Fix default RBAC policy quota
authorKevin Benton <blak111@gmail.com>
Thu, 3 Dec 2015 01:55:01 +0000 (17:55 -0800)
committerKevin Benton <blak111@gmail.com>
Thu, 3 Dec 2015 22:03:44 +0000 (14:03 -0800)
The previous config value for the default RBAC policy
was not in neutron.conf, and the value that was registered
as a config option, 'rbac_entry', didn't match the resource
name 'rbac_policy', so the default did not take effect.

This patch corrects it by registering the 'rbac_policy'
option instead of 'rbac_entry' and documents it in neutron.conf.
It also adds an API test that exercises the quota limit and
ensures that it's not set to -1.

Change-Id: I8c8d4bcfda808e376af94048fe5a98c68a2a975f
Closes-Bug: #1522224

neutron/extensions/rbac.py
neutron/tests/api/admin/test_shared_network_extension.py

index 23c9e77523138e7028fa4b98dfac66049f73061c..a96b82ad36577e0f8112ea1ece1cacf110043593 100644 (file)
@@ -70,7 +70,8 @@ RESOURCE_ATTRIBUTE_MAP = {
 }
 
 rbac_quota_opts = [
-    cfg.IntOpt('quota_rbac_entry', default=10,
+    cfg.IntOpt('quota_rbac_policy', default=10,
+               deprecated_name='quota_rbac_entry',
                help=_('Default number of RBAC entries allowed per tenant. '
                       'A negative value means unlimited.'))
 ]
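Review bot: The help text on `quota_rbac_policy` still says "RBAC entries", although the option and the quota resource are now both named after policies; `help=_('Default number of RBAC policies allowed per tenant. '` would match. Because `deprecated_name='quota_rbac_entry'` maps an existing `quota_rbac_entry` setting onto the new option, and the commit message says the old option did not take effect, deployments that set it may see that limit enforced for the first time after upgrading. A release note saying so would help operators.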
index 13cee56e1e267a5899c2d8fbee4cfc9c94b51f50..04f70285915c36980e1bde77d6507e1b44b7ab84 100644 (file)
@@ -14,6 +14,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import uuid
+
 from tempest_lib import exceptions as lib_exc
 import testtools
 
@@ -358,6 +360,25 @@ class RBACSharedNetworksTest(base.BaseAdminNetworkTest):
                 object_type='network', object_id=net['id'],
                 action='access_as_shared', target_tenant=self.client.tenant_id)
 
+    @test.attr(type='smoke')
+    @test.idempotent_id('c5f8f785-ce8d-4430-af7e-a236205862fb')
+    def test_rbac_policy_quota(self):
+        if not test.is_extension_enabled('quotas', 'network'):
+            msg = "quotas extension not enabled."
+            raise self.skipException(msg)
+        quota = self.client.show_quotas(self.client.tenant_id)['quota']
+        max_policies = quota['rbac_policy']
+        self.assertGreater(max_policies, 0)
+        net = self.client.create_network(
+            name=data_utils.rand_name('test-network-'))['network']
+        self.addCleanup(self.client.delete_network, net['id'])
+        with testtools.ExpectedException(lib_exc.Conflict):
+            for i in range(0, max_policies + 1):
+                self.admin_client.create_rbac_policy(
+                    object_type='network', object_id=net['id'],
+                    action='access_as_shared',
+                    target_tenant=str(uuid.uuid4()).replace('-', ''))
+
     @test.attr(type='smoke')
     @test.idempotent_id('86c3529b-1231-40de-803c-afffffff7fff')
     def test_regular_client_blocked_from_sharing_with_wildcard(self):
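Review bot: In `test_rbac_policy_quota` the `testtools.ExpectedException(lib_exc.Conflict)` block wraps the whole loop, so a Conflict raised by the very first `create_rbac_policy` call passes the test just as well as one raised at the limit. Since the quota is what bounds per-tenant policy growth, the test is more useful if it shows that `max_policies` creations succeed and only the next one is rejected, as sketched below. That assumes no other policies already count against the same tenant when the test runs; if that cannot be guaranteed, at least make the first call outside the context manager. The quota is also read for `self.client.tenant_id` while the policies are created through `self.admin_client`, so it is worth confirming that both are charged to the same tenant.

```python
        # ... unchanged: extension check, quota lookup, network creation and cleanup ...
        policy_args = dict(object_type='network', object_id=net['id'],
                           action='access_as_shared')
        # Every request up to the limit has to be accepted.
        for _ in range(max_policies):
            self.admin_client.create_rbac_policy(
                target_tenant=uuid.uuid4().hex, **policy_args)
        # Only the request that exceeds the quota may be refused.
        with testtools.ExpectedException(lib_exc.Conflict):
            self.admin_client.create_rbac_policy(
                target_tenant=uuid.uuid4().hex, **policy_args)
```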