Merge pull request #291 from stackhpc/upstream/2025.1-2026-06-08

Synchronise 2025.1 with upstream

Author: priteau

neutron/conf/policies/network_ip_availability.py

@@ -24,7 +24,7 @@
 rules = [
     policy.DocumentedRuleDefault(
         name='get_network_ip_availability',
-        check_str=base.ADMIN,
+        check_str=base.ADMIN_OR_SERVICE,
         scope_types=['project'],
         description='Get network IP availability',
         operations=[

neutron/conf/policies/port.py

@@ -81,6 +81,20 @@
             deprecated_reason=DEPRECATED_REASON,
             deprecated_since=versionutils.deprecated.WALLABY)
     ),
+    policy.DocumentedRuleDefault(
+        name='create_port:device_id',
+        check_str=neutron_policy.policy_or(
+            base.ADMIN_OR_PROJECT_MEMBER,
+            base.SERVICE),
+        scope_types=['project'],
+        description='Specify ``device_id`` attribute when creating a port',
+        operations=ACTION_POST,
+        deprecated_rule=policy.DeprecatedRule(
+            name='create_port:device_id',
+            check_str=neutron_policy.RULE_ANY,
+            deprecated_reason=DEPRECATED_REASON,
+            deprecated_since=versionutils.deprecated.WALLABY)
+    ),
     policy.DocumentedRuleDefault(
         name='create_port:device_owner',
         check_str=neutron_policy.policy_or(
@@ -244,7 +258,8 @@
         name='create_port:allowed_address_pairs',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Specify ``allowed_address_pairs`` '
@@ -261,7 +276,8 @@
         name='create_port:allowed_address_pairs:mac_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Specify ``mac_address` of `allowed_address_pairs`` '
@@ -278,7 +294,8 @@
         name='create_port:allowed_address_pairs:ip_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Specify ``ip_address`` of ``allowed_address_pairs`` '
@@ -460,6 +477,20 @@
             deprecated_reason=DEPRECATED_REASON,
             deprecated_since=versionutils.deprecated.WALLABY)
     ),
+    policy.DocumentedRuleDefault(
+        name='update_port:device_id',
+        check_str=neutron_policy.policy_or(
+            base.ADMIN_OR_PROJECT_MEMBER,
+            base.SERVICE),
+        scope_types=['project'],
+        description='Update ``device_id`` attribute of a port',
+        operations=ACTION_PUT,
+        deprecated_rule=policy.DeprecatedRule(
+            name='update_port:device_id',
+            check_str=neutron_policy.RULE_ANY,
+            deprecated_reason=DEPRECATED_REASON,
+            deprecated_since=versionutils.deprecated.WALLABY)
+    ),
     policy.DocumentedRuleDefault(
         name='update_port:device_owner',
         check_str=neutron_policy.policy_or(
@@ -622,7 +653,8 @@
         name='update_port:allowed_address_pairs',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description='Update ``allowed_address_pairs`` attribute of a port',
         operations=ACTION_PUT,
@@ -636,7 +668,8 @@
         name='update_port:allowed_address_pairs:mac_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Update ``mac_address`` of ``allowed_address_pairs`` '
@@ -653,7 +686,8 @@
         name='update_port:allowed_address_pairs:ip_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Update ``ip_address`` of ``allowed_address_pairs`` '

neutron/conf/policies/subnet.py

@@ -126,6 +126,7 @@
             'rule:shared',
             'rule:external_network',
             base.ADMIN_OR_NET_OWNER_READER,
+            base.SERVICE,
         ),
         scope_types=['project'],
         description='Get a subnet',

neutron/plugins/ml2/extensions/dns_integration.py

@@ -351,35 +351,42 @@ class DNSExtensionDriverML2(DNSExtensionDriver):
     def __init__(self):
         super().__init__()
         self._vlan_driver = None
+        self._tunnel_drivers = {}
         self._plugin = None
 
     def initialize(self):
         LOG.info("DNSExtensionDriverML2 initialization complete")
 
+    @property
+    def plugin(self):
+        if not self._plugin:
+            self._plugin = directory.get_plugin()
+        return self._plugin
+
     @property
     def vlan_driver(self):
         if not self._vlan_driver:
-            if not self._plugin:
-                self._plugin = directory.get_plugin()
-            self._vlan_driver = self._plugin.type_manager.drivers.get(
+            self._vlan_driver = self.plugin.type_manager.drivers.get(
                 lib_const.TYPE_VLAN)
         return self._vlan_driver
 
-    def _is_tunnel_tenant_network(self, provider_net):
-        if provider_net['network_type'] == lib_const.TYPE_GENEVE:
-            tunnel_ranges = cfg.CONF.ml2_type_geneve.vni_ranges
-        elif provider_net['network_type'] == lib_const.TYPE_VXLAN:
-            tunnel_ranges = cfg.CONF.ml2_type_vxlan.vni_ranges
-        else:
-            tunnel_ranges = cfg.CONF.ml2_type_gre.tunnel_id_ranges
+    def get_tunnel_driver(self, network_type):
+        if network_type not in self._tunnel_drivers:
+            self._tunnel_drivers[network_type] = (
+                self.plugin.type_manager.drivers.get(network_type))
+        return self._tunnel_drivers[network_type]
 
+    def _is_tunnel_project_network(self, provider_net):
+        network_type = provider_net['network_type']
+        tunnel_driver = self.get_tunnel_driver(network_type)
+        if not tunnel_driver:
+            return False
+        tunnel_ranges = tunnel_driver.obj.get_network_segment_ranges()
+        if not tunnel_ranges:
+            return False
         segmentation_id = int(provider_net['segmentation_id'])
-        for entry in tunnel_ranges:
-            entry = entry.strip()
-            tun_min, tun_max = entry.split(':')
-            tun_min = tun_min.strip()
-            tun_max = tun_max.strip()
-            return int(tun_min) <= segmentation_id <= int(tun_max)
+        return any(tun_min <= segmentation_id <= tun_max
+                   for tun_min, tun_max in tunnel_ranges)
 
     def _is_vlan_tenant_network(self, provider_net):
         if not self.vlan_driver:
@@ -414,7 +421,7 @@ def external_dns_not_needed(self, context, network, subnets):
         if provider_net['network_type'] in [
                 lib_const.TYPE_GRE, lib_const.TYPE_VXLAN,
                 lib_const.TYPE_GENEVE]:
-            return self._is_tunnel_tenant_network(provider_net)
+            return self._is_tunnel_project_network(provider_net)
         return True
 
 

neutron/tests/unit/conf/policies/test_network_ip_availability.py

@@ -99,7 +99,7 @@ def setUp(self):
         self.context = self.service_ctx
 
     def test_get_network_ip_availability(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'get_network_ip_availability', self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'get_network_ip_availability',
+                self.target))