Remove external_id and security group proxy code
This code is no longer needed since nova can now proxy these calls to quantum directly. Fixes bug 1130927 Change-Id: I62f8d7d4161f8a1308ae80029effaa46b6d661a3
This commit is contained in:
parent
cfd7f777c4
commit
578e8230db
@ -217,10 +217,6 @@ notification_topics = notifications
|
|||||||
# Each service definition should be in the following format:
|
# Each service definition should be in the following format:
|
||||||
# <service>:<plugin>[:driver]
|
# <service>:<plugin>[:driver]
|
||||||
|
|
||||||
[SECURITYGROUP]
|
|
||||||
# If set to true this allows quantum to receive proxied security group calls from nova
|
|
||||||
# proxy_mode = False
|
|
||||||
|
|
||||||
[AGENT]
|
[AGENT]
|
||||||
# Use "sudo quantum-rootwrap /etc/quantum/rootwrap.conf" to use the real
|
# Use "sudo quantum-rootwrap /etc/quantum/rootwrap.conf" to use the real
|
||||||
# root filter facility.
|
# root filter facility.
|
||||||
|
@ -54,15 +54,12 @@ def upgrade(active_plugin=None, options=None):
|
|||||||
sa.Column('id', sa.String(length=36), nullable=False),
|
sa.Column('id', sa.String(length=36), nullable=False),
|
||||||
sa.Column('name', sa.String(length=255), nullable=True),
|
sa.Column('name', sa.String(length=255), nullable=True),
|
||||||
sa.Column('description', sa.String(length=255), nullable=True),
|
sa.Column('description', sa.String(length=255), nullable=True),
|
||||||
sa.Column('external_id', sa.Integer(), nullable=True),
|
sa.PrimaryKeyConstraint('id')
|
||||||
sa.PrimaryKeyConstraint('id'),
|
|
||||||
sa.UniqueConstraint('external_id')
|
|
||||||
)
|
)
|
||||||
op.create_table(
|
op.create_table(
|
||||||
'securitygrouprules',
|
'securitygrouprules',
|
||||||
sa.Column('tenant_id', sa.String(length=255), nullable=True),
|
sa.Column('tenant_id', sa.String(length=255), nullable=True),
|
||||||
sa.Column('id', sa.String(length=36), nullable=False),
|
sa.Column('id', sa.String(length=36), nullable=False),
|
||||||
sa.Column('external_id', sa.Integer(), nullable=True),
|
|
||||||
sa.Column('security_group_id', sa.String(length=36), nullable=False),
|
sa.Column('security_group_id', sa.String(length=36), nullable=False),
|
||||||
sa.Column('source_group_id', sa.String(length=36), nullable=True),
|
sa.Column('source_group_id', sa.String(length=36), nullable=True),
|
||||||
sa.Column('direction',
|
sa.Column('direction',
|
||||||
|
@ -16,7 +16,6 @@
|
|||||||
#
|
#
|
||||||
# @author: Aaron Rosen, Nicira, Inc
|
# @author: Aaron Rosen, Nicira, Inc
|
||||||
|
|
||||||
from oslo.config import cfg
|
|
||||||
import sqlalchemy as sa
|
import sqlalchemy as sa
|
||||||
from sqlalchemy import orm
|
from sqlalchemy import orm
|
||||||
from sqlalchemy.orm import exc
|
from sqlalchemy.orm import exc
|
||||||
@ -33,7 +32,6 @@ class SecurityGroup(model_base.BASEV2, models_v2.HasId, models_v2.HasTenant):
|
|||||||
"""Represents a v2 quantum security group."""
|
"""Represents a v2 quantum security group."""
|
||||||
name = sa.Column(sa.String(255))
|
name = sa.Column(sa.String(255))
|
||||||
description = sa.Column(sa.String(255))
|
description = sa.Column(sa.String(255))
|
||||||
external_id = sa.Column(sa.Integer, unique=True)
|
|
||||||
|
|
||||||
|
|
||||||
class SecurityGroupPortBinding(model_base.BASEV2):
|
class SecurityGroupPortBinding(model_base.BASEV2):
|
||||||
@ -50,7 +48,6 @@ class SecurityGroupPortBinding(model_base.BASEV2):
|
|||||||
class SecurityGroupRule(model_base.BASEV2, models_v2.HasId,
|
class SecurityGroupRule(model_base.BASEV2, models_v2.HasId,
|
||||||
models_v2.HasTenant):
|
models_v2.HasTenant):
|
||||||
"""Represents a v2 quantum security group rule."""
