diff --git a/quantum/policy.py b/quantum/policy.py
index f99ef0dfd0..15ce561642 100644
--- a/quantum/policy.py
+++ b/quantum/policy.py
@@ -233,10 +233,14 @@ class OwnerCheck(policy.Check):
 # f *must* exist, if not found it is better to let quantum
 # explode. Check will be performed with admin context
 context = importutils.import_module('quantum.context')
- data = f(context.get_admin_context(),
- target[parent_foreign_key],
- fields=[parent_field])
- target[self.target_field] = data[parent_field]
+ try:
+ data = f(context.get_admin_context(),
+ target[parent_foreign_key],
+ fields=[parent_field])
+ target[self.target_field] = data[parent_field]
+ except Exception:
+ LOG.exception(_('Policy check error while calling %s!'), f)
+ raise
 match = self.match % target
 if self.kind in creds:
 return match == unicode(creds[self.kind])
diff --git a/quantum/tests/unit/test_policy.py b/quantum/tests/unit/test_policy.py
index 0c47dffb53..5a6d6bfad3 100644
--- a/quantum/tests/unit/test_policy.py
+++ b/quantum/tests/unit/test_policy.py
@@ -344,6 +344,24 @@ class QuantumPolicyTestCase(base.BaseTestCase):
 result = policy.enforce(self.context, action, target)
 self.assertTrue(result)

+ def test_enforce_plugin_failure(self):
+
+ def fakegetnetwork(*args, **kwargs):
+ raise NotImplementedError('Blast!')
+
+ # the policy check and plugin method we use in this test are irrelevant
+ # so long that we verify that, if *f* blows up, the behavior of the
+ # policy engine to propagate the exception is preserved
+ action = "create_port:mac"
+ with mock.patch.object(manager.QuantumManager.get_instance().plugin,
+ 'get_network', new=fakegetnetwork):
+ target = {'network_id': 'whatever'}
+ self.assertRaises(NotImplementedError,
+ policy.enforce,
+ self.context,
+ action,
+ target)
+
 def test_enforce_tenant_id_check_parent_resource_bw_compatibility(self):

 def fakegetnetwork(*args, **kwargs):
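Review bot: The `try` added in OwnerCheck (quantum/policy.py) covers more than its log message admits: the `target[parent_foreign_key]` lookup, the call to `f` under the admin context, and the `data[parent_field]` read all land in the same `except Exception`, yet the message blames only `f`. `target` appears to come from the request, so a body that omits the foreign key or names a parent that does not exist would presumably write an ERROR traceback on every such request, which buries genuine plugin faults. Re-raising keeps the check fail-closed, and that part should stay. I would keep only the call to `f` inside the `try` and name the field being resolved in the message, e.g. `LOG.exception(_('Policy check error while calling %(func)s for %(field)s'), {'func': f, 'field': self.target_field})`. The enclosing method starts above the hunk, so the origin of `target` should be confirmed there.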
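Review bot: test_enforce_plugin_failure (quantum/tests/unit/test_policy.py) would pass against the old code as well, because the exception already propagated before this commit; nothing in it checks the logging that the commit adds. Assuming `policy` in the test module is quantum.policy, patching its logger would tie the test to the change: `with mock.patch.object(policy.LOG, 'exception') as log_exc:` around the `assertRaises`, then `self.assertTrue(log_exc.called)`. The comment's "so long that" should read "so long as". The test is still worth keeping as a guard that a failing parent lookup never turns into an allow.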