From b92539646f1ab6f4d480b683778b622f587f0eb2 Mon Sep 17 00:00:00 2001 From: Aaron Rosen Date: Wed, 1 May 2013 17:12:11 -0700 Subject: [PATCH] Allow admin to delete default security groups Previously there was no way to delete a default security groups which isn't ideal if you want to clean up after deleting a tenant. This patch allows default security groups to be deleted by the admin. Fixes bug 1175393 Change-Id: I2214c7dabf0f2ec960ce10ebbbcdc513bc73664c --- quantum/db/securitygroups_db.py | 2 +- quantum/plugins/midonet/plugin.py | 2 +- quantum/plugins/nicira/QuantumPlugin.py | 2 +- quantum/tests/unit/test_extension_security_group.py | 12 ++++++++++-- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/quantum/db/securitygroups_db.py b/quantum/db/securitygroups_db.py index b91d339049..b1c5f9a32f 100644 --- a/quantum/db/securitygroups_db.py +++ b/quantum/db/securitygroups_db.py @@ -180,7 +180,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase): # confirm security group exists sg = self._get_security_group(context, id) - if sg['name'] == 'default': + if sg['name'] == 'default' and not context.is_admin: raise ext_sg.SecurityGroupCannotRemoveDefault() with context.session.begin(subtransactions=True): context.session.delete(sg) diff --git a/quantum/plugins/midonet/plugin.py b/quantum/plugins/midonet/plugin.py index 9baff5d884..34e46808bc 100644 --- a/quantum/plugins/midonet/plugin.py +++ b/quantum/plugins/midonet/plugin.py @@ -1018,7 +1018,7 @@ class MidonetPluginV2(db_base_plugin_v2.QuantumDbPluginV2, sg_id = sg_db_entry['id'] tenant_id = sg_db_entry['tenant_id'] - if sg_name == 'default': + if sg_name == 'default' and not context.is_admin: raise ext_sg.SecurityGroupCannotRemoveDefault() filters = {'security_group_id': [sg_id]} diff --git a/quantum/plugins/nicira/QuantumPlugin.py b/quantum/plugins/nicira/QuantumPlugin.py index 04e5641cdb..4df1dd7897 100644 --- a/quantum/plugins/nicira/QuantumPlugin.py 
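Review bot: The added `and not context.is_admin` condition exempts an admin for the default group of any tenant, not only a tenant that has already been deleted, and nothing in the hunk says why the exemption exists or what a still-active tenant is left with afterwards. The same condition is repeated in the midonet and nicira hunks, so the three copies can drift apart; the rule would be easier to audit as one helper on `SecurityGroupDbMixin` that the plugins call. At minimum I would add a comment above the check in each place, `# Admin-only exemption: lets an operator clean up the default group of a deleted tenant; non-admins still get SecurityGroupCannotRemoveDefault.` Whether the default group is recreated for a tenant that is still in use cannot be seen from these hunks and should be confirmed, since that group presumably carries the tenant's baseline rules. The enclosing method starts and ends outside the hunk in all three files.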
+++ b/quantum/plugins/nicira/QuantumPlugin.py @@ -1949,7 +1949,7 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2, if not security_group: raise ext_sg.SecurityGroupNotFound(id=security_group_id) - if security_group['name'] == 'default': + if security_group['name'] == 'default' and not context.is_admin: raise ext_sg.SecurityGroupCannotRemoveDefault() filters = {'security_group_id': [security_group['id']]} diff --git a/quantum/tests/unit/test_extension_security_group.py b/quantum/tests/unit/test_extension_security_group.py index b768ef51d4..788cfc66d6 100644 --- a/quantum/tests/unit/test_extension_security_group.py +++ b/quantum/tests/unit/test_extension_security_group.py @@ -432,12 +432,20 @@ class TestSecurityGroups(SecurityGroupDBTestCase): remote_group_id = sg['security_group']['id'] self._delete('security-groups', remote_group_id, 204) - def test_delete_default_security_group_fail(self): + def test_delete_default_security_group_admin(self): with self.network(): res = self.new_list_request('security-groups') sg = self.deserialize(self.fmt, res.get_response(self.ext_api)) self._delete('security-groups', sg['security_groups'][0]['id'], - 409) + 204) + + def test_delete_default_security_group_nonadmin(self): + with self.network(): + res = self.new_list_request('security-groups') + sg = self.deserialize(self.fmt, res.get_response(self.ext_api)) + quantum_context = context.Context('', 'test-tenant') + self._delete('security-groups', sg['security_groups'][0]['id'], + 409, quantum_context=quantum_context) def test_default_security_group_rules(self): with self.network():
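Review bot: Both new tests delete `sg['security_groups'][0]` without checking that it is the default group, so the 204 case would still pass if a non-default group came first in the list; add `self.assertEqual(sg['security_groups'][0]['name'], 'default')` before each `_delete` call. `test_delete_default_security_group_admin` also relies on `_delete` using an admin context when no `quantum_context` is passed, which is not visible in this hunk. Passing an explicit admin context there would make the privilege under test obvious and keep the test meaningful if that default ever changes. Neither test lists the groups again afterwards, so the non-admin case does not show that the group survived the rejected request.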