Aaron Rosen [Thu, 2 May 2013 00:12:11 +0000 (17:12 -0700)]
Allow admin to delete default security groups
Previously there was no way to delete a default security group, which
isn't ideal if you want to clean up after deleting a tenant. This patch
allows default security groups to be deleted by the admin.
For a particular NVP extension, a database entry was being populated
in the plugin's __init__ method. The entry was added with an admin
context. Grabbing the context caused the policy engine to load before
all the extensions were loaded, so rules on extended attributes
were not being parsed correctly.
This caused checks on external networks to always fail.
Fix 'null' response on router-interface-remove operation
To avoid a 'null' response body, the delete operation returns a response
that is consistent with its add counterpart, i.e. we return the router
id with details about the interface being affected by the operation, as
well as the tenant id.
A unit test is added to ensure that the right body is returned and minor
adjustments have been made to the plugins affected by the change.
Long-term, a delete operation should really return 204 w/o a body, but
this requires some major rework of the WSGI handling within Quantum.
This is an interim solution that deals with an 'ugly' response body,
whilst keeping backward compatibility.
Remove calls to policy.enforce from plugin and db logic
Blueprint make-authz-orthogonal
This patch implements item #2 of the blueprint
Remove calls to policy.enforce when the policy check can be performed
safely at the API level, and modify policy.json to this aim.
This patch does not address enforce calls in the agent scheduler
extension, as that extension is currently not defined as a quantum.v2.api
resource class.
This patch also adds an API-level test case for the provider networks
extension, which was missing in Quantum and was necessary to validate
the API behaviour with the default policy settings.
Roman Podolyaka [Thu, 25 Apr 2013 13:15:59 +0000 (16:15 +0300)]
Use Query instances as iterables when possible
A Query.all() call creates a list of a DB query results.
We can actually use a Query instance as an iterable and
thus avoid creation of a list if we just need to iterate
over those values only once.
This patch replaces the nvp_controller_connection configuration option
with a set of options more intuitive to the user which also avoid
repetitions in ini files.
In order to simplify the configuration of the plugin, this patch also
removes named clusters. As the plugin supports a single cluster at
the moment, this can be simply specified in the [DEFAULT] configuration
section.
Also, this patch restructures nvp_cluster.NvpCluster so that per-cluster
configuration options are no longer stored multiple times.
* Update veth pair creation to set the namespace of the peer
device on creation rather than subsequently adding it to the
namespace.
* This change supports kernels with limited namespace support
(e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
* Addresses bug 1171727
This patch simply enhances the validator for the 'devices' attribute
by verifying each element in the device list does not contain
unexpected attributes.
This patch adds a new policy named 'context_is_admin' which defines
an admin user as a collection of roles or else. The quantum context
has been updated to check for this policy when setting the is_admin
flag.
This patch also adds a method for gathering 'admin' roles from policy
rules as current logic requires the context to be always populated with
the correct roles for admin rules, even when the context is implicitly
generated with get_admin_context or context.elevated.
Backward compatibility is ensured by preserving the old behavior if
the 'context_is_admin' policy is not found in policy.json.
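
The admin check described in the commit message above, as an added example that is not code from the Quantum tree: a simplified model of deriving is_admin from a 'context_is_admin' rule, with the fallback when the rule is missing. The rule syntax handled (role:NAME terms joined by "or"), the sample policy documents, the legacy check on a literal 'admin' role and all function names are assumptions.

```python
import json

# Constructed policy documents (not Quantum's shipped policy.json).
POLICY_WITH_RULE = json.loads(
    '{"context_is_admin": "role:admin or role:cloud_admin"}')
POLICY_LEGACY = json.loads(
    '{"admin_or_owner": "role:admin or tenant_id:%(tenant_id)s"}')

ADMIN_POLICY = "context_is_admin"
LEGACY_ADMIN_ROLE = "admin"  # assumed old behaviour: literal 'admin' role


def admin_roles(policy):
    """Roles named by the context_is_admin rule; empty if the rule is absent.

    Only 'role:NAME' terms joined by 'or' are understood. Any other term
    yields no usable role, so an unparsed rule grants nothing.
    """
    rule = policy.get(ADMIN_POLICY, "")
    roles = []
    for term in rule.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value:
            roles.append(value)
    return roles


def is_admin(policy, roles):
    """Decide the is_admin flag for a request context."""
    have = {r.lower() for r in roles}
    if ADMIN_POLICY not in policy:
        # Rule not found in the policy file: keep the old behaviour.
        return LEGACY_ADMIN_ROLE in have
    return any(r.lower() in have for r in admin_roles(policy))


def elevated_roles(policy, roles):
    """Roles for an implicitly generated admin context, so that role-based
    admin rules still match after elevation."""
    extra = admin_roles(policy) or [LEGACY_ADMIN_ROLE]
    return list(roles) + [r for r in extra if r not in roles]
```
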
Roman Podolyaka [Mon, 15 Apr 2013 15:10:07 +0000 (18:10 +0300)]
Simplify delete_health_monitor() using cascades
Currently delete_health_monitor() emulates behaviour of
cascade deletion: when a HealthMonitor instance is deleted,
all corresponding PoolMonitorAssociations are queried and
deleted one by one. This can be done automatically by means
of SQLAlchemy if we set proper cascade flags on the relationship
between HealthMonitor and PoolMonitorAssociations models.
Aaron Rosen [Thu, 21 Feb 2013 23:31:31 +0000 (15:31 -0800)]
Add string 'quantum'/ version to scope/tag in NVP
This patch adds scope='quantum', tag=QUANTUM_VERSION to each element
created in NVP via quantum. This patch also removes the function
set_tenant_id_tag() as it was only used in one place and wasn't very useful.
Enable automatic validation of many HACKING rules.
* Add hacking to the tox build - a set of flake8 plugins that
perform automatic validation of many HACKING.rst rules.
* This patch configures hacking in the tox build and performs
the mechanical cleanup required to allow the checks to pass.
* See https://pypi.python.org/pypi/hacking
* s+[/.]nicira_nvp_plugin++
* Backwards compatibility is maintained by importing the
nicira package as nicira_nvp_plugin in the plugins package.
* It may be necessary to remove stale .pyc/.pyo files under the
nicira path after applying this patch.
* DocImpact
* Addresses bug 1166307
Make "shared" filter more compatible with diff DBs
For the type BOOLEAN, in sqlalchemy,
it's mapped to BOOLEAN type if the backend database supports it,
otherwise, it's mapped to one of the Integer types, like SMALLINT,
and restricts the values to 1 (True) and 0 (False).
    query_filter = (... | model.shared))
The above filter will generate a SQL where clause like:
    where ... OR xxx.shared
This is not supported in databases which don't support BOOLEAN type.
Change it as below to make it more compatible:
    query_filter = (... | model.shared == True))
It will generate a SQL where clause as below:
    where ... OR xxx.shared = ?
In Python, True == 1, so this change is compatible
with both databases supporting BOOLEAN and those not supporting it.