Reorder subnet RBAC policy check strings

The subnet policy rule ``ADMIN_OR_NET_OWNER_MEMBER`` requires to
retrieve the network object from the database to read the project ID.
When retrieving a list of subnets, this operation can slow down the
API call. This patch is reordering the subnet RBAC policy checks to
make this check at the end.

As reported in the related LP bug, it is usual to have a "creator"
project where different resources are created and then shared to others;
in this case networks and subnets. All these subnets will belong to the
same project. If a non-admin user from this project list all the
subnets, with the code before to this patch it would be needed to
retrieve all the networks to read the project ID. With the current code
it is needed only to check that the user is a project reader.

The following benchmark has been done in a VM running a standalone
OpenStack deployment. One project has created 400 networks and 400
subnets (one per network). Each network has been shared with another
project. API time to process "GET /networking/v2.0/subnets":
* Without this patch: 5.5 seconds (average)
* With this patch: 0.25 seconds (average)

Related-Bug: #2071374
Related-Bug: #2037107
Change-Id: Ibca174213bba3c56fc18ec2732d80054ac95e859
(cherry picked from commit 729920da5e836fa7a27b1b85b3b2999146d905ba)
This commit is contained in:
Rodolfo Alonso Hernandez 2024-07-02 07:29:44 +00:00
parent c6d4a3e364
commit f25cc2f503

@ -95,17 +95,19 @@ rules = [
policy.DocumentedRuleDefault(
name='get_subnet',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_NET_OWNER_MEMBER,
base.PROJECT_READER,
'rule:shared'),
'rule:shared',
base.ADMIN_OR_NET_OWNER_MEMBER,
),
scope_types=['project'],
description='Get a subnet',
operations=ACTION_GET,
deprecated_rule=policy.DeprecatedRule(
name='get_subnet',
check_str=neutron_policy.policy_or(
'rule:shared',
neutron_policy.RULE_ADMIN_OR_OWNER,
'rule:shared'),
),
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
),
@ -124,9 +126,10 @@ rules = [
policy.DocumentedRuleDefault(
name='get_subnets_tags',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_NET_OWNER_MEMBER,
base.PROJECT_READER,
'rule:shared'),
'rule:shared',
base.ADMIN_OR_NET_OWNER_MEMBER,
),
scope_types=['project'],
description='Get the subnet tags',
operations=ACTION_GET_TAGS,
@ -134,8 +137,8 @@ rules = [
policy.DocumentedRuleDefault(
name='update_subnet',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_NET_OWNER_MEMBER,
base.PROJECT_MEMBER),
base.PROJECT_MEMBER,
base.ADMIN_OR_NET_OWNER_MEMBER),
scope_types=['project'],
description='Update a subnet',
operations=ACTION_PUT,
@ -172,8 +175,9 @@ rules = [
policy.DocumentedRuleDefault(
name='update_subnets_tags',
check_str=neutron_policy.policy_or(
base.PROJECT_MEMBER,
base.ADMIN_OR_NET_OWNER_MEMBER,
base.PROJECT_MEMBER),
),
scope_types=['project'],
description='Update the subnet tags',
operations=ACTION_PUT_TAGS,
@ -181,8 +185,9 @@ rules = [
policy.DocumentedRuleDefault(
name='delete_subnet',
check_str=neutron_policy.policy_or(
base.PROJECT_MEMBER,
base.ADMIN_OR_NET_OWNER_MEMBER,
base.PROJECT_MEMBER),
),
scope_types=['project'],
description='Delete a subnet',
operations=ACTION_DELETE,
@ -195,8 +200,9 @@ rules = [
policy.DocumentedRuleDefault(
name='delete_subnets_tags',
check_str=neutron_policy.policy_or(
base.PROJECT_MEMBER,
base.ADMIN_OR_NET_OWNER_MEMBER,
base.PROJECT_MEMBER),
),
scope_types=['project'],
description='Delete the subnet tags',
operations=ACTION_DELETE_TAGS,