Disallow unsharing used firewall policy
authorKoteswara Rao Kelam <koteswara.kelam@hp.com>
Fri, 26 Sep 2014 11:34:11 +0000 (04:34 -0700)
committerKoteswara Rao Kelam <koteswara.kelam@hp.com>
Mon, 29 Sep 2014 09:24:45 +0000 (02:24 -0700)
When admin policy p1 is shared and is used by firewall f1 of a different tenant,
updating p1 with shared=False should not be allowed, because the policy is in use.

Change-Id: I7c753f9d8a25a7edc40233316398475c8ad3efe9
Closes-bug: #1334994

neutron/db/firewall/firewall_db.py
neutron/tests/unit/db/firewall/test_db_firewall.py

index 7321d1d126fa559ed6c89e20590afd428f9b9971..9c8ce696ac9cc247a668388ac45336318c0a8bba 100644 (file)
@@ -338,6 +338,12 @@ class Firewall_db_mixin(firewall.FirewallPluginBase, base_db.CommonDbMixin):
         fwp = firewall_policy['firewall_policy']
         with context.session.begin(subtransactions=True):
             fwp_db = self._get_firewall_policy(context, id)
+            # check tenant ids are same for fw and fwp or not
+            if not fwp.get('shared', True) and fwp_db.firewalls:
+                for fw in fwp_db['firewalls']:
+                    if fwp_db['tenant_id'] != fw['tenant_id']:
+                        raise firewall.FirewallPolicyInUse(
+                            firewall_policy_id=id)
             # check any existing rules are not shared
             if 'shared' in fwp and 'firewall_rules' not in fwp:
                 self._check_unshared_rules_for_policy(fwp_db, fwp)
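Review bot: The new guard before the rules check is a check-then-write with no lock on the policy row visible in the hunk, so a firewall from another tenant that attaches to the policy between this loop and the commit would presumably still end up bound to an unshared policy. Whether `_get_firewall_policy` or the firewall create/update path serialises this is not shown here and is worth confirming. The comment above the guard describes the mechanism rather than the rule; something like `# refuse to unshare a policy that another tenant's firewall still references` states the authorization intent. The guard also mixes `fwp_db.firewalls` with `fwp_db['firewalls']`, and using one access form throughout would read better. The enclosing method starts before the hunk and continues after it.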
index 0dd6f42aac0a95d81707cf2c782acbb0f4cdeddd..c25ba330506e3ed6b13af80913ccf1153e5b3df0 100644 (file)
@@ -573,6 +573,16 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
                 res = req.get_response(self.ext_api)
                 self.assertEqual(webob.exc.HTTPConflict.code, res.status_int)
 
+    def test_update_firewall_policy_assoc_with_other_tenant_firewall(self):
+        with self.firewall_policy(shared=True, tenant_id='tenant1') as fwp:
+            fwp_id = fwp['firewall_policy']['id']
+            with self.firewall(firewall_policy_id=fwp_id):
+                data = {'firewall_policy': {'shared': False}}
+                req = self.new_update_request('firewall_policies', data,
+                                              fwp['firewall_policy']['id'])
+                res = req.get_response(self.ext_api)
+                self.assertEqual(webob.exc.HTTPConflict.code, res.status_int)
+
     def test_delete_firewall_policy(self):
         ctx = context.get_admin_context()
         with self.firewall_policy(do_delete=False) as fwp:
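Review bot: The new test `test_update_firewall_policy_assoc_with_other_tenant_firewall` only exercises the cross-tenant case if the `self.firewall(...)` fixture's default tenant differs from `'tenant1'`, which is not visible in the hunk. Passing an explicit tenant to the firewall fixture, if it accepts one, would make that precondition part of the test. There is also no companion case showing that unsharing still succeeds when the only attached firewall belongs to the policy's own tenant, so a guard that blocked every unshare would pass this test. After the 409 it would be worth asserting that the policy is still `shared`. The already-bound `fwp_id` could replace the repeated `fwp['firewall_policy']['id']` in the update request.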