|
"""Represents a v2 quantum security group rule."""
|
||||||
external_id = sa.Column(sa.Integer)
|
|
||||||
security_group_id = sa.Column(sa.String(36),
|
security_group_id = sa.Column(sa.String(36),
|
||||||
sa.ForeignKey("securitygroups.id",
|
sa.ForeignKey("securitygroups.id",
|
||||||
ondelete="CASCADE"),
|
ondelete="CASCADE"),
|
||||||
@ -93,37 +90,17 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||||||
a given tenant if it does not exist.
|
a given tenant if it does not exist.
|
||||||
"""
|
"""
|
||||||
s = security_group['security_group']
|
s = security_group['security_group']
|
||||||
if (cfg.CONF.SECURITYGROUP.proxy_mode and not context.is_admin):
|
|
||||||
raise ext_sg.SecurityGroupProxyModeNotAdmin()
|
|
||||||
if (cfg.CONF.SECURITYGROUP.proxy_mode and not s.get('external_id')):
|
|
||||||
raise ext_sg.SecurityGroupProxyMode()
|
|
||||||
if not cfg.CONF.SECURITYGROUP.proxy_mode and s.get('external_id'):
|
|
||||||
raise ext_sg.SecurityGroupNotProxyMode()
|
|
||||||
|
|
||||||
tenant_id = self._get_tenant_id_for_create(context, s)
|
tenant_id = self._get_tenant_id_for_create(context, s)
|
||||||
|
|
||||||
# if in proxy mode a default security group will be created by source
|
if not default_sg:
|
||||||
if not default_sg and not cfg.CONF.SECURITYGROUP.proxy_mode:
|
self._ensure_default_security_group(context, tenant_id)
|
||||||
self._ensure_default_security_group(context, tenant_id,
|
|
||||||
security_group)
|
|
||||||
if s.get('external_id'):
|
|
||||||
try:
|
|
||||||
# Check if security group already exists
|
|
||||||
sg = self.get_security_group(context, s.get('external_id'))
|
|
||||||
if sg:
|
|
||||||
raise ext_sg.SecurityGroupAlreadyExists(
|
|
||||||
name=sg.get('name', ''),
|
|
||||||
external_id=s.get('external_id'))
|
|
||||||
except ext_sg.SecurityGroupNotFound:
|
|
||||||
pass
|
|
||||||
|
|
||||||
with context.session.begin(subtransactions=True):
|
with context.session.begin(subtransactions=True):
|
||||||
security_group_db = SecurityGroup(id=s.get('id') or (
|
security_group_db = SecurityGroup(id=s.get('id') or (
|
||||||
uuidutils.generate_uuid()),
|
uuidutils.generate_uuid()),
|
||||||
description=s['description'],
|
description=s['description'],
|
||||||
tenant_id=tenant_id,
|
tenant_id=tenant_id,
|
||||||
name=s['name'],
|
name=s['name'])
|
||||||
external_id=s.get('external_id'))
|
|
||||||
context.session.add(security_group_db)
|
context.session.add(security_group_db)
|
||||||
if s.get('name') == 'default':
|
if s.get('name') == 'default':
|
||||||
for ethertype in ext_sg.sg_supported_ethertypes:
|
for ethertype in ext_sg.sg_supported_ethertypes:
|
||||||
@ -178,19 +155,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||||||
def _get_security_group(self, context, id):
|
def _get_security_group(self, context, id):
|
||||||
try:
|
try:
|
||||||
query = self._model_query(context, SecurityGroup)
|
query = self._model_query(context, SecurityGroup)
|
||||||
if uuidutils.is_uuid_like(id):
|
sg = query.filter(SecurityGroup.id == id).one()
|
||||||
sg = query.filter(SecurityGroup.id == id).one()
|
|
||||||
else:
|
|
||||||
sg = query.filter(SecurityGroup.external_id == id).one()
|
|
||||||
|
|
||||||
except exc.NoResultFound:
|
except exc.NoResultFound:
|
||||||
raise ext_sg.SecurityGroupNotFound(id=id)
|
raise ext_sg.SecurityGroupNotFound(id=id)
|
||||||
return sg
|
return sg
|
||||||
|
|
||||||
def delete_security_group(self, context, id):
|
def delete_security_group(self, context, id):
|
||||||
if (cfg.CONF.SECURITYGROUP.proxy_mode and not context.is_admin):
|
|
||||||
raise ext_sg.SecurityGroupProxyModeNotAdmin()
|
|
||||||
|
|
||||||
filters = {'security_group_id': [id]}
|
filters = {'security_group_id': [id]}
|
||||||
ports = self._get_port_security_group_bindings(context, filters)
|
ports = self._get_port_security_group_bindings(context, filters)
|
||||||
if ports:
|
if ports:
|
||||||
@ -208,8 +179,6 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||||||
'name': security_group['name'],
|
'name': security_group['name'],
|
||||||
'tenant_id': security_group['tenant_id'],
|
'tenant_id': security_group['tenant_id'],
|
