Comment 14 for bug 2071374

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/923488
Committed: https://opendev.org/openstack/neutron/commit/f25cc2f503573e2288b61e262bcc3900c62c1a04
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit f25cc2f503573e2288b61e262bcc3900c62c1a04
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Jul 2 07:29:44 2024 +0000

    Reorder subnet RBAC policy check strings

    The subnet policy rule ``ADMIN_OR_NET_OWNER_MEMBER`` requires
    retrieving the network object from the database to read the project ID.
    When retrieving a list of subnets, this operation can slow down the
    API call. This patch is reordering the subnet RBAC policy checks to
    make this check at the end.

    As reported in the related LP bug, it is usual to have a "creator"
    project where different resources are created and then shared to others;
    in this case networks and subnets. All these subnets will belong to the
    same project. If a non-admin user from this project lists all the
    subnets, with the code before this patch it would be necessary to
    retrieve all the networks to read the project ID. With the current code
    it is only necessary to check that the user is a project reader.

    The following benchmark has been done in a VM running a standalone
    OpenStack deployment. One project has created 400 networks and 400
    subnets (one per network). Each network has been shared with another
    project. API time to process "GET /networking/v2.0/subnets":
    * Without this patch: 5.5 seconds (average)
    * With this patch: 0.25 seconds (average)

    Related-Bug: #2071374
    Related-Bug: #2037107
    Change-Id: Ibca174213bba3c56fc18ec2732d80054ac95e859
    (cherry picked from commit 729920da5e836fa7a27b1b85b3b2999146d905ba)
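
The effect of the reordering described in the commit message, shown as an added example that is not neutron or oslo.policy code: a simplified model of an OR-combined policy rule evaluated left to right, stopping at the first check that passes. The check functions, `FakeDB` and the data set are hypothetical and constructed to mirror the shape of the benchmark (400 networks, one subnet each, all owned by one project).

```python
# Simplified model of an OR-combined policy rule; not neutron or oslo.policy code.
class FakeDB:
    """Constructed stand-in for the networks table; counts lookups."""
    def __init__(self, networks):
        self.networks = networks
        self.lookups = 0

    def get_network(self, network_id):
        self.lookups += 1
        return self.networks[network_id]


def is_project_reader(creds, subnet, db):
    # Cheap: uses only fields already on the subnet and the request context.
    return "reader" in creds["roles"] and subnet["project_id"] == creds["project_id"]


def is_net_owner_member(creds, subnet, db):
    # Expensive: the network owner is not stored on the subnet, so fetch the network.
    network = db.get_network(subnet["network_id"])
    return "member" in creds["roles"] and network["project_id"] == creds["project_id"]


def or_rule(*checks):
    # any() short-circuits: later checks run only if earlier ones fail.
    return lambda creds, subnet, db: any(c(creds, subnet, db) for c in checks)


def count_lookups(rule, project="creator", n=400):
    """Return (visible subnets, network lookups) for one subnet list call."""
    networks = {f"net-{i}": {"project_id": "creator"} for i in range(n)}
    subnets = [{"id": f"sub-{i}", "network_id": f"net-{i}",
                "project_id": "creator"} for i in range(n)]
    db = FakeDB(networks)
    creds = {"project_id": project, "roles": ["reader", "member"]}
    visible = [s for s in subnets if rule(creds, s, db)]
    return len(visible), db.lookups


before = or_rule(is_net_owner_member, is_project_reader)  # expensive check first
after = or_rule(is_project_reader, is_net_owner_member)   # expensive check last

if __name__ == "__main__":
    print("before:", count_lookups(before))
    print("after: ", count_lookups(after))
    print("other project, before/after:",
          count_lookups(before, "other"), count_lookups(after, "other"))
```

Both orderings return the same authorization decision for every subnet; only the number of network lookups changes, and only for callers who pass the cheap check.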