NSX-v3 disable psec per port
The current impl of NSX v3 port security does not remove the spoofguard profile from the respective NSX port when port security is disabled from neutron. In addition the address pairs are removed upon port security disablement. Unit tests are also included. backport: liberty Change-Id: Iad716b19a9a9439be0f372ef35f33d9c4ec39600 Closes-Bug: #1543694
This commit is contained in:
parent
deef820935
commit
4a95ba95f8
@ -88,6 +88,9 @@ class SwitchingProfile(AbstractRESTResource):
|
|||||||
def uri_segment(self):
|
def uri_segment(self):
|
||||||
return 'switching-profiles'
|
return 'switching-profiles'
|
||||||
|
|
||||||
|
def list(self):
|
||||||
|
return self._client.url_get('?include_system_owned=True')
|
||||||
|
|
||||||
def create(self, profile_type, display_name=None,
|
def create(self, profile_type, display_name=None,
|
||||||
description=None, **api_args):
|
description=None, **api_args):
|
||||||
body = {
|
body = {
|
||||||
@ -202,6 +205,9 @@ class LogicalPort(AbstractRESTResource):
|
|||||||
address_classifier['vlan'] = int(binding.vlan)
|
address_classifier['vlan'] = int(binding.vlan)
|
||||||
bindings.append(address_classifier)
|
bindings.append(address_classifier)
|
||||||
body['address_bindings'] = bindings
|
body['address_bindings'] = bindings
|
||||||
|
elif address_bindings == []:
|
||||||
|
# explicitly clear out address bindings
|
||||||
|
body['address_bindings'] = []
|
||||||
|
|
||||||
if switch_profile_ids:
|
if switch_profile_ids:
|
||||||
profiles = []
|
profiles = []
|
||||||
|
@ -78,6 +78,7 @@ from vmware_nsx.nsxlib.v3 import security
|
|||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
NSX_V3_PSEC_PROFILE_NAME = 'neutron_port_spoof_guard_profile'
|
NSX_V3_PSEC_PROFILE_NAME = 'neutron_port_spoof_guard_profile'
|
||||||
|
NSX_V3_NO_PSEC_PROFILE_NAME = 'nsx-default-spoof-guard-vif-profile'
|
||||||
NSX_V3_DHCP_PROFILE_NAME = 'neutron_port_dhcp_profile'
|
NSX_V3_DHCP_PROFILE_NAME = 'neutron_port_dhcp_profile'
|
||||||
|
|
||||||
|
|
||||||
@ -149,6 +150,11 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
|
|||||||
msg = _("Unable to initialize NSX v3 port spoofguard "
|
msg = _("Unable to initialize NSX v3 port spoofguard "
|
||||||
"switching profile: %s") % NSX_V3_PSEC_PROFILE_NAME
|
"switching profile: %s") % NSX_V3_PSEC_PROFILE_NAME
|
||||||
raise nsx_exc.NsxPluginException(msg)
|
raise nsx_exc.NsxPluginException(msg)
|
||||||
|
profiles = nsx_resources.SwitchingProfile
|
||||||
|
self._no_psec_profile_id = profiles.build_switch_profile_ids(
|
||||||
|
self._switching_profiles,
|
||||||
|
self._switching_profiles.find_by_display_name(
|
||||||
|
NSX_V3_NO_PSEC_PROFILE_NAME)[0])[0]
|
||||||
LOG.debug("Initializing NSX v3 DHCP switching profile")
|
LOG.debug("Initializing NSX v3 DHCP switching profile")
|
||||||
self._dhcp_profile = None
|
self._dhcp_profile = None
|
||||||
self._dhcp_profile = self._init_dhcp_switching_profile()
|
self._dhcp_profile = self._init_dhcp_switching_profile()
|
||||||
@ -651,7 +657,8 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
|
|||||||
|
|
||||||
parent_name, tag = self._get_data_from_binding_profile(
|
parent_name, tag = self._get_data_from_binding_profile(
|
||||||
context, port_data)
|
context, port_data)
|
||||||
address_bindings = self._build_address_bindings(port_data)
|
address_bindings = (self._build_address_bindings(port_data)
|
||||||
|
if psec_is_on else [])
|
||||||
vif_uuid = port_data['id']
|
vif_uuid = port_data['id']
|
||||||
attachment_type = nsx_constants.ATTACHMENT_VIF
|
attachment_type = nsx_constants.ATTACHMENT_VIF
|
||||||
if not device_owner or device_owner == l3_db.DEVICE_OWNER_ROUTER_INTF:
|
if not device_owner or device_owner == l3_db.DEVICE_OWNER_ROUTER_INTF:
|
||||||
@ -1000,6 +1007,9 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
|
|||||||
address_bindings = self._build_address_bindings(updated_port)
|
address_bindings = self._build_address_bindings(updated_port)
|
||||||
if port_security and address_bindings:
|
if port_security and address_bindings:
|
||||||
switch_profile_ids = [self._get_port_security_profile_id()]
|
switch_profile_ids = [self._get_port_security_profile_id()]
|
||||||
|
