By default the ADMIN user in the new Secure RBAC policies should behave in
the same way as in the legacy rules, so basically every API operation for
any project should be allowed for the ADMIN user.
In the new rules there are roles like PROJECT_MEMBER and PROJECT_READER
and those personas don't inherit directly from ADMIN, which means that
if something is possible for e.g. PROJECT_MEMBER it isn't automatically
also allowed for ADMIN and we need to explicitly allow the ADMIN user to do
such requests. It was done like that for many of the API calls already but
not for all of them (probably by mistake).
This patch introduces a new composite check ADMIN_OR_PROJECT_MEMBER and
uses it in the check strings where the ADMIN or PROJECT_MEMBER user is
allowed to use the API.
It also changes some of the check strings which used "policy_or" to
combine ADMIN and PROJECT_MEMBER or PROJECT_READER so that those
composite checks ADMIN_OR_PROJECT_MEMBER and ADMIN_OR_PROJECT_READER are
used everywhere.
Closes-Bug: #1997089
Change-Id: Iab5cd6c7aa07ca8527c5fa8396c9ed0da65b4fa7
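Added example, not part of the commit above and not neutron or oslo.policy code: a toy model of the check strings it describes, with an audit that lists every rule an admin acting on another project's resource would be denied. The action names, project ids and the assumption that the admin token also carries the member and reader roles are constructed for illustration.

```python
"""Toy model of S-RBAC check strings (constructed; not neutron code)."""


def role(name):
    # True when the token carries the named role.
    return lambda creds, target: name in creds["roles"]


def same_project(creds, target):
    # Project scoping: the token's project must own the target resource.
    return creds["project_id"] == target["project_id"]


def all_of(*checks):
    return lambda creds, target: all(c(creds, target) for c in checks)


def any_of(*checks):
    return lambda creds, target: any(c(creds, target) for c in checks)


ADMIN = role("admin")
PROJECT_MEMBER = all_of(role("member"), same_project)
# The composite check the commit introduces: admin is named explicitly.
ADMIN_OR_PROJECT_MEMBER = any_of(ADMIN, PROJECT_MEMBER)

# Hypothetical API actions, one per variant of the check string.
POLICY = {
    "update_widget": PROJECT_MEMBER,           # admin not named: the bug
    "delete_widget": ADMIN_OR_PROJECT_MEMBER,  # composite check: the fix
}


def rules_denying_admin(policy):
    """Return the rules that refuse an admin acting on a foreign project."""
    # Assumption: admin implies member and reader, so only project
    # scoping can make a PROJECT_MEMBER check fail for this token.
    admin = {"roles": {"admin", "member", "reader"}, "project_id": "proj-a"}
    foreign = {"project_id": "proj-b"}
    return sorted(n for n, check in policy.items() if not check(admin, foreign))


if __name__ == "__main__":
    print(rules_denying_admin(POLICY))
```

Run over a full policy table, a check like this works as a regression test for admin parity with the legacy rules.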
For multi segments support we have update the unique constraint so
`segment_index` will be part of it.
Related-Bug: #1791233
Partial-Bug: #1956435
Partial-Bug: #1764738
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
Change-Id: Ic564131dcd7525fc5f24c3282688e3584cd2e2e0
This change ensures the [designate] options, which are used by
the designate external DNS driver, are rendered into neutron.conf
generated by oslo-config-generator.
Change-Id: I56a1079fbfc044532aee64f4fbdec50d9524a580
Update neutron-ovn-metadata-agent, catch port_binding update event
of monitoring localport type, and judge if the neutron:cidrs field in
the external_ids of port_binding table has changed,
then update_datapath.
Closes-Bug: #1996677
Change-Id: Ibdc1b385b07a2ab1ca8e4b6278f6d39fb5839509
While the reverse order may work, it's considered invalid by OVN and not
guaranteed to work properly since OVN may not necessarily know which of
two ports is the one to configure.
This configuration also triggered a bug in OVN where tearing down a port
after deploying a new one resulted in removing flows that serve the
port.
There is a patch up for review for OVN [1] to better handle multiple
assignment of the same port, but it doesn't make the setup any more
valid.
[1] http://patchwork.ozlabs.org/project/ovn/patch/20221114092437.2807815-1-xsimonar@redhat.com/
Closes-Bug: #1997092
Change-Id: Ic7dbc4e8b00423e58f69646a9e3cedc6f72d6c63
In legacy RBAC rules get of the network's router:external attribute was
available for everyone (rule:regular_user). In new S-RBAC rules it was
done to be available for admin users and for PROJECT_READER. This didn't
really have the same result as the router:external attribute wasn't visible
for networks which belong to other projects.
Networks which are set to be external are automatically shared with all
other projects and each user from such a project should be able to check
each of the visible networks if it is external or not.
Overall, an extra policy rule for "get_network:router:external" isn't
really necessary and this patch removes it.
Closes-Bug: #1996836
Change-Id: I5fe4a0134c6ecf5cf28e2f5d59411134546c98b0
The table "router_extra_attributes" is a child of "router" table.
Each register contains extra information that completes the router
description. When using ML2/OVS mechanism driver, the methods that
create and populate the "router_extra_attributes" register are always
called from the L3 DVR, L3 HA and availability zones extensions.
When using ML2/OVN, those extensions are not loaded and therefore the
"router_extra_attributes" register is not created.
Although this register is currently not used in ML2/OVN (it will be in
future features), there are some projects expecting the
"router_extra_attributes" register to be always created (for example,
neutron-dynamic-routing [1]).
This patch always enforces the creation of the child register when a router is
created. This register is populated with the default values. This new
register does not affect any current operation related to ML2/OVN nor
ML2/OVS.
There is a 1:1 relationship between "routers" and
"router_extra_attributes". The child register is deleted by the database
engine when the "routers" register is deleted (ondelete="CASCADE").
[1] https://review.opendev.org/c/openstack/neutron-dynamic-routing/+/863713
Closes-Bug: #1995974
Change-Id: Ic546e40513402fa101c9687acce382cd6b84356c
MechanismDriverContext has an attribute _plugin_context, which carries
the current context with it. This is used by many ml2 drivers, as it is
the only way for them to get the current context. We now make this a
public API by adding a property to MechanismDriverContext that returns
_plugin_context as a read-only attribute.
Change-Id: If9b05655286f42081cf26c90c563429ca2e63244
Nothing much else, what the title says...
Change-Id: Ib1d41a6e4c869e108f31c1eb604f22c794d66467
Closes-Bug: #1996759
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
Move common Exception class to one place. Move haproxy same
configuration to one place.
Partially-Implements: blueprint distributed-metadata-datapath
Change-Id: I3a0fc72da4520d6bc7193fb32a1bcf9a5585fbf4
Since [1], the functional tests are being executed in Ubuntu 22.04.
The test "test_get_all_devices" is failing frequently, maybe because
other tests are interfering and modifying the root namespace
interface list.
Because this test cannot be executed inside a temporary namespace,
this patch moves the execution of this test to the section of
"concurrency=1". That will ensure no other test interferes with the
result.
Closes-Bug: #1997341
Change-Id: If0631bf0cdfd5f0989c60d40e31f89cee317e497
Removed "test_live_migration_with_trunk" test execution from
"neutron-ovs-tempest-multinode-full" job until LP#1997025 is
fixed.
Related-Bug: #1997025
Change-Id: Id7a0565db9b014e2658002437a2f21facbe47a8f
There is an inconsistency for keystone domain names
in the docs, 'default' and 'Default'. Should always
use the latter, 'Default'.
Change-Id: I4487de4e121362a02f839546721f007781f84057
Closes-bug: #1996889
Some test classes are not loading the required configuration options
during the setup process. That prevents launching those tests
or classes individually. This patch solves this issue by importing the
required options in the "setUp" test class method.
This is breaking python 3.11 on Debian, not possible to test
in the gate at the moment.
Closes-Bug: #1996527
Change-Id: Ie579df7126ca8d09dbedad8d2254c79ec0d3bc32
Metadata service now supports IPv6 networks. This patch removes
this limitation in the documentation.
Related-Bug: #1460177
Change-Id: I1c50aef5e4aa60705f923f399e8d36c37a9d6289
Move _sign_instance_id to common utils for distributed metadata.
Partially-Implements: blueprint distributed-metadata-datapath
Change-Id: I0ef9330232e2ed5dbda6e45917c291c7385d1e0d
This patch replaces the Linux Bridge references with Open vSwitch in
the installation manuals.
Closes-Bug: #1996772
Change-Id: Ib63daad7fac52e1e10dca2e98add01d5ee7635a3
--black-regex has been deprecated and using it can sometimes
cause failures in the fullstack job.
Change-Id: Iac1d4c4004e1348ced388ee4dd44711f0e27bcc2
Closes-bug: #1995901
For some reason in Python even if using getattr with None and as
default value a string for the type __doc__ will return None.
>>> type(getattr(None, "__doc__", ""))
<class 'NoneType'>
The error reported was:
ft1.1: neutron.tests.functional.db.test_migrations.TestModelsMigrationsMySQL.test_branchestesttools.testresult.real._StringException: Traceback (most recent call last):
  File "/home/zuul/src/opendev.org/openstack/neutron/neutron/tests/base.py", line 182, in func
    return f(self, *args, **kwargs)
  File "/home/zuul/src/opendev.org/openstack/neutron/neutron/tests/functional/db/test_migrations.py", line 302, in test_branches
    find_migration_exceptions()
  File "/home/zuul/src/opendev.org/openstack/neutron/neutron/tests/functional/db/test_migrations.py", line 253, in find_migration_exceptions
    if len(explanation) < 1:
TypeError: object of type 'NoneType' has no len()
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
Change-Id: I7c03bac9c6e8dd074325f511e555c10fec8e77fc
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
the ones in neutron/plugins.
Trivialfix
Change-Id: Id9138652f5f07ef12fa682e182fe210019e8f975
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
the ones in neutron/db.
Trivialfix
Change-Id: I9311cfe5efc51552008072d84aa238e5d0c9de60
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
the ones in neutron/ipam.
Trivialfix
Change-Id: I8312c9a0835ee9bdae9e3b2c565bf899899349c3