stackhpc
diff --git a/‎neutron/conf/policies/base.py‎
Lines changed: 1 addition & 0 deletions b/‎neutron/conf/policies/base.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎neutron/conf/policies/port.py‎
Lines changed: 1 addition & 18 deletions b/‎neutron/conf/policies/port.py‎
Lines changed: 1 addition & 18 deletions
diff --git a/‎neutron/plugins/ml2/extensions/dns_integration.py‎
Lines changed: 20 additions & 7 deletions b/‎neutron/plugins/ml2/extensions/dns_integration.py‎
Lines changed: 20 additions & 7 deletions
diff --git a/‎neutron/services/ovn_l3/plugin.py‎
Lines changed: 10 additions & 8 deletions b/‎neutron/services/ovn_l3/plugin.py‎
Lines changed: 10 additions & 8 deletions
diff --git a/‎neutron/services/portforwarding/pf_plugin.py‎
Lines changed: 2 additions & 2 deletions b/‎neutron/services/portforwarding/pf_plugin.py‎
Lines changed: 2 additions & 2 deletions
@@ -76,6 +76,7 @@
 # related to the "network owner" and network isn't really parent of the subnet
 # or port. Because of that, using parent owner in those cases may be
 # missleading for users so it's better to keep also "network owner" rules.
+NET_OWNER_MANAGER = 'role:manager and ' + RULE_NET_OWNER
 NET_OWNER_MEMBER = 'role:member and ' + RULE_NET_OWNER
 NET_OWNER_READER = 'role:reader and ' + RULE_NET_OWNER
 ADMIN_OR_NET_OWNER_MEMBER = (
 
@@ -100,7 +100,6 @@
         check_str=neutron_policy.policy_or(
             'not rule:network_device',
             base.ADMIN_OR_SERVICE,
-            base.PROJECT_MANAGER,
             base.NET_OWNER_MEMBER
         ),
         scope_types=['project'],
@@ -119,7 +118,6 @@
         name='create_port:mac_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_SERVICE,
-            base.PROJECT_MANAGER,
             base.NET_OWNER_MEMBER),
         scope_types=['project'],
         description='Specify ``mac_address`` attribute when creating a port',
@@ -136,7 +134,6 @@
         name='create_port:fixed_ips',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_SERVICE,
-            base.PROJECT_MANAGER,
             base.NET_OWNER_MEMBER,
             'rule:shared'),
         scope_types=['project'],
@@ -155,7 +152,6 @@
         name='create_port:fixed_ips:ip_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_SERVICE,
-            base.PROJECT_MANAGER,
             base.NET_OWNER_MEMBER),
         scope_types=['project'],
         description='Specify IP address in ``fixed_ips`` when creating a port',
@@ -172,7 +168,6 @@
         name='create_port:fixed_ips:subnet_id',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_SERVICE,
-            base.PROJECT_MANAGER,
             base.NET_OWNER_MEMBER,
             'rule:shared'),
         scope_types=['project'],
@@ -191,7 +186,6 @@
         name='create_port:port_security_enabled',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_SERVICE,
-            base.PROJECT_MANAGER,
             base.NET_OWNER_MEMBER),
         scope_types=['project'],
         description=(
@@ -258,7 +252,6 @@
         name='create_port:allowed_address_pairs',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER,
             base.SERVICE),
         scope_types=['project'],
         description=(
@@ -276,7 +269,6 @@
         name='create_port:allowed_address_pairs:mac_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER,
             base.SERVICE),
         scope_types=['project'],
         description=(
@@ -294,7 +286,6 @@
         name='create_port:allowed_address_pairs:ip_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER,
             base.SERVICE),
         scope_types=['project'],
         description=(
@@ -496,7 +487,6 @@
         check_str=neutron_policy.policy_or(
             'not rule:network_device',
             base.ADMIN_OR_SERVICE,
-            base.PROJECT_MANAGER,
             base.NET_OWNER_MEMBER,
         ),
         scope_types=['project'],
@@ -515,7 +505,7 @@
         name='update_port:mac_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_SERVICE,
-            base.PROJECT_MANAGER
+            base.NET_OWNER_MANAGER,
         ),
         scope_types=['project'],
         description='Update ``mac_address`` attribute of a port',
@@ -532,7 +522,6 @@
         name='update_port:fixed_ips',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_SERVICE,
-            base.PROJECT_MANAGER,
             base.NET_OWNER_MEMBER
         ),
         scope_types=['project'],
@@ -550,7 +539,6 @@
         name='update_port:fixed_ips:ip_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_SERVICE,
-            base.PROJECT_MANAGER,
             base.NET_OWNER_MEMBER
         ),
         scope_types=['project'],
@@ -571,7 +559,6 @@
         name='update_port:fixed_ips:subnet_id',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_SERVICE,
-            base.PROJECT_MANAGER,
             base.NET_OWNER_MEMBER,
             'rule:shared'
         ),
@@ -594,7 +581,6 @@
         name='update_port:port_security_enabled',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_SERVICE,
-            base.PROJECT_MANAGER,
             base.NET_OWNER_MEMBER
         ),
         scope_types=['project'],
@@ -653,7 +639,6 @@
         name='update_port:allowed_address_pairs',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER,
             base.SERVICE),
         scope_types=['project'],
         description='Update ``allowed_address_pairs`` attribute of a port',
@@ -668,7 +653,6 @@
         name='update_port:allowed_address_pairs:mac_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER,
             base.SERVICE),
         scope_types=['project'],
         description=(
@@ -686,7 +670,6 @@
         name='update_port:allowed_address_pairs:ip_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER,
             base.SERVICE),
         scope_types=['project'],
         description=(
 
