From: Aaron Rosen
Date: Thu, 2 May 2013 00:12:11 +0000 (-0700)
Subject: Allow admin to delete default security groups
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=b92539646f1ab6f4d480b683778b622f587f0eb2;p=openstack-build%2Fneutron-build.git
Allow admin to delete default security groups
Previously there was no way to delete a default security groups which isn't ideal if you want to clean up after deleting a tenant. This patch allows default security groups to be deleted by the admin.
Fixes bug 1175393
Change-Id: I2214c7dabf0f2ec960ce10ebbbcdc513bc73664c
---
diff --git a/quantum/db/securitygroups_db.py b/quantum/db/securitygroups_db.py
index b91d33904..b1c5f9a32 100644
--- a/quantum/db/securitygroups_db.py
+++ b/quantum/db/securitygroups_db.py
@@ -180,7 +180,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
 # confirm security group exists
 sg = self._get_security_group(context, id)
- if sg['name'] == 'default':
+ if sg['name'] == 'default' and not context.is_admin:
 raise ext_sg.SecurityGroupCannotRemoveDefault()
 with context.session.begin(subtransactions=True):
 context.session.delete(sg)
diff --git a/quantum/plugins/midonet/plugin.py b/quantum/plugins/midonet/plugin.py
index 9baff5d88..34e46808b 100644
--- a/quantum/plugins/midonet/plugin.py
+++ b/quantum/plugins/midonet/plugin.py
@@ -1018,7 +1018,7 @@ class MidonetPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
 sg_id = sg_db_entry['id']
 tenant_id = sg_db_entry['tenant_id']
- if sg_name == 'default':
+ if sg_name == 'default' and not context.is_admin:
 raise ext_sg.SecurityGroupCannotRemoveDefault()
 filters = {'security_group_id': [sg_id]}
diff --git a/quantum/plugins/nicira/QuantumPlugin.py b/quantum/plugins/nicira/QuantumPlugin.py
index 04e5641cd..4df1dd789 100644
--- a/quantum/plugins/nicira/QuantumPlugin.py
+++ b/quantum/plugins/nicira/QuantumPlugin.py
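Review bot: The admin exemption in `if sg['name'] == 'default' and not context.is_admin:` is unconditional, so it also lets an admin remove the default group of a tenant that still exists, while the commit message only motivates cleanup after a tenant is deleted. Whether a live tenant gets its default group back is not visible in this hunk and should be confirmed; a comment above the condition such as `# admin-only: intended for cleanup after the owning tenant is deleted` would record the intent. The same condition is repeated in the midonet and nicira hunks, so a single helper on the security-group mixin would keep the three authorization checks from drifting apart. The enclosing method starts outside the hunk.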
@@ -1949,7 +1949,7 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
 if not security_group:
 raise ext_sg.SecurityGroupNotFound(id=security_group_id)
- if security_group['name'] == 'default':
+ if security_group['name'] == 'default' and not context.is_admin:
 raise ext_sg.SecurityGroupCannotRemoveDefault()
 filters = {'security_group_id': [security_group['id']]}
diff --git a/quantum/tests/unit/test_extension_security_group.py b/quantum/tests/unit/test_extension_security_group.py
index b768ef51d..788cfc66d 100644
--- a/quantum/tests/unit/test_extension_security_group.py
+++ b/quantum/tests/unit/test_extension_security_group.py
@@ -432,12 +432,20 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
 remote_group_id = sg['security_group']['id']
 self._delete('security-groups', remote_group_id, 204)
- def test_delete_default_security_group_fail(self):
+ def test_delete_default_security_group_admin(self):
 with self.network():
 res = self.new_list_request('security-groups')
 sg = self.deserialize(self.fmt, res.get_response(self.ext_api))
 self._delete('security-groups', sg['security_groups'][0]['id'],
- 409)
+ 204)
+
+ def test_delete_default_security_group_nonadmin(self):
+ with self.network():
+ res = self.new_list_request('security-groups')
+ sg = self.deserialize(self.fmt, res.get_response(self.ext_api))
+ quantum_context = context.Context('', 'test-tenant')
+ self._delete('security-groups', sg['security_groups'][0]['id'],
+ 409, quantum_context=quantum_context)
 def test_default_security_group_rules(self):
 with self.network():
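Review bot: `test_delete_default_security_group_admin` never states that it runs as admin; it presumably passes because `_delete` without `quantum_context` falls back to an admin context, which is defined outside this hunk. Both new tests also take `sg['security_groups'][0]` on trust as the default group, so adding `self.assertEqual(sg['security_groups'][0]['name'], 'default')` before each delete would pin the authorization check to the right object. The non-admin case could also list the groups again after the 409 to show the group was not removed. No test for the midonet or nicira changes is visible in this patch.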