Do no override default owner unless tenant ID is present in incoming …

…token. Closes-Bug: #1528796 Change-Id: Ib1d8ab65e97e6081b28bff3bf932a8c755c378ed
Juniper · Aug 29, 2016 · 669474c · 669474c
1 parent 0cceea1
commit 669474c
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/src/config/api-server/tests/test_perms2.py b/src/config/api-server/tests/test_perms2.py
@@ -1041,6 +1041,37 @@ def test_shared_network(self):
         vn = vnc_read_obj(self.admin.vnc_lib, 'virtual-network', name = vn_fq_name)
         self.assertEquals(vn.get_is_shared(), False)
 
+    # check owner of internally created ri is cloud-admin (bug #1528796)
+    def test_ri_owner(self):
+        """
+        1) Create a virtual network as a non-admin user.
+        2) Verify owner of automatically created routing instance is cloud-admin
+        """
+
+        alice = self.alice
+        bob   = self.bob
+        admin = self.admin
+
+        # allow permission to create virtual-network
+        for user in self.users:
+            logger.info( "%s: project %s to allow full access to role %s" % \
+                (user.name, user.project, user.role))
+            # note that collection API is set for create operation
+            vnc_fix_api_access_list(self.admin.vnc_lib, user.project_obj,
+                rule_str = 'virtual-networks %s:CRUD' % user.role)
+
+        # Create VN as non-admin user
+        vn_fq_name = [self.domain_name, alice.project, self.vn_name]
+        vn = VirtualNetwork(self.vn_name, self.alice.project_obj)
+        self.alice.vnc_lib.virtual_network_create(vn)
+        vn_obj = vnc_read_obj(self.admin.vnc_lib, 'virtual-network', name = vn_fq_name)
+        self.assertNotEquals(vn_obj, None)
+
+        # Verify owner of automatically created routing instance is cloud-admin
+        ri_name = [self.domain_name, alice.project, self.vn_name, self.vn_name]
+        ri = vnc_read_obj(self.admin.vnc_lib, 'routing-instance', name = ri_name)
+        self.assertEquals(ri.get_perms2().owner, 'cloud-admin')
+
     def tearDown(self):
         super(TestPermissions, self).tearDown()
     # end tearDown
diff --git a/src/config/api-server/vnc_cfg_api_server.py b/src/config/api-server/vnc_cfg_api_server.py
@@ -2609,6 +2609,12 @@ def _ensure_perms2_present(self, obj_type, obj_uuid, obj_dict,
         # retrieve object and permissions
         perms2 = self._get_default_perms2()
 
+        # set ownership of object to creator tenant
+        if obj_type == 'project' and 'uuid' in obj_dict:
+            perms2['owner'] = str(obj_dict['uuid']).replace('-','')
+        elif project_id:
+            perms2['owner'] = project_id
+
         # set ownership of object to creator tenant
         if obj_type == 'project' and 'uuid' in obj_dict:
             perms2['owner'] = str(obj_dict['uuid']).replace('-','')