Allow admin to delete default security groups
authorAaron Rosen <arosen@nicira.com>
Thu, 2 May 2013 00:12:11 +0000 (17:12 -0700)
committerAaron Rosen <arosen@nicira.com>
Thu, 2 May 2013 00:14:40 +0000 (17:14 -0700)
Previously there was no way to delete a default security group, which
isn't ideal if you want to clean up after deleting a tenant. This patch
allows default security groups to be deleted by the admin.

Fixes bug 1175393

Change-Id: I2214c7dabf0f2ec960ce10ebbbcdc513bc73664c

quantum/db/securitygroups_db.py
quantum/plugins/midonet/plugin.py
quantum/plugins/nicira/QuantumPlugin.py
quantum/tests/unit/test_extension_security_group.py

index b91d339049d1691fbafb5a669b08c172d45c1b1d..b1c5f9a32fafb6a8553d458046d4d63bd3e2d42f 100644 (file)
@@ -180,7 +180,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
         # confirm security group exists
         sg = self._get_security_group(context, id)
 
-        if sg['name'] == 'default':
+        if sg['name'] == 'default' and not context.is_admin:
             raise ext_sg.SecurityGroupCannotRemoveDefault()
         with context.session.begin(subtransactions=True):
             context.session.delete(sg)
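Review bot: The new `and not context.is_admin` exemption is wider than the use case in the commit message, because it lets any admin context delete the default group of a tenant that still exists, not only of a deleted one, and nothing at the check records that. A comment above the condition would state the intent, for example `# Admins may remove a default group, e.g. to clean up after a deleted tenant (bug 1175393).` Whether a live tenant gets its default group re-created afterwards is not visible in this hunk and is worth confirming. The same condition is repeated in the Midonet and NVP plugin hunks below, so a single shared helper would keep the three checks from drifting apart. The enclosing method starts above this hunk.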
index 9baff5d88483d10ade639641f6844bd262f5500e..34e46808bcdc59f288f4151f64067966628e0358 100644 (file)
@@ -1018,7 +1018,7 @@ class MidonetPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
             sg_id = sg_db_entry['id']
             tenant_id = sg_db_entry['tenant_id']
 
-            if sg_name == 'default':
+            if sg_name == 'default' and not context.is_admin:
                 raise ext_sg.SecurityGroupCannotRemoveDefault()
 
             filters = {'security_group_id': [sg_id]}
index 04e5641cdbfc871f0756748d348b435ce13182bd..4df1dd7897f3b04661319802d556cccce15c549f 100644 (file)
@@ -1949,7 +1949,7 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
             if not security_group:
                 raise ext_sg.SecurityGroupNotFound(id=security_group_id)
 
-            if security_group['name'] == 'default':
+            if security_group['name'] == 'default' and not context.is_admin:
                 raise ext_sg.SecurityGroupCannotRemoveDefault()
 
             filters = {'security_group_id': [security_group['id']]}
index b768ef51d4bbd98bfe2a444891a64008ce3fc8d7..788cfc66d6945b29d0a253ec5774969a641f848e 100644 (file)
@@ -432,12 +432,20 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
             remote_group_id = sg['security_group']['id']
             self._delete('security-groups', remote_group_id, 204)
 
-    def test_delete_default_security_group_fail(self):
+    def test_delete_default_security_group_admin(self):
         with self.network():
             res = self.new_list_request('security-groups')
             sg = self.deserialize(self.fmt, res.get_response(self.ext_api))
             self._delete('security-groups', sg['security_groups'][0]['id'],
-                         409)
+                         204)
+
+    def test_delete_default_security_group_nonadmin(self):
+        with self.network():
+            res = self.new_list_request('security-groups')
+            sg = self.deserialize(self.fmt, res.get_response(self.ext_api))
+            quantum_context = context.Context('', 'test-tenant')
+            self._delete('security-groups', sg['security_groups'][0]['id'],
+                         409, quantum_context=quantum_context)
 
     def test_default_security_group_rules(self):
         with self.network():
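Review bot: `test_delete_default_security_group_admin` deletes `sg['security_groups'][0]` without checking that it is the default group, so the expected 204 would also be returned for any ordinary group that happened to be listed first. Adding `self.assertEqual('default', sg['security_groups'][0]['name'])` before the `_delete` call in both new tests pins them to the behaviour this commit changes. The admin test also appears to rely on `_delete` using an admin context when no `quantum_context` is passed; that helper is outside the hunk, so a one-line comment stating the assumption would help the next reader.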