From 4530377c6024b188d57efee91dd4cc3feadef6af Mon Sep 17 00:00:00 2001 From: Adit Sarfaty Date: Thu, 18 Jan 2018 13:28:53 +0200 Subject: [PATCH] TVD: FWaaS plugins Adding FWaaS v1/v2 plugins to be used with the TVD core plugin. The plugins will make sure to separate the v/t returned lists using the same solution that was introduced for the LBass, now as a general class decorator. Change-Id: I5f01b8cf093d5ef3b340dce2d12fc41031dd12e9 --- doc/source/devstack.rst | 13 +++- setup.cfg | 4 +- vmware_nsx/plugins/nsx/utils.py | 42 ++++++++++++ vmware_nsx/services/fwaas/nsx_tv/plugin_v1.py | 29 ++++++++ vmware_nsx/services/fwaas/nsx_tv/plugin_v2.py | 29 ++++++++ vmware_nsx/services/lbaas/nsx/plugin.py | 67 ++++--------------- 6 files changed, 126 insertions(+), 58 deletions(-) create mode 100644 vmware_nsx/services/fwaas/nsx_tv/plugin_v1.py create mode 100644 vmware_nsx/services/fwaas/nsx_tv/plugin_v2.py diff --git a/doc/source/devstack.rst b/doc/source/devstack.rst index a54b5ddc3c..b119a83340 100644 --- a/doc/source/devstack.rst +++ b/doc/source/devstack.rst @@ -232,12 +232,17 @@ Add lbaas repo as an external repository and configure following flags in ``loca [[local]|[localrc]] enable_plugin neutron-lbaas https://git.openstack.org/openstack/neutron-lbaas enable_service q-lbaasv2 + Q_SERVICE_PLUGIN_CLASSES=vmware_nsxtvd_lbaasv2 Configure the service provider:: [[post-config|$NEUTRON_LBAAS_CONF]] [service_providers] service_provider = LOADBALANCERV2:VMWareEdge:neutron_lbaas.drivers.vmware.edge_driver_v2.EdgeLoadBalancerDriverV2:default + [[post-config|$NEUTRON_CONF]] + [DEFAULT] + api_extensions_path = $DEST/neutron-lbaas/neutron_lbaas/extensions + FWaaS (V1) Driver: ~~~~~~~~~~~~~ @@ -246,12 +251,14 @@ Add neutron-fwaas repo as an external repository and configure following flags i [[local|localrc]] enable_plugin neutron-fwaas https://git.openstack.org/openstack/neutron-fwaas ENABLED_SERVICES+=,q-fwaas - Q_SERVICE_PLUGIN_CLASSES=neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin + Q_SERVICE_PLUGIN_CLASSES=vmware_nsxtvd_fwaasv1 [[post-config|$NEUTRON_CONF]] [fwaas] enabled = True driver = vmware_nsxtvd_edge_v1 + [DEFAULT] + api_extensions_path = $DEST/neutron-fwaas/neutron_fwaas/extensions FWaaS (V2) Driver @@ -262,12 +269,14 @@ Add neutron-fwaas repo as an external repository and configure following flags i [[local|localrc]] enable_plugin neutron-fwaas https://git.openstack.org/openstack/neutron-fwaas ENABLED_SERVICES+=,q-fwaas-v2 - Q_SERVICE_PLUGIN_CLASSES=neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 + Q_SERVICE_PLUGIN_CLASSES=vmware_nsxtvd_fwaasv2 [[post-config|$NEUTRON_CONF]] [fwaas] enabled = True driver = vmware_nsxtvd_edge_v2 + [DEFAULT] + api_extensions_path = $DEST/neutron-fwaas/neutron_fwaas/extensions L2GW Driver ~~~~~~~~~~~ diff --git a/setup.cfg b/setup.cfg index ba5bcbcdf9..8d5322c101 100644 --- a/setup.cfg +++ b/setup.cfg @@ -43,7 +43,9 @@ firewall_drivers = vmware_nsxtvd_edge_v2 = vmware_nsx.services.fwaas.nsx_tv.edge_fwaas_driver_v2:EdgeFwaasTVDriverV2 neutron.service_plugins = vmware_nsxv_qos = vmware_nsx.services.qos.nsx_v.plugin:NsxVQosPlugin - vmware_nsxtvd_lbaasv2 = vmware_nsx.services.lbaas.nsx.plugin:LoadBalancerTVDPluginv2 + vmware_nsxtvd_lbaasv2 = vmware_nsx.services.lbaas.nsx.plugin:LoadBalancerTVPluginV2 + vmware_nsxtvd_fwaasv1 = vmware_nsx.services.fwaas.nsx_tv.plugin_v1:FwaasTVPluginV1 + vmware_nsxtvd_fwaasv2 = vmware_nsx.services.fwaas.nsx_tv.plugin_v2:FwaasTVPluginV2 neutron.qos.notification_drivers = vmware_nsxv3_message_queue = vmware_nsx.services.qos.nsx_v3.message_queue:NsxV3QosNotificationDriver neutron.ipam_drivers = diff --git a/vmware_nsx/plugins/nsx/utils.py b/vmware_nsx/plugins/nsx/utils.py index a422692a31..3392385c60 100644 --- a/vmware_nsx/plugins/nsx/utils.py +++ b/vmware_nsx/plugins/nsx/utils.py @@ -16,8 +16,11 @@ from oslo_config import cfg from neutron_lib import context as n_context +from neutron_lib import exceptions from neutron_lib.plugins import directory +from vmware_nsx.db import db as nsx_db + def is_tvd_core_plugin(): core_plugin = cfg.CONF.core_plugin @@ -36,3 +39,42 @@ def get_tvd_plugin_type_for_project(project_id, context=None): context = n_context.get_admin_context() core_plugin = directory.get_plugin() return core_plugin.get_plugin_type_from_project(context, project_id) + + +def filter_plugins(cls): + """ + Class decorator to separate the results of each of the given methods + by plugin + """ + def get_project_mapping(context, project_id): + """Return the plugin associated with this project""" + mapping = nsx_db.get_project_plugin_mapping( + context.session, project_id) + if mapping: + return mapping['plugin'] + else: + raise exceptions.ObjectNotFound(id=project_id) + + def add_separate_plugin_hook(name): + orig_method = getattr(cls, name, None) + + def