rbacs: filter out model that are already owned by context

sahid · slawqo · commit 271bb48936ef · 2024-08-09T15:15:12.000+02:00
Taking example of a network that have multiple rbacs. In a situation of selecting networks that are shared to a project. If we could could already match the one that are owned by the context we can expect les rbacs to scan. https://bugs.launchpad.net/neutron/+bug/1918145/comments/54 In an environement with about 200 00 rbacs and 200 networks this reduce time of the request from more than 50s to less than a second. Related-bug: #1918145 Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com> Change-Id: I54808cbd4cdccfee97eb59053418f55ba57e11a6 Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com> Change-Id: Ib155fbb3f6b325d10e3fbea201677dc218111c17 (cherry picked from commit e6de524)
diff --git a/neutron/db/external_net_db.py b/neutron/db/external_net_db.py
@@ -51,6 +51,8 @@ def _network_filter_hook(context, original_model, conditions):
             (rbac_model.target_project == context.tenant_id) |
             (rbac_model.target_project == '*'))
         conditions = expr.or_(tenant_allowed, *conditions)
+        conditions = expr.or_(original_model.tenant_id == context.tenant_id,
+                              *conditions)
     return conditions
 
 
diff --git a/neutron/tests/unit/extensions/test_external_net.py b/neutron/tests/unit/extensions/test_external_net.py
@@ -142,15 +142,17 @@ def test_network_filter_hook_admin_context(self):
     def test_network_filter_hook_nonadmin_context(self):
         ctx = context.Context('edinson', 'cavani')
         model = models_v2.Network
-        txt = ("networkrbacs.action = :action_1 AND "
+        txt = ("networks.project_id = :project_id_1 OR "
+               "networkrbacs.action = :action_1 AND "
                "networkrbacs.target_project = :target_project_1 OR "
                "networkrbacs.target_project = :target_project_2")
         conditions = external_net_db._network_filter_hook(ctx, model, [])
         self.assertEqual(conditions.__str__(), txt)
         # Try to concatenate conditions
         txt2 = (txt.replace('project_1', 'project_3').
                 replace('project_2', 'project_4').
-                replace('action_1', 'action_2'))
+                replace('action_1', 'action_2').
+                replace('project_id_1', 'project_id_2'))
         conditions = external_net_db._network_filter_hook(ctx, model,
                                                           conditions)
         self.assertEqual(conditions.__str__(), "%s OR %s" % (txt, txt2))
