security groups filtered with tenant_id does not accept rbac
Bug #1907843 reported by
Jesper Schmitz Mouridsen
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | Wishlist | Hang Yang |
neutron | Invalid | Undecided | Unassigned |
Bug Description
Horizon filters security groups on tenant_id, this excludes rbac shared security groups from other projects/tenants. Perhaps there should be a filter option called tenant_allowed so that horizon can filter correctly for all tenants, without losing the ability to filter on owner project_id.
tags: added: neutron
Changed in horizon:
assignee: nobody → Hang Yang (hangyang)
status: Confirmed → In Progress
The two patches below use neutron_lib/db/model_query.py around line 206:

    elif key == 'shared' and hasattr(model, 'rbac_entries'):
        # translate a filter on shared into a query against the
        # object's rbac entries
        rbac = model.rbac_entries.property.mapper.class_
        matches = [rbac.target_tenant == '*']
        if context:
            matches.append(rbac.target_tenant == context.tenant_id)
        # any 'access_as_shared' records that match the
        # wildcard or requesting tenant
        is_shared = and_(rbac.action == 'access_as_shared',
                         or_(*matches))

So adding a shared filter does return shared security groups, but Horizon needs two calls. Is there an elegant way to merge the two queries?
Here go the patches:
diff --git a/openstack_ dashboard/ api/neutron. py b/openstack_ dashboard/ api/neutron. py .9d88d9692 100644 dashboard/ api/neutron. py dashboard/ api/neutron. py nager(object) :
index 7bd3e29fb.
--- a/openstack_
+++ b/openstack_
@@ -355,7 +355,11 @@ class SecurityGroupMa
def _list(self, **filters): list_security_ groups( **filters) get('security_ groups' )] get("tenant_ id"): pop("tenant_ id") "shared" ]=True list_security_ groups( **filters) get('security_ groups' ) + secgroups_ rbac.get( "security_ groups" )]
secgroups = self.client.
- return [SecurityGroup(sg) for sg in secgroups.
+ if filters.
+ filters.
+ filters[
+ secgroups_rbac = self.client.
+ return [SecurityGroup(sg) for sg in secgroups.
@profiler. trace
def list(self, **params):
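Review bot: In the new _list body, secgroups_rbac is assigned only under the 'if filters.get("tenant_id")' check, yet the replacement return reads secgroups_rbac.get("security_groups"). As far as the flattened hunk shows, a call without a tenant_id filter either hits an unbound name or, if the return sits inside the branch, falls through and returns None. Keep the original return for the unfiltered case and build the merged list only inside the branch. The merge is also a plain list concatenation, so a group the tenant owns that also matches the shared query would be listed twice; de-duplicate on the group id before wrapping the results in SecurityGroup.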
diff --git a/neutron/ extensions/ securitygroup. py b/neutron/ extensions/ securitygroup. py .ee4a05a650 100644 extensions/ securitygroup. py extensions/ securitygroup. py ATTRIBUTE_ MAP = {
'validate' : {
' type:string' : db_const. PROJECT_ ID_FIELD_ SIZE},
'is_visible' : True, 'is_filter': True},
SECURITYGROUP RULES: {'allow_post': False, 'allow_put': False,
'is_visible' : True}, objects/ securitygroup. py b/neutron/ objects/ securitygroup. py .370683341f 100644 objects/ securitygroup. py objects/ securitygroup. py rbac_db. NeutronRbacObje ct):
index 48b3b5f4c0.
--- a/neutron/
+++ b/neutron/
@@ -233,6 +233,9 @@ RESOURCE_
+ 'shared' : { 'allow_post': False, 'allow_put': False,
+ 'is_sort_key': False,
+ 'is_filter': True, 'primary_key': False},
},
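Review bot: The added 'shared' entry in the attribute map sets allow_post, allow_put, is_sort_key, is_filter and primary_key but no 'is_visible', which the neighbouring entries in this map set explicitly. State it either way so it is clear whether 'shared' is meant to be filter-only or also returned in responses. None of the three diffs touches a test, so this new filter and the matching 'shared' addition to extra_filter_names on the SecurityGroup object are unverified; add a test that lists security groups with shared=True from a tenant that has an access_as_shared RBAC entry and from one that does not.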
diff --git a/neutron/
index 5edfd80b98.
--- a/neutron/
+++ b/neutron/
@@ -62,7 +62,7 @@ class SecurityGroup(
synthetic_ fields = ['is_default', 'rules']
- extra_filter_names = {'is_default'} ,'shared' }
+ extra_filter_names = {'is_default'
lazy_fields = set(['rules'])
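The two-call approach asked about in the comment above, as an added example that is not part of the original comment and not Horizon or Neutron code: the owner query and the shared query are merged and de-duplicated by id. FakeNeutronClient, list_owned_and_shared and the sample data are hypothetical, and the shared filter is assumed to behave like the model_query excerpt quoted in the comment.

```python
# Added example: constructed data and a stand-in client, not Horizon/Neutron code.
# Constructed sample security groups and RBAC entries.
GROUPS = [
    {"id": "sg-a1", "tenant_id": "proj-a"},
    {"id": "sg-a2", "tenant_id": "proj-a"},
    {"id": "sg-b1", "tenant_id": "proj-b"},
    {"id": "sg-b2", "tenant_id": "proj-b"},
    {"id": "sg-c1", "tenant_id": "proj-c"},
]
RBAC = [  # (object_id, action, target_tenant)
    ("sg-a1", "access_as_shared", "proj-b"),
    ("sg-a2", "access_as_shared", "*"),
    ("sg-b1", "access_as_shared", "proj-a"),
    ("sg-c1", "access_as_shared", "*"),
]


class FakeNeutronClient:
    """Hypothetical stand-in; assumes the server accepts a `shared` filter."""

    def __init__(self, context_tenant):
        self.context_tenant = context_tenant

    def _is_shared(self, group):
        # Same match as the model_query excerpt: an access_as_shared entry
        # whose target is the wildcard or the requesting tenant.
        return any(obj == group["id"] and action == "access_as_shared"
                   and target in ("*", self.context_tenant)
                   for obj, action, target in RBAC)

    def list_security_groups(self, **filters):
        found = GROUPS
        if "tenant_id" in filters:
            found = [g for g in found if g["tenant_id"] == filters["tenant_id"]]
        if "shared" in filters:
            found = [g for g in found if self._is_shared(g) == filters["shared"]]
        return {"security_groups": found}


def list_owned_and_shared(client, **filters):
    """Owner query plus shared query, merged and de-duplicated by id."""
    groups = client.list_security_groups(**filters)["security_groups"]
    if filters.pop("tenant_id", None):
        filters["shared"] = True  # second call: RBAC-shared groups only
        shared = client.list_security_groups(**filters)["security_groups"]
        seen = {g["id"] for g in groups}
        groups = groups + [g for g in shared if g["id"] not in seen]
    return groups
```

Without a tenant_id filter the function makes a single call and returns its result unchanged, which is the case the original one-line return handled.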