17563a802e
Neutron Manager is loaded at the very startup of the neutron server process and with it plugins are loaded and stored for lookup purposes as their references are widely used across the entire neutron codebase. Rather than holding these references directly in NeutronManager this patch refactors the code so that these references are held by a plugin directory. This allows subprojects and other parts of the Neutron codebase to use the directory in lieu of the manager. The result is a leaner, cleaner, and more decoupled code. Usage pattern [1,2] can be translated to [3,4] respectively. [1] manager.NeutronManager.get_service_plugins()[FOO] [2] manager.NeutronManager.get_plugin() [3] directory.get_plugin(FOO) [4] directory.get_plugin() The more entangled part is in the neutron unit tests, where the use of the manager can be simplified as mocking is typically replaced by a call to the directory add_plugin() method. This is safe as each test case gets its own copy of the plugin directory. That said, unit tests that look more like API tests and that rely on the entire plugin machinery, need some tweaking to avoid stumbling into plugin loading failures. Due to the massive use of the manager, deprecation warnings are considered impractical as they cause logs to bloat out of proportion. Follow-up patches that show how to adopt the directory in neutron subprojects are tagged with topic:plugin-directory. NeutronLibImpact Partially-implements: blueprint neutron-lib Change-Id: I7331e914234c5f0b7abe836604fdd7e4067551cf
57 lines
2.1 KiB
Python
57 lines
2.1 KiB
Python
# Copyright (c) 2015 Mirantis, Inc.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from neutron_lib.plugins import directory
|
|
from pecan import hooks
|
|
import webob
|
|
|
|
from neutron._i18n import _
|
|
|
|
|
|
class OwnershipValidationHook(hooks.PecanHook):
|
|
|
|
priority = 125
|
|
|
|
def before(self, state):
|
|
if state.request.method != 'POST':
|
|
return
|
|
for item in state.request.context.get('resources', []):
|
|
self._validate_network_tenant_ownership(state, item)
|
|
|
|
def _validate_network_tenant_ownership(self, state, resource_item):
|
|
# TODO(salvatore-orlando): consider whether this check can be folded
|
|
# in the policy engine
|
|
neutron_context = state.request.context.get('neutron_context')
|
|
resource = state.request.context.get('resource')
|
|
if (neutron_context.is_admin or neutron_context.is_advsvc or
|
|
resource not in ('port', 'subnet')):
|
|
return
|
|
plugin = directory.get_plugin()
|
|
network = plugin.get_network(neutron_context,
|
|
resource_item['network_id'])
|
|
# do not perform the check on shared networks
|
|
if network.get('shared'):
|
|
return
|
|
|
|
network_owner = network['tenant_id']
|
|
|
|
if network_owner != resource_item['tenant_id']:
|
|
msg = _("Tenant %(tenant_id)s not allowed to "
|
|
"create %(resource)s on this network")
|
|
raise webob.exc.HTTPForbidden(msg % {
|
|
"tenant_id": resource_item['tenant_id'],
|
|
"resource": resource,
|
|
})
|