||||||
'description': security_group['description']}
|
'description': security_group['description']}
|
||||||
if security_group.get('external_id'):
|
|
||||||
res['external_id'] = security_group['external_id']
|
|
||||||
res['security_group_rules'] = [self._make_security_group_rule_dict(r)
|
res['security_group_rules'] = [self._make_security_group_rule_dict(r)
|
||||||
for r in security_group.rules]
|
for r in security_group.rules]
|
||||||
return self._fields(res, fields)
|
return self._fields(res, fields)
|
||||||
@ -265,7 +234,6 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||||||
id=uuidutils.generate_uuid(), tenant_id=tenant_id,
|
id=uuidutils.generate_uuid(), tenant_id=tenant_id,
|
||||||
security_group_id=rule['security_group_id'],
|
security_group_id=rule['security_group_id'],
|
||||||
direction=rule['direction'],
|
direction=rule['direction'],
|
||||||
external_id=rule.get('external_id'),
|
|
||||||
source_group_id=rule.get('source_group_id'),
|
source_group_id=rule.get('source_group_id'),
|
||||||
ethertype=rule['ethertype'],
|
ethertype=rule['ethertype'],
|
||||||
protocol=rule['protocol'],
|
protocol=rule['protocol'],
|
||||||
@ -286,23 +254,12 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||||||
group, source_group_id/security_group_id belong to the same tenant,
|
group, source_group_id/security_group_id belong to the same tenant,
|
||||||
and rules are valid.
|
and rules are valid.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
if (cfg.CONF.SECURITYGROUP.proxy_mode and not context.is_admin):
|
|
||||||
raise ext_sg.SecurityGroupProxyModeNotAdmin()
|
|
||||||
|
|
||||||
new_rules = set()
|
new_rules = set()
|
||||||
tenant_ids = set()
|
tenant_ids = set()
|
||||||
for rules in security_group_rule['security_group_rules']:
|
for rules in security_group_rule['security_group_rules']:
|
||||||
rule = rules.get('security_group_rule')
|
rule = rules.get('security_group_rule')
|
||||||
new_rules.add(rule['security_group_id'])
|
new_rules.add(rule['security_group_id'])
|
||||||
|
|
||||||
if (cfg.CONF.SECURITYGROUP.proxy_mode and
|
|
||||||
not rule.get('external_id')):
|
|
||||||
raise ext_sg.SecurityGroupProxyMode()
|
|
||||||
if (not cfg.CONF.SECURITYGROUP.proxy_mode and
|
|
||||||
rule.get('external_id')):
|
|
||||||
raise ext_sg.SecurityGroupNotProxyMode()
|
|
||||||
|
|
||||||
# Check that port_range's are valid
|
# Check that port_range's are valid
|
||||||
if (rule['port_range_min'] is None and
|
if (rule['port_range_min'] is None and
|
||||||
rule['port_range_max'] is None):
|
rule['port_range_max'] is None):
|
||||||
@ -347,8 +304,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||||||
'port_range_min': security_group_rule['port_range_min'],
|
'port_range_min': security_group_rule['port_range_min'],
|
||||||
'port_range_max': security_group_rule['port_range_max'],
|
'port_range_max': security_group_rule['port_range_max'],
|
||||||
'source_ip_prefix': security_group_rule['source_ip_prefix'],
|
'source_ip_prefix': security_group_rule['source_ip_prefix'],
|
||||||
'source_group_id': security_group_rule['source_group_id'],
|
'source_group_id': security_group_rule['source_group_id']}
|
||||||
'external_id': security_group_rule['external_id']}
|
|
||||||
|
|
||||||
return self._fields(res, fields)
|
return self._fields(res, fields)
|
||||||
|
|
||||||
@ -360,7 +316,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||||||
|
|
||||||
include_if_present = ['protocol', 'port_range_max', 'port_range_min',
|
include_if_present = ['protocol', 'port_range_max', 'port_range_min',
|
||||||
'ethertype', 'source_ip_prefix',
|
'ethertype', 'source_ip_prefix',
|
||||||
'source_group_id', 'external_id']
|
'source_group_id']
|
||||||
for key in include_if_present:
|
for key in include_if_present:
|
||||||
value = sgr.get(key)
|
value = sgr.get(key)
|
||||||
if value:
|
if value:
|
||||||
@ -405,19 +361,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||||||
|
|
||||||
def _get_security_group_rule(self, context, id):
|
def _get_security_group_rule(self, context, id):
|
||||||
try:
|
try:
|
||||||
if uuidutils.is_uuid_like(id):
|
