commit d3905264b7659b1d10a68e3629861d5f0ba13568
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Feb 18 17:08:22 2020 +0000
Filter by owner SGs when retrieving the SG rules
Retrieving the SG rules now is used the admin context. This allows to
get all possible rules, independently of the user calling. The filters
passed and the RBAC policies filter those results, returning only:
- The SG rules belonging to the user.
- The SG rules belonging to a SG owned by the user.
However, if the SG list is too long, the query can take a lot of time.
Instead of this, the filtering is done in the DB query. If no filters
are passed to "get_security_group_rules" and the context is not the
admin context, only the rules specified in the first paragraph will
be retrieved.
Because overwriting the method "get_objects" is too complex, an
intermediate query is done to retrieve the SG rule IDs. Those IDs
will be used as a filter in the "get_objects" call.
Reviewed: https:/ /review. opendev. org/720049 /git.openstack. org/cgit/ openstack/ neutron/ commit/ ?id=d3905264b76 59b1d10a68e3629 861d5f0ba13568
Committed: https:/
Submitter: Zuul
Branch: stable/train
commit d3905264b7659b1 d10a68e3629861d 5f0ba13568
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Feb 18 17:08:22 2020 +0000
Filter by owner SGs when retrieving the SG rules
Retrieving the SG rules now is used the admin context. This allows to
get all possible rules, independently of the user calling. The filters
passed and the RBAC policies filter those results, returning only:
- The SG rules belonging to the user.
- The SG rules belonging to a SG owned by the user.
However, if the SG list is too long, the query can take a lot of time. group_rules" and the context is not the
Instead of this, the filtering is done in the DB query. If no filters
are passed to "get_security_
admin context, only the rules specified in the first paragraph will
be retrieved.
Because overwriting the method "get_objects" is too complex, an
intermediate query is done to retrieve the SG rule IDs. Those IDs
will be used as a filter in the "get_objects" call.
Conflicts:
neutron/ db/securitygrou ps_db.py
neutron/ objects/ securitygroup. py
Closes-Bug: #1863201
Change-Id: I25d3da929f8d0b 6ee15d7b90ec59b 9d58a4ae6a5 a25f5dd6e790f7d db209cb224)
(cherry picked from commit d874c46bff7045b