commit 1afe935de81bbfca6ea29c239c55f5768d74410d
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Feb 18 17:08:22 2020 +0000
Filter by owner SGs when retrieving the SG rules

Retrieving the SG rules now uses the admin context. This allows getting
all possible rules, independently of the calling user. The filters
passed and the RBAC policies filter those results, returning only:
- The SG rules belonging to the user.
- The SG rules belonging to a SG owned by the user.

However, if the SG list is too long, the query can take a lot of time.
Instead of this, the filtering is done in the DB query. If no filters
are passed to "get_security_group_rules" and the context is not the
admin context, only the rules specified in the first paragraph will
be retrieved.

Because overwriting the method "get_objects" is too complex, an
intermediate query is done to retrieve the SG rule IDs. Those IDs
will be used as a filter in the "get_objects" call.

Reviewed: https://review.opendev.org/720137
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1afe935de81bbfca6ea29c239c55f5768d74410d
Submitter: Zuul
Branch: stable/rocky
Conflicts:
    neutron/objects/securitygroup.py
    neutron/tests/unit/db/test_securitygroups_db.py
    neutron/tests/unit/objects/test_securitygroup.py

Closes-Bug: #1863201
Change-Id: I25d3da929f8d0b6ee15d7b90ec59b9d58a4ae6a5
(cherry picked from commit d874c46bff7045ba25f5dd6e790f7ddb209cb224)
(cherry picked from commit d3905264b7659b1d10a68e3629861d5f0ba13568)
(cherry picked from commit 61dc621c1ba40efcedabdfb9f3a1854cea227d2c)
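
The ownership filtering described in the commit message above, sketched with sqlite3 as an added example. It is not Neutron's code: the table and column names, the FILTERABLE allow-list and the sample rows are all constructed for illustration.

```python
import sqlite3

# Constructed schema and rows; table/column names are hypothetical, not Neutron's models.
SCHEMA = """
CREATE TABLE sgs (id TEXT PRIMARY KEY, project_id TEXT);
CREATE TABLE sg_rules (id TEXT PRIMARY KEY, project_id TEXT, sg_id TEXT);
INSERT INTO sgs VALUES ('sg-a', 'alice'), ('sg-b', 'bob');
INSERT INTO sg_rules VALUES
  ('r1', 'alice', 'sg-a'),  -- alice's rule in her own SG
  ('r2', 'bob',   'sg-a'),  -- bob's rule inside alice's SG
  ('r3', 'alice', 'sg-b'),  -- alice's rule inside bob's SG
  ('r4', 'bob',   'sg-b');  -- bob's rule in his own SG
"""
FILTERABLE = {"id", "project_id", "sg_id"}  # allow-list of column names


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def visible_rule_ids(db, project_id):
    """Intermediate query: rules the project owns, or that sit in an SG it owns."""
    rows = db.execute(
        "SELECT r.id FROM sg_rules r JOIN sgs s ON s.id = r.sg_id "
        "WHERE r.project_id = ? OR s.project_id = ?", (project_id, project_id))
    return [r[0] for r in rows]


def get_objects(db, filters):
    """Generic fetch: each filter maps a column to a list of accepted values."""
    clauses, params = [], []
    for col, values in filters.items():
        if col not in FILTERABLE:
            raise ValueError("unsupported filter: %s" % col)
        clauses.append("%s IN (%s)" % (col, ",".join("?" * len(values))))
        params.extend(values)
    where = " WHERE " + " AND ".join(clauses) if clauses else ""
    return sorted(r[0] for r in db.execute("SELECT id FROM sg_rules" + where, params))


def get_security_group_rules(db, project_id, is_admin=False, filters=None):
    filters = dict(filters or {})
    if not is_admin and not filters:
        ids = visible_rule_ids(db, project_id)
        if not ids:
            return []  # an empty ID list must mean "no rows", never "no filter"
        filters["id"] = ids
    # Caller-supplied filters are left to the policy layer, which this sketch omits.
    return get_objects(db, filters)
```

The early return for an empty ID list is the case worth checking in any such two-step lookup: passing an empty filter through would otherwise be indistinguishable from an unfiltered, all-tenant query.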