else:
|
||||||
|
switch_profile_ids = [self._no_psec_profile_id]
|
||||||
|
address_bindings = []
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self._update_port_on_backend(context, nsx_lport_id,
|
self._update_port_on_backend(context, nsx_lport_id,
|
||||||
|
@ -94,11 +94,6 @@ class NsxV3PluginTestCaseMixin(test_plugin.NeutronDbPluginV2TestCase,
|
|||||||
_patch_object(nsx_plugin, 'nsx_client', new=mock_client_module)
|
_patch_object(nsx_plugin, 'nsx_client', new=mock_client_module)
|
||||||
_patch_object(nsx_plugin, 'nsx_cluster', new=mock_cluster_module)
|
_patch_object(nsx_plugin, 'nsx_cluster', new=mock_cluster_module)
|
||||||
|
|
||||||
super(NsxV3PluginTestCaseMixin, self).setUp(plugin=plugin,
|
|
||||||
ext_mgr=ext_mgr)
|
|
||||||
|
|
||||||
self.maxDiff = None
|
|
||||||
|
|
||||||
# populate pre-existing mock resources
|
# populate pre-existing mock resources
|
||||||
cluster_id = uuidutils.generate_uuid()
|
cluster_id = uuidutils.generate_uuid()
|
||||||
self.mock_api.post(
|
self.mock_api.post(
|
||||||
@ -120,6 +115,18 @@ class NsxV3PluginTestCaseMixin(test_plugin.NeutronDbPluginV2TestCase,
|
|||||||
]}),
|
]}),
|
||||||
headers=nsx_client.JSONRESTClient._DEFAULT_HEADERS)
|
headers=nsx_client.JSONRESTClient._DEFAULT_HEADERS)
|
||||||
|
|
||||||
|
self.mock_api.post(
|
||||||
|
'api/v1/switching-profiles',
|
||||||
|
data=jsonutils.dumps({
|
||||||
|
'id': uuidutils.generate_uuid(),
|
||||||
|
'display_name': nsx_plugin.NSX_V3_NO_PSEC_PROFILE_NAME
|
||||||
|
}), headers=nsx_client.JSONRESTClient._DEFAULT_HEADERS)
|
||||||
|
|
||||||
|
super(NsxV3PluginTestCaseMixin, self).setUp(plugin=plugin,
|
||||||
|
ext_mgr=ext_mgr)
|
||||||
|
|
||||||
|
self.maxDiff = None
|
||||||
|
|
||||||
def tearDown(self):
|
def tearDown(self):
|
||||||
for patcher in self._patchers:
|
for patcher in self._patchers:
|
||||||
patcher.stop()
|
patcher.stop()
|
||||||
|
@ -13,6 +13,8 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
#
|
#
|
||||||
|
import copy
|
||||||
|
|
||||||
import mock
|
import mock
|
||||||
|
|
||||||
from oslo_serialization import jsonutils
|
from oslo_serialization import jsonutils
|
||||||
@ -184,6 +186,15 @@ class TestSwitchingProfileTestCase(nsxlib_testcase.NsxClientTestCase):
|
|||||||
self.assertEqual(resp_resources['results'],
|
self.assertEqual(resp_resources['results'],
|
||||||
mocked_resource.find_by_display_name('resource-1'))
|
mocked_resource.find_by_display_name('resource-1'))
|
||||||
|
|
||||||
|
def test_list_all_profiles(self):
|
||||||
|
mocked_resource = self._mocked_switching_profile()
|
||||||
|
mocked_resource.list()
|
||||||
|
test_client.assert_json_call(
|
||||||
|
'get', mocked_resource,
|
||||||
|
'https://1.2.3.4/api/v1/switching-profiles/'
|
||||||
|
'?include_system_owned=True',
|
||||||
|
data=None)
|
||||||
|
|
||||||
|
|
||||||
class LogicalPortTestCase(nsxlib_testcase.NsxClientTestCase):
|
class LogicalPortTestCase(nsxlib_testcase.NsxClientTestCase):
|
||||||
|
|
||||||
@ -272,6 +283,24 @@ class LogicalPortTestCase(nsxlib_testcase.NsxClientTestCase):
|
|||||||
'delete', mocked_resource,
|
'delete', mocked_resource,
|
||||||
'https://1.2.3.4/api/v1/logical-ports/%s?detach=true' % uuid)
|
'https://1.2.3.4/api/v1/logical-ports/%s?detach=true' % uuid)
|
||||||
|
|
||||||
|
def test_clear_port_bindings(self):
|
||||||
|
fake_port = copy.copy(test_constants_v3.FAKE_PORT)
|
||||||
|
fake_port['address_bindings'] = ['a', 'b']
|
||||||
|
mocked_resource = self._mocked_lport()
|
||||||
|
|
||||||
|
def get_fake_port(*args):
|
||||||
|
return fake_port
|
||||||
|
|
||||||
|
mocked_resource.get = get_fake_port
|
||||||
|
mocked_resource.update(
|
||||||
|
fake_port['id'], fake_port['id'], address_bindings=[])
|
||||||
|
|
||||||
|
fake_port['address_bindings'] = []
|
||||||
|
test_client.assert_json_call(
|
||||||
|
'put', mocked_resource,
|
||||||
|
'https://1.2.3.4/api/v1/logical-ports/%s' % fake_port['id'],
|
||||||
|
data=jsonutils.dumps(fake_port, sort_keys=True))
|
||||||
|
|
||||||
|
|
||||||
class LogicalRouterTestCase(nsxlib_testcase.NsxClientTestCase):
|
class LogicalRouterTestCase(nsxlib_testcase.NsxClientTestCase):
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user