filter_results_by_plugin(self, context, filters=None, fields=None): + """Run the original get-list method, and filter the results + by the project id of the context + """ + req_p = get_project_mapping(context, context.project_id) + entries = orig_method(self, context, filters=filters, + fields=fields) + for entry in entries[:]: + p = get_project_mapping(context, entry['tenant_id']) + if p != req_p: + entries.remove(entry) + + return entries + + setattr(cls, name, filter_results_by_plugin) + + for method in cls.methods_to_separate: + add_separate_plugin_hook(method) + + return cls diff --git a/vmware_nsx/services/fwaas/nsx_tv/plugin_v1.py b/vmware_nsx/services/fwaas/nsx_tv/plugin_v1.py new file mode 100644 index 0000000000..bdb0463517 --- /dev/null +++ b/vmware_nsx/services/fwaas/nsx_tv/plugin_v1.py @@ -0,0 +1,29 @@ +# Copyright 2018 VMware, Inc. +# All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from neutron_fwaas.services.firewall import fwaas_plugin + +from vmware_nsx.plugins.nsx import utils as tvd_utils + + +@tvd_utils.filter_plugins +class FwaasTVPluginV1(fwaas_plugin.FirewallPlugin): + """NSX-TV plugin for Firewall As A Service - V1. + + This plugin adds separation between T/V instances + """ + methods_to_separate = ['get_firewall', + 'get_firewall_policies', + 'get_firewall_rules'] diff --git a/vmware_nsx/services/fwaas/nsx_tv/plugin_v2.py b/vmware_nsx/services/fwaas/nsx_tv/plugin_v2.py new file mode 100644 index 0000000000..9ec45d1f5e --- /dev/null +++ b/vmware_nsx/services/fwaas/nsx_tv/plugin_v2.py @@ -0,0 +1,29 @@ +# Copyright 2018 VMware, Inc. +# All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from neutron_fwaas.services.firewall import fwaas_plugin_v2 + +from vmware_nsx.plugins.nsx import utils as tvd_utils + + +@tvd_utils.filter_plugins +class FwaasTVPluginV2(fwaas_plugin_v2.FirewallPluginV2): + """NSX-TV plugin for Firewall As A Service - V2. + + This plugin adds separation between T/V instances + """ + methods_to_separate = ['get_firewall_groups', + 'get_firewall_policies', + 'get_firewall_rules'] diff --git a/vmware_nsx/services/lbaas/nsx/plugin.py b/vmware_nsx/services/lbaas/nsx/plugin.py index 4a8ad00eb1..60ac4434bb 100644 --- a/vmware_nsx/services/lbaas/nsx/plugin.py +++ b/vmware_nsx/services/lbaas/nsx/plugin.py @@ -12,63 +12,20 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. -from neutron_lib import exceptions from neutron_lbaas.services.loadbalancer import plugin -from vmware_nsx.db import db as nsx_db + +from vmware_nsx.plugins.nsx import utils as tvd_utils -class LoadBalancerTVDPluginv2(plugin.LoadBalancerPluginv2): +@tvd_utils.filter_plugins +class LoadBalancerTVPluginV2(plugin.LoadBalancerPluginv2): + """NSX-TV plugin for LBaaS V2. - def _get_project_mapping(self, context, filters): - project_id = context.project_id - if filters: - if filters.get('tenant_id'): - project_id = filters.get('tenant_id') - elif filters.get('project_id'): - project_id = filters.get('project_id') - # If multiple are requested then we revert to - # the context's project id - if isinstance(project_id, list): - project_id = context.project_id - mapping = nsx_db.get_project_plugin_mapping( - context.session, project_id) - if mapping: - return mapping['plugin'] - else: - raise exceptions.ObjectNotFound(id=project_id) - - def _filter_entries(self, method, context, filters=None, fields=None): - req_p = self._get_project_mapping(context, filters) - entries = method(context, filters=filters, fields=fields) - for entry in entries[:]: - p = self._get_project_mapping(context, - entry['tenant_id']) - if p != req_p: - entries.remove(entry) - return entries - - def get_loadbalancers(self, context, filters=None, fields=None): - return self._filter_entries( - super(LoadBalancerTVDPluginv2, self).get_loadbalancers, - context, filters=filters, fields=fields) - - def get_listeners(self, context, filters=None, fields=None): - return self._filter_entries( - super(LoadBalancerTVDPluginv2, self).get_listeners, - context, filters=filters, fields=fields) - - def get_pools(self, context, filters=None, fields=None): - return self._filter_entries( - super(LoadBalancerTVDPluginv2, self).get_pools, - context, filters=filters, fields=fields) - - def get_healthmonitors(self, context, filters=None, fields=None): - return self._filter_entries( - super(LoadBalancerTVDPluginv2, self).get_healthmonitors, - context, filters=filters, fields=fields) - - def get_l7policies(self, context, filters=None, fields=None): - return self._filter_entries( - super(LoadBalancerTVDPluginv2, self).get_l7policies, - context, filters=filters, fields=fields) + This plugin adds separation between T/V instances + """ + methods_to_separate = ['get_loadbalancers', + 'get_listeners', + 'get_pools', + 'get_healthmonitors', + 'get_l7policies']