query = self._model_query(context, SecurityGroupRule)
|
||||||
query = self._model_query(context, SecurityGroupRule)
|
sgr = query.filter(SecurityGroupRule.id == id).one()
|
||||||
sgr = query.filter(SecurityGroupRule.id == id).one()
|
|
||||||
else:
|
|
||||||
query = self._model_query(context, SecurityGroupRule)
|
|
||||||
sgr = query.filter(SecurityGroupRule.external_id == id).one()
|
|
||||||
except exc.NoResultFound:
|
except exc.NoResultFound:
|
||||||
raise ext_sg.SecurityGroupRuleNotFound(id=id)
|
raise ext_sg.SecurityGroupRuleNotFound(id=id)
|
||||||
return sgr
|
return sgr
|
||||||
|
|
||||||
def delete_security_group_rule(self, context, id):
|
def delete_security_group_rule(self, context, id):
|
||||||
if (cfg.CONF.SECURITYGROUP.proxy_mode and not context.is_admin):
|
|
||||||
raise ext_sg.SecurityGroupProxyModeNotAdmin()
|
|
||||||
with context.session.begin(subtransactions=True):
|
with context.session.begin(subtransactions=True):
|
||||||
rule = self._get_security_group_rule(context, id)
|
rule = self._get_security_group_rule(context, id)
|
||||||
context.session.delete(rule)
|
context.session.delete(rule)
|
||||||
@ -442,25 +392,17 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||||||
self._create_port_security_group_binding(context, port_id,
|
self._create_port_security_group_binding(context, port_id,
|
||||||
security_group_id)
|
security_group_id)
|
||||||
|
|
||||||
def _ensure_default_security_group(self, context, tenant_id,
|
def _ensure_default_security_group(self, context, tenant_id):
|
||||||
security_group=None):
|
|
||||||
"""Create a default security group if one doesn't exist.
|
"""Create a default security group if one doesn't exist.
|
||||||
|
|
||||||
:returns: the default security group id.
|
:returns: the default security group id.
|
||||||
"""
|
"""
|
||||||
# if in proxy mode a default security group will be created by source
|
|
||||||
if not security_group and cfg.CONF.SECURITYGROUP.proxy_mode:
|
|
||||||
return
|
|
||||||
|
|
||||||
filters = {'name': ['default'], 'tenant_id': [tenant_id]}
|
filters = {'name': ['default'], 'tenant_id': [tenant_id]}
|
||||||
default_group = self.get_security_groups(context, filters)
|
default_group = self.get_security_groups(context, filters)
|
||||||
if not default_group:
|
if not default_group:
|
||||||
security_group = {'security_group': {'name': 'default',
|
security_group = {'security_group': {'name': 'default',
|
||||||
'tenant_id': tenant_id,
|
'tenant_id': tenant_id,
|
||||||
'description': 'default'}}
|
'description': 'default'}}
|
||||||
if security_group:
|
|
||||||
security_group['security_group']['external_id'] = (
|
|
||||||
security_group['security_group'].get('external_id'))
|
|
||||||
ret = self.create_security_group(context, security_group, True)
|
ret = self.create_security_group(context, security_group, True)
|
||||||
return ret['id']
|
return ret['id']
|
||||||
else:
|
else:
|
||||||
@ -477,11 +419,8 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||||||
if p.get('device_owner') and p['device_owner'].startswith('network:'):
|
if p.get('device_owner') and p['device_owner'].startswith('network:'):
|
||||||
return
|
return
|
||||||
|
|
||||||
valid_groups = self.get_security_groups(
|
valid_groups = self.get_security_groups(context, fields=['id'])
|
||||||
context, fields=['external_id', 'id'])
|
|
||||||
valid_group_map = dict((g['id'], g['id']) for g in valid_groups)
|
valid_group_map = dict((g['id'], g['id']) for g in valid_groups)
|
||||||
valid_group_map.update((g['external_id'], g['id'])
|
|
||||||
for g in valid_groups if g.get('external_id'))
|
|
||||||
try:
|
try:
|
||||||
return set([valid_group_map[sg_id]
|
return set([valid_group_map[sg_id]
|
||||||
for sg_id in p.get(ext_sg.SECURITYGROUPS, [])])
|
for sg_id in p.get(ext_sg.SECURITYGROUPS, [])])
|
||||||
@ -489,10 +428,6 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||||||
raise ext_sg.SecurityGroupNotFound(id=str(e))
|
raise ext_sg.SecurityGroupNotFound(id=str(e))
|
||||||
|
|
||||||
def _ensure_default_security_group_on_port(self, context, port):
|
def _ensure_default_security_group_on_port(self, context, port):
