Add rule for updating network's router:external attribute
authorElena Ezhova <eezhova@mirantis.com>
Wed, 9 Jul 2014 16:10:17 +0000 (20:10 +0400)
committerElena Ezhova <eezhova@mirantis.com>
Tue, 22 Jul 2014 08:27:14 +0000 (12:27 +0400)
Set admin_only rule for update_network:router:external in policy.json

Also, change the default value of router:external from attr.ATTR_NOT_SPECIFIED
to False, because each time we try to get or update a network the dict with
its attributes is extended by _extend_network_dict_l3 function which adds
router:external=False to the dict if this attribute is not specified.
Thus, if the default value is not specified, router:external is considered
to be updated in any case and the policy rule is applied.

Change-Id: I899d98c7d8c9d9863ac5d8f992b6a2d507ec4482
Closes-Bug: 1338880

etc/policy.json
neutron/extensions/external_net.py
neutron/tests/unit/test_extension_ext_net.py

index 81fe49556a46df0296e816a1addc5fd9d5df3fb5..d21427cb4ee106094b3defaa83b4528f8bae4976 100644 (file)
@@ -39,6 +39,7 @@
     "update_network:provider:network_type": "rule:admin_only",
     "update_network:provider:physical_network": "rule:admin_only",
     "update_network:provider:segmentation_id": "rule:admin_only",
+    "update_network:router:external": "rule:admin_only",
     "delete_network": "rule:admin_or_owner",
 
     "create_port": "",
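Review bot: The new rule takes effect only where this etc/policy.json is actually deployed, so an installation that keeps its existing, customised policy file on upgrade will not gain `"update_network:router:external": "rule:admin_only"` and the attribute stays updatable by non-admins there. The commit should carry an upgrade note telling operators to add this line to their deployed policy file. Since the attribute also has `'allow_post': True` in external_net.py, it is worth confirming that a matching `create_network:router:external` rule exists; none is visible in this hunk.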
index 6e50e93cb057648f279cde5325bcbc0f41e444ca..0e24f13f6c71eb619298388f2e5f2b244a1f324a 100644 (file)
@@ -29,7 +29,7 @@ EXTERNAL = 'router:external'
 EXTENDED_ATTRIBUTES_2_0 = {
     'networks': {EXTERNAL: {'allow_post': True,
                             'allow_put': True,
-                            'default': attr.ATTR_NOT_SPECIFIED,
+                            'default': False,
                             'is_visible': True,
                             'convert_to': attr.convert_to_boolean,
                             'enforce_policy': True,
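Review bot: `'default': False` makes False the "not supplied" value, and the commit message implies the policy layer decides whether router:external was updated by comparing the value with that default. If so, a non-admin update that sets `router:external` to False on a network that is currently external would presumably be treated as unchanged and never reach the `admin_only` rule. The new test in test_extension_ext_net.py only exercises setting True, so please add a test for the opposite direction. A comment here would help, for example `# default must match what _extend_network_dict_l3 fills in; confirm policy still fires when a caller sets the default value`. The EXTENDED_ATTRIBUTES_2_0 dict continues outside the hunk.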
index d841670b15dd6b095bae60e5a683fdb03ee2e24a..fc308747c078c920ebbd11b9ecf4cae398b4e8fd 100644 (file)
@@ -108,6 +108,19 @@ class ExtNetDBTestCase(test_db_plugin.NeutronDbPluginV2TestCase):
         result = plugin.get_networks(ctx, filters=None)
         self.assertEqual(result, [])
 
+    def test_update_network_set_external_non_admin_fails(self):
+        # Assert that a non-admin user cannot update the
+        # router:external attribute
+        with self.network(tenant_id='noadmin') as network:
+            data = {'network': {'router:external': True}}
+            req = self.new_update_request('networks',
+                                          data,
+                                          network['network']['id'])
+            req.environ['neutron.context'] = context.Context('', 'noadmin')
+            res = req.get_response(self.api)
+            # The API layer always returns 404 on updates in place of 403
+            self.assertEqual(exc.HTTPNotFound.code, res.status_int)
+
     def test_network_filter_hook_admin_context(self):
         plugin = manager.NeutronManager.get_plugin()
         ctx = context.Context(None, None, is_admin=True)
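Review bot: test_update_network_set_external_non_admin_fails asserts only the 404 status, so it would still pass if the request were rejected after the attribute had already been written. After the status check, re-read the network in an admin context and assert that `router:external` is still False. `context.Context('', 'noadmin')` passes an empty user id, and a one-line comment on why that is sufficient for this policy check would help the next reader. The test class and the following test continue outside the hunk.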