.policy_or(
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER,
|
||||
base.PROJECT_READER,
|
||||
'rule:shared'),
|
||||
'rule:shared',
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER,
|
||||
),
|
||||
scope_types=['project'],
|
||||
description='Get the subnet tags',
|
||||
operations=ACTION_GET_TAGS,
|
||||
@ -134,8 +137,8 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_subnet',
|
||||
check_str=neutron_policy.policy_or(
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER,
|
||||
base.PROJECT_MEMBER),
|
||||
base.PROJECT_MEMBER,
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER),
|
||||
scope_types=['project'],
|
||||
description='Update a subnet',
|
||||
operations=ACTION_PUT,
|
||||
@ -172,8 +175,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_subnets_tags',
|
||||
check_str=neutron_policy.policy_or(
|
||||
base.PROJECT_MEMBER,
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER,
|
||||
base.PROJECT_MEMBER),
|
||||
),
|
||||
scope_types=['project'],
|
||||
description='Update the subnet tags',
|
||||
operations=ACTION_PUT_TAGS,
|
||||
@ -181,8 +185,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_subnet',
|
||||
check_str=neutron_policy.policy_or(
|
||||
base.PROJECT_MEMBER,
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER,
|
||||
base.PROJECT_MEMBER),
|
||||
),
|
||||
scope_types=['project'],
|
||||
description='Delete a subnet',
|
||||
operations=ACTION_DELETE,
|
||||
@ -195,8 +200,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_subnets_tags',
|
||||
check_str=neutron_policy.policy_or(
|
||||
base.PROJECT_MEMBER,
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER,
|
||||
base.PROJECT_MEMBER),
|
||||
),
|
||||
scope_types=['project'],
|
||||
description='Delete the subnet tags',
|
||||
operations=ACTION_DELETE_TAGS,
|
||||
|
Loading…
x
Reference in New Issue
Block a user