When a port is validated, we check for the user to be the owner of
corresponding network, among other things. Sadly, this check requires a
plugin call to fetch the network, which goes straight into the database.
Now, if there are multiple ports to validate with current policy, and
the user is not admin, we fetch the network for each port, f.e. making
list operation on ports to scale badly.
To avoid that, we should postpone OwnerCheck (tenant_id) based
validations that rely on foreign keys, tenant_id:%(network:...)s, to as
late as possible. It will make policy checks avoid hitting database in
some cases, like when a port is owned by current user.
Note: the patch excludes regression unit tests to avoid breaking
external plugin repos that rely on base db test classes private methods
like _create_network or _create_router.
See Ic323e148f7d6d333194aa339774afa953b241aa7 for details about possible
third party breakage.
Reviewed: https://review.openstack.org/277095
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9cb659199786b95581553318cfdda93649c21c28
Submitter: Jenkins
Branch: stable/liberty
commit 9cb659199786b95581553318cfdda93649c21c28
Author: Ihar Hrachyshka <email address hidden>
Date: Tue Jan 19 23:10:25 2016 +0100
Postpone heavy policy check for ports to later
When a port is validated, we check for the user to be the owner of
corresponding network, among other things. Sadly, this check requires a
plugin call to fetch the network, which goes straight into the database.
Now, if there are multiple ports to validate with current policy, and
the user is not admin, we fetch the network for each port, f.e. making
list operation on ports to scale badly.
To avoid that, we should postpone OwnerCheck (tenant_id) based
validations that rely on foreign keys, tenant_id:%(network:...)s, to as
late as possible. It will make policy checks avoid hitting database in
some cases, like when a port is owned by current user.
Note: the patch excludes regression unit tests to avoid breaking
external plugin repos that rely on base db test classes private methods
like _create_network or _create_router.
See Ic323e148f7d6d333194aa339774afa953b241aa7 for details about possible
third party breakage.
Change-Id: I99e0c4280b06d8ebab0aa8adc497662c995133ad
Closes-Bug: #1513782
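
The effect of the reordering described in the commit message above, as an added sketch that is not Neutron's code: owner checks that need a foreign-key lookup are evaluated last inside an OR, so the authorization result is unchanged while database hits drop. The names OwnerCheck (as modelled here), check_any, run and fetch, the rule string tenant_id:%(network:tenant_id)s, and the sample tenants and networks are all assumptions made for the illustration.

```python
# Added illustration, not Neutron code: class and function names are hypothetical.
class OwnerCheck:
    """Rule of the form 'tenant_id:%(field)s' or 'tenant_id:%(parent:field)s'."""

    def __init__(self, spec):
        self.kind, match = spec.split(":", 1)
        # Strip the '%(' prefix and ')s' suffix, then split an optional parent.
        self.parent, _, self.field = match[2:-2].rpartition(":")

    @property
    def needs_lookup(self):
        # A parent (foreign key) means the parent resource must be fetched.
        return bool(self.parent)

    def __call__(self, target, creds, fetch):
        if self.needs_lookup:
            value = fetch(self.parent, target[self.parent + "_id"])[self.field]
        else:
            value = target[self.field]
        return value == creds[self.kind]


def check_any(rules, target, creds, fetch, postpone=True):
    """OR the rules; with postpone=True, lookup-based rules run last."""
    ordered = sorted(rules, key=lambda r: r.needs_lookup) if postpone else rules
    return any(rule(target, creds, fetch) for rule in ordered)


def run(ports, networks, creds, postpone):
    """Return (allowed ports, database lookups) for a port list operation."""
    lookups = 0

    def fetch(kind, resource_id):
        nonlocal lookups
        lookups += 1  # stands in for the plugin call that hits the database
        return networks[resource_id]

    rules = [OwnerCheck("tenant_id:%(network:tenant_id)s"),
             OwnerCheck("tenant_id:%(tenant_id)s")]
    allowed = sum(check_any(rules, p, creds, fetch, postpone) for p in ports)
    return allowed, lookups


# Constructed sample data: 100 ports owned by the caller on someone else's
# network, plus one foreign port on a network the caller owns.
NETWORKS = {"net-1": {"tenant_id": "tenant-b"}, "net-2": {"tenant_id": "tenant-a"}}
PORTS = [{"tenant_id": "tenant-a", "network_id": "net-1"} for _ in range(100)]
PORTS.append({"tenant_id": "tenant-c", "network_id": "net-2"})
CREDS = {"tenant_id": "tenant-a"}
```

Both orderings allow the same ports; only the foreign port on the caller's own network still needs the network fetched when the lookup-based rule is postponed.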