author | Pavlo Shchelokovskyy <shchelokovskyy@gmail.com> | 2020-03-27 11:48:36 +0000 |
---|---|---|
committer | Pavlo Shchelokovskyy <pshchelokovskyy@mirantis.com> | 2020-04-08 09:10:05 +0000 |
commit | fe55842f72072028d0cad49acc3ce83f8edc347b (patch) | |
tree | a59508a3e983f326d38bd63a7e711dc22278839e | |
parent | 96c4dbe3ea2681b5d53cec3f6904f5d9d221d914 (diff) | |
download | heat-fe55842f72072028d0cad49acc3ce83f8edc347b.tar.gz |
Filter by project id in list_security_groups
This uses server-side filtering and makes requests issued
on behalf of an admin user (who otherwise sees all SGs) much faster,
avoiding unnecessary failures due to timeouts.
Change-Id: Ifdceb855affcfccb07dbe415ee4b140d3a0355ee
Story: 2007473
Task: 39168
-rw-r--r-- | heat/engine/clients/os/neutron/__init__.py | 16 | ||||
-rw-r--r-- | heat/tests/aws/test_instance.py | 3 | ||||
-rw-r--r-- | heat/tests/clients/test_neutron_client.py | 22 |
3 files changed, 8 insertions, 33 deletions
diff --git a/heat/engine/clients/os/neutron/__init__.py b/heat/engine/clients/os/neutron/__init__.py
index cb1a4c009..beb752afe 100644
--- a/heat/engine/clients/os/neutron/__init__.py
+++ b/heat/engine/clients/os/neutron/__init__.py
@@ -167,7 +167,11 @@ class NeutronClientPlugin(os_client.ExtensionMixin,
 seclist.append(sg)
 else:
 if not all_groups:
- response = self.client().list_security_groups()
+ # filtering by project_id so that if the user
+ # has access to multiple (like admin)
+ # only groups from the token scope are returned
+ response = self.client().list_security_groups(
+ project_id=self.context.project_id)
 all_groups = response['security_groups']
 same_name_groups = [g for g in all_groups if g['name'] == sg]
 groups = [g['id'] for g in same_name_groups]
@@ -176,15 +180,7 @@ class NeutronClientPlugin(os_client.ExtensionMixin,
 elif len(groups) == 1:
 seclist.append(groups[0])
 else:
- # for admin roles, can get the other users'
- # securityGroups, so we should match the tenant_id with
- # the groups, and return the own one
- own_groups = [g['id'] for g in same_name_groups
- if g['tenant_id'] == self.context.tenant_id]
- if len(own_groups) == 1:
- seclist.append(own_groups[0])
- else:
- raise exception.PhysicalResourceNameAmbiguity(name=sg)
+ raise exception.PhysicalResourceNameAmbiguity(name=sg)
 return seclist
 
 def _resolve_resource_path(self, resource):
diff --git a/heat/tests/aws/test_instance.py b/heat/tests/aws/test_instance.py
index 8ae162c35..47ee63bdf 100644
--- a/heat/tests/aws/test_instance.py
+++ b/heat/tests/aws/test_instance.py
@@ -1385,7 +1385,8 @@ class InstancesTest(common.HeatTestCase):
 self.nclient.create_port.assert_called_with({'port': props})
 
 if not all_uuids:
- self.nclient.list_security_groups.assert_called_once_with()
+ self.nclient.list_security_groups.assert_called_once_with(
+ project_id=mock.ANY)
 
 def _get_fake_properties(self, sg='one'):
 fake_groups_list = {
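Review bot: `self.context.project_id` is handed to the server-side filter unconditionally, and nothing in the first hunk guards a context that carries no project scope; if `project_id` can be `None` for some callers, the lookup would no longer fall back to the broader listing the old code performed and the name would simply fail to resolve. Either a guard such as `if self.context.project_id is None:` that keeps the unfiltered call for that case, or a comment stating that a project-scoped context is a precondition here, would make the assumption explicit. The same assumption underlies the second hunk in this file, where the own-tenant disambiguation was removed: that is only safe if Neutron never returns another project's groups under this filter (groups shared into the project via RBAC would be the case to confirm), otherwise a same-name clash the old code resolved now raises `PhysicalResourceNameAmbiguity`. The enclosing method (presumably `get_secgroup_uuids`, judging by the test files) starts outside the hunk.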
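Review bot: `project_id=mock.ANY` in the test_instance.py hunk only proves that some `project_id` keyword was passed, not that the lookup is scoped to the requesting context's project, which is the property this change exists to provide. Asserting the concrete value, e.g. `assert_called_once_with(project_id=<the test context's project id>)`, would catch a regression that passed another project's id or `None`. The enclosing test helper starts outside the hunk, so the name of the context attribute to use is not visible here.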
diff --git a/heat/tests/clients/test_neutron_client.py b/heat/tests/clients/test_neutron_client.py
index 1cbd61526..b16e8dd38 100644
--- a/heat/tests/clients/test_neutron_client.py
+++ b/heat/tests/clients/test_neutron_client.py
@@ -66,28 +66,6 @@ class NeutronClientPluginTest(NeutronClientPluginTestCase):
 self.neutron_client.list_security_groups.return_value = fake_list
 self.assertEqual(expected_groups,
 self.neutron_plugin.get_secgroup_uuids(sgs_non_uuid))
- # test only one belong to the tenant
- fake_list = {
- 'security_groups': [
- {
- 'tenant_id': 'test_tenant_id',
- 'id': '0389f747-7785-4757-b7bb-2ab07e4b09c3',
- 'name': 'security_group_1',
- 'security_group_rules': [],
- 'description': 'no protocol'
- },
- {
- 'tenant_id': 'not_test_tenant_id',
- 'id': '384ccd91-447c-4d83-832c-06974a7d3d05',
- 'name': 'security_group_1',
- 'security_group_rules': [],
- 'description': 'no protocol'
- }
- ]
- }
- self.neutron_client.list_security_groups.return_value = fake_list
- self.assertEqual(expected_groups,
- self.neutron_plugin.get_secgroup_uuids(sgs_non_uuid))
 # test there are two securityGroups with same name, and the two
 # all belong to the tenant
 fake_list = {