@@ -23,7 +23,6 @@
 from neutron_lib.exceptions import dns as dns_exc
 from neutron_lib.plugins import directory
 from neutron_lib.plugins.ml2 import api
-from neutron_lib.plugins import utils as plugin_utils
 from oslo_config import cfg
 from oslo_log import log as logging
 
@@ -349,9 +348,23 @@ def _get_details(self, context, network_id):
 
 class DNSExtensionDriverML2(DNSExtensionDriver):
 
+    def __init__(self):
+        super().__init__()
+        self._vlan_driver = None
+        self._plugin = None
+
     def initialize(self):
         LOG.info("DNSExtensionDriverML2 initialization complete")
 
+    @property
+    def vlan_driver(self):
+        if not self._vlan_driver:
+            if not self._plugin:
+                self._plugin = directory.get_plugin()
+            self._vlan_driver = self._plugin.type_manager.drivers.get(
+                lib_const.TYPE_VLAN)
+        return self._vlan_driver
+
     def _is_tunnel_project_network(self, provider_net):
         if provider_net['network_type'] == lib_const.TYPE_GENEVE:
             tunnel_ranges = cfg.CONF.ml2_type_geneve.vni_ranges
@@ -369,15 +382,15 @@ def _is_tunnel_project_network(self, provider_net):
             return int(tun_min) <= segmentation_id <= int(tun_max)
 
     def _is_vlan_project_network(self, provider_net):
-        network_vlan_ranges = plugin_utils.parse_network_vlan_ranges(
-            cfg.CONF.ml2_type_vlan.network_vlan_ranges)
-        vlan_ranges = network_vlan_ranges[provider_net['physical_network']]
+        if not self.vlan_driver:
+            return False
+        network_vlan_ranges = self.vlan_driver.obj.get_network_segment_ranges()
+        vlan_ranges = network_vlan_ranges.get(provider_net['physical_network'])
         if not vlan_ranges:
             return False
         segmentation_id = int(provider_net['segmentation_id'])
-        for vlan_range in vlan_ranges:
-            if vlan_range[0] <= segmentation_id <= vlan_range[1]:
-                return True
+        return any(vlan_range[0] <= segmentation_id <= vlan_range[1]
+                   for vlan_range in vlan_ranges)
 
     def external_dns_not_needed(self, context, network, subnets):
         dns_driver = _get_dns_driver()
 
@@ -183,18 +183,20 @@ def subscribe(self):
                            cancellable=True)
 
     def _post_fork_initialize(self, resource, event, trigger, payload=None):
+        # TODO(ralonsoh): once [1] is released and required in Neutron, it
+        # won't be needed the ``get_method_class`` method.
+        # [1] https://review.opendev.org/c/openstack/neutron-lib/+/988563
+        if utils.get_method_class(trigger) != wsgi.WorkerService:
+            return
+
         if not self._nb_ovn or not self._sb_ovn:
             raise ovn_l3_exc.MechanismDriverOVNNotReady()
 
         # Register needed events, only for the Neutron API workers.
-        # TODO(ralonsoh): once [1] is released and required in Neutron, it
-        # won't be needed the ``get_method_class`` method.
-        # [1] https://review.opendev.org/c/openstack/neutron-lib/+/988563
-        if utils.get_method_class(trigger) == wsgi.WorkerService:
-            self._nb_ovn.idl.notify_handler.watch_events([
-                ovsdb_monitor.LogicalRouterPortEvent(self),
-                ovsdb_monitor.LogicalRouterPortGatewayChassisEvent(self),
-            ])
+        self._nb_ovn.idl.notify_handler.watch_events([
+            ovsdb_monitor.LogicalRouterPortEvent(self),
+            ovsdb_monitor.LogicalRouterPortGatewayChassisEvent(self),
+        ])
 
     def _add_neutron_router_interface(self, context, router_id,
                                       interface_info):
 
@@ -416,7 +416,7 @@ def update_floatingip_port_forwarding(self, context, id, floatingip_id,
             with db_api.CONTEXT_WRITER.using(context):
                 fip_obj = self._get_fip_obj(context, floatingip_id)
                 pf_obj = pf.PortForwarding.get_object(context, id=id)
-                if not pf_obj:
+                if not pf_obj or pf_obj.floatingip_id != floatingip_id:
                     raise pf_exc.PortForwardingNotFound(id=id)
                 original_pf_obj = copy.deepcopy(pf_obj)
                 ori_internal_port_id = pf_obj.internal_port_id
@@ -670,7 +670,7 @@ def get_floatingip_port_forwarding(self, context, id, floatingip_id,
                                        fields=None):
         self._get_fip_obj(context, floatingip_id)
         obj = pf.PortForwarding.get_object(context, id=id)
-        if not obj:
+        if not obj or obj.floatingip_id != floatingip_id:
             raise pf_exc.PortForwardingNotFound(id=id)
         return obj