Update permissions on external networks

Users outside the projet should be able to read/refer to External network. This is how neutron treats external networks (even if they are not shared) Also added check for ethertype conflict with prefix in SG rules Closes-Bug: 1709196 Closes-Bug: 1709192 Change-Id: Id6a0c1a509d7663da8e5bc86f2c7c91c73d420a2
Juniper · Aug 10, 2017 · 1ce8cd8 · 1ce8cd8
1 parent bdbb71d
commit 1ce8cd8
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 2 deletions.
diff --git a/src/config/vnc_openstack/vnc_openstack/neutron_plugin_db.py b/src/config/vnc_openstack/vnc_openstack/neutron_plugin_db.py
@@ -10,7 +10,7 @@
 import re
 import uuid
 from cfgm_common import jsonutils as json
-from cfgm_common import PERMS_RWX, PERMS_NONE
+from cfgm_common import PERMS_RWX, PERMS_NONE, PERMS_RX
 import netaddr
 from netaddr import IPNetwork, IPSet, IPAddress
 import gevent
@@ -1209,6 +1209,13 @@ def _security_group_rule_neutron_to_vnc(self, sgr_q, oper):
                     'SecurityGroupRemoteGroupAndRemoteIpPrefix')
             endpt = [AddressType(security_group='any')]
             if sgr_q['remote_ip_prefix']:
+                et = sgr_q.get('ethertype')
+                ip_net = netaddr.IPNetwork(sgr_q['remote_ip_prefix'])
+                if ((ip_net.version == 4 and et != 'IPv4') or
+                        (ip_net.version == 6 and et != 'IPv6')):
+                    self._raise_contrail_exception(
+                        'SecurityGroupRuleParameterConflict',
+                        ethertype=et, cidr=sgr_q['remote_ip_prefix'])
                 cidr = sgr_q['remote_ip_prefix'].split('/')
                 pfx = cidr[0]
                 pfx_len = int(cidr[1])
@@ -1288,6 +1295,13 @@ def _network_neutron_to_vnc(self, network_q, oper):
                 net_obj.router_external = False
             else:
                 net_obj.router_external = external_attr
+                # external network should be readable and reference-able from
+                # outside
+                if external_attr:
+                    net_obj.perms2 = PermType2(
+                        project_obj.uuid, PERMS_RWX, # tenant, tenant-access
+                        PERMS_RX,                    # global-access
+                        [])                          # share list
             if 'shared' in network_q:
                 net_obj.is_shared = network_q['shared']
             else:
@@ -1299,6 +1313,9 @@ def _network_neutron_to_vnc(self, network_q, oper):
                     net_obj.is_shared = network_q['shared']
                 if external_attr is not attr_not_specified:
                     net_obj.router_external = external_attr
+                    perms2 = net_obj.perms2
+                    perms2.global_access = PERMS_RX if external_attr else PERMS_NONE
+                    net_obj.perms2 = perms2
 
         if 'name' in network_q and network_q['name']:
             net_obj.display_name = network_q['name']

diff --git a/src/config/vnc_openstack/vnc_openstack/tests/test_basic.py b/src/config/vnc_openstack/vnc_openstack/tests/test_basic.py
@@ -8,7 +8,7 @@
 
 sys.path.append('../common/tests')
 from cfgm_common.exceptions import NoIdError
-from cfgm_common import PERMS_RWX, PERMS_NONE
+from cfgm_common import PERMS_RWX, PERMS_NONE, PERMS_RX
 from test_utils import *
 import test_common
 
@@ -871,6 +871,32 @@ def test_subnet_timestamps(self):
         self.assertIsNot(sn_dict_2['created_at'], sn_dict_2['updated_at'])
     # end test_subnet_timestamps
 
+    def test_external_network_perms(self):
+        proj_obj = self._vnc_lib.project_read(fq_name=['default-domain',
+                                                       'default-project'])
+        net_q = self.create_resource('network', proj_obj.uuid,
+            extra_res_fields={'router:external': True})
+        self.create_resource('subnet', proj_obj.uuid, extra_res_fields={
+                'network_id': net_q['id'],
+                'cidr': '1.1.1.0/24',
+                'ip_version': 4,
+        })
+
+        net_obj = self._vnc_lib.virtual_network_read(net_q['contrail:fq_name'])
+        self.assertEqual(net_obj.perms2.global_access, PERMS_RX)
+
+        self.update_resource('network', net_q['id'], proj_obj.uuid,
+                             extra_res_fields={'router:external':False})
+        net_obj = self._vnc_lib.virtual_network_read(net_q['contrail:fq_name'])
+        self.assertEqual(net_obj.perms2.global_access, PERMS_NONE)
+
+        self.update_resource('network', net_q['id'], proj_obj.uuid,
+                             extra_res_fields={'router:external':True})
+        net_obj = self._vnc_lib.virtual_network_read(net_q['contrail:fq_name'])
+        self.assertEqual(net_obj.perms2.global_access, PERMS_RX)
+        self.delete_resource('network', proj_obj.uuid, net_q['id'])
+    # end test_external_network_perms
+
     def test_external_network_fip_pool(self):
         proj_obj = self._vnc_lib.project_read(fq_name=['default-domain',
                                                        'default-project'])