neutron

  1. Bug #1863201
  2. Comment #17

Comment 17 for bug 1863201

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/720049
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d3905264b7659b1d10a68e3629861d5f0ba13568
Submitter: Zuul
Branch: stable/train

commit d3905264b7659b1d10a68e3629861d5f0ba13568
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Feb 18 17:08:22 2020 +0000

    Filter by owner SGs when retrieving the SG rules

    Retrieving the SG rules now is used the admin context. This allows to
    get all possible rules, independently of the user calling. The filters
    passed and the RBAC policies filter those results, returning only:
    - The SG rules belonging to the user.
    - The SG rules belonging to a SG owned by the user.

    However, if the SG list is too long, the query can take a lot of time.
    Instead of this, the filtering is done in the DB query. If no filters
    are passed to "get_security_group_rules" and the context is not the
    admin context, only the rules specified in the first paragraph will
    be retrieved.

    Because overwriting the method "get_objects" is too complex, an
    intermediate query is done to retrieve the SG rule IDs. Those IDs
    will be used as a filter in the "get_objects" call.

    Conflicts:
          neutron/db/securitygroups_db.py
          neutron/objects/securitygroup.py

    Closes-Bug: #1863201

    Change-Id: I25d3da929f8d0b6ee15d7b90ec59b9d58a4ae6a5
    (cherry picked from commit d874c46bff7045ba25f5dd6e790f7ddb209cb224)