The subnet policy rule ``ADMIN_OR_NET_OWNER_MEMBER`` requires
retrieving the network object from the database to read the project ID.
When retrieving a list of subnets, this operation can slow down the
API call. This patch is reordering the subnet RBAC policy checks to
make this check at the end.

As reported in the related LP bug, it is usual to have a "creator"
project where different resources are created and then shared to others;
in this case networks and subnets. All these subnets will belong to the
same project. If a non-admin user from this project lists all the
subnets, with the code before this patch it would be needed to
retrieve all the networks to read the project ID. With the current code
it is needed only to check that the user is a project reader.

The following benchmark has been done in a VM running a standalone
OpenStack deployment. One project has created 400 networks and 400
subnets (one per network). Each network has been shared with another
project. API time to process "GET /networking/v2.0/subnets":
* Without this patch: 5.5 seconds (average)
* With this patch: 0.25 seconds (average)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/923488
Committed: https://opendev.org/openstack/neutron/commit/f25cc2f503573e2288b61e262bcc3900c62c1a04
Submitter: "Zuul (22348)"
Branch: stable/2024.1
commit f25cc2f503573e2288b61e262bcc3900c62c1a04
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Jul 2 07:29:44 2024 +0000

Reorder subnet RBAC policy check strings

The subnet policy rule ``ADMIN_OR_NET_OWNER_MEMBER`` requires
retrieving the network object from the database to read the project ID.
When retrieving a list of subnets, this operation can slow down the
API call. This patch is reordering the subnet RBAC policy checks to
make this check at the end.

As reported in the related LP bug, it is usual to have a "creator"
project where different resources are created and then shared to others;
in this case networks and subnets. All these subnets will belong to the
same project. If a non-admin user from this project lists all the
subnets, with the code before this patch it would be needed to
retrieve all the networks to read the project ID. With the current code
it is needed only to check that the user is a project reader.

The following benchmark has been done in a VM running a standalone
OpenStack deployment. One project has created 400 networks and 400
subnets (one per network). Each network has been shared with another
project. API time to process "GET /networking/v2.0/subnets":
* Without this patch: 5.5 seconds (average)
* With this patch: 0.25 seconds (average)

Related-Bug: #2071374
Related-Bug: #2037107
Change-Id: Ibca174213bba3c56fc18ec2732d80054ac95e859
(cherry picked from commit 729920da5e836fa7a27b1b85b3b2999146d905ba)
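
The effect of the reordering described in the commit message above, as an added illustration that is not Neutron or oslo.policy code: a simplified OR rule that stops at the first passing check, with a counter standing in for the network database lookup. The check functions, the `BEFORE`/`AFTER` orders and the 400-subnet fixture are constructed assumptions modelled on the commit message.

```python
# Added illustration: simplified model, not Neutron's policy engine.
from dataclasses import dataclass


@dataclass
class FakeDB:
    networks: dict       # network_id -> owning project_id (constructed data)
    lookups: int = 0     # counts simulated database round trips

    def network_project(self, network_id):
        self.lookups += 1
        return self.networks[network_id]


def is_admin(ctx, subnet, db):
    return "admin" in ctx["roles"]


def is_project_reader(ctx, subnet, db):
    # Cheap: the subnet's project ID is already in memory.
    return "reader" in ctx["roles"] and ctx["project_id"] == subnet["project_id"]


def is_net_owner_member(ctx, subnet, db):
    # Expensive: the parent network is fetched to learn its project ID.
    return ("member" in ctx["roles"]
            and ctx["project_id"] == db.network_project(subnet["network_id"]))


def enforce_or(checks, ctx, subnet, db):
    # OR semantics: any() stops evaluating at the first check that passes.
    return any(check(ctx, subnet, db) for check in checks)


# Assumed orders: network-owner check early (before) versus last (after).
BEFORE = [is_admin, is_net_owner_member, is_project_reader]
AFTER = [is_admin, is_project_reader, is_net_owner_member]


def run(order, ctx, n=400):
    # Constructed fixture: n networks with one subnet each, all owned by "creator".
    db = FakeDB({f"net-{i}": "creator" for i in range(n)})
    subnets = [{"network_id": f"net-{i}", "project_id": "creator"} for i in range(n)]
    visible = sum(enforce_or(order, ctx, s, db) for s in subnets)
    return visible, db.lookups


if __name__ == "__main__":
    owner = {"project_id": "creator", "roles": {"member", "reader"}}
    print("before:", run(BEFORE, owner), "after:", run(AFTER, owner))
```

The authorization decision is identical under both orders; only the number of lookups changes, and a caller who fails the cheap check still pays for the network lookup.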