|
||||||
# return if proxy_mode is enabled since nova will handle adding
|
|
||||||
# the port to the default security group.
|
|
||||||
if cfg.CONF.SECURITYGROUP.proxy_mode:
|
|
||||||
return
|
|
||||||
# we don't apply security groups for dhcp, router
|
# we don't apply security groups for dhcp, router
|
||||||
if (port['port'].get('device_owner') and
|
if (port['port'].get('device_owner') and
|
||||||
port['port']['device_owner'].startswith('network:')):
|
port['port']['device_owner'].startswith('network:')):
|
||||||
|
@ -30,11 +30,6 @@ from quantum import quota
|
|||||||
|
|
||||||
|
|
||||||
# Security group Exceptions
|
# Security group Exceptions
|
||||||
class SecurityGroupAlreadyExists(qexception.InUse):
|
|
||||||
# This can only happen if the external_id database is cleared
|
|
||||||
message = _("Security group %(name)s id %(external_id)s already exists")
|
|
||||||
|
|
||||||
|
|
||||||
class SecurityGroupInvalidPortRange(qexception.InvalidInput):
|
class SecurityGroupInvalidPortRange(qexception.InvalidInput):
|
||||||
message = _("For TCP/UDP protocols, port_range_min must be "
|
message = _("For TCP/UDP protocols, port_range_min must be "
|
||||||
"<= port_range_max")
|
"<= port_range_max")
|
||||||
@ -100,22 +95,6 @@ class SecurityGroupRuleExists(qexception.InUse):
|
|||||||
message = _("Security group rule already exists. Group id is %(id)s.")
|
message = _("Security group rule already exists. Group id is %(id)s.")
|
||||||
|
|
||||||
|
|
||||||
class SecurityGroupProxyMode(qexception.InUse):
|
|
||||||
message = _("Did not recieve external id and in proxy mode")
|
|
||||||
|
|
||||||
|
|
||||||
class SecurityGroupNotProxyMode(qexception.InUse):
|
|
||||||
message = _("Recieve external id and not in proxy mode")
|
|
||||||
|
|
||||||
|
|
||||||
class SecurityGroupProxyModeNotAdmin(qexception.NotAuthorized):
|
|
||||||
message = _("In Proxy Mode and not from admin")
|
|
||||||
|
|
||||||
|
|
||||||
class SecurityGroupInvalidExternalID(qexception.InvalidInput):
|
|
||||||
message = _("external_id wrong type %(data)s")
|
|
||||||
|
|
||||||
|
|
||||||
def convert_protocol_to_case_insensitive(value):
|
def convert_protocol_to_case_insensitive(value):
|
||||||
if value is None:
|
if value is None:
|
||||||
return value
|
return value
|
||||||
@ -147,36 +126,22 @@ def convert_validate_port_value(port):
|
|||||||
raise SecurityGroupInvalidPortValue(port=port)
|
raise SecurityGroupInvalidPortValue(port=port)
|
||||||
|
|
||||||
|
|
||||||
def convert_to_uuid_or_int_list(value_list):
|
def convert_to_uuid_list_or_none(value_list):
|
||||||
if value_list is None:
|
if value_list is None:
|
||||||
return
|
return
|
||||||
try:
|
for sg_id in value_list:
|
||||||
return [sg_id if uuidutils.is_uuid_like(sg_id) else int(sg_id)
|
if not uuidutils.is_uuid_like(sg_id):
|
||||||
for sg_id in value_list]
|
msg = _("'%s' is not an integer or uuid") % sg_id
|
||||||
except (ValueError, TypeError):
|
raise qexception.InvalidInput(error_message=msg)
|
||||||
msg = _("'%s' is not an integer or uuid") % sg_id
|
return value_list
|
||||||
raise qexception.InvalidInput(error_message=msg)
|
|
||||||
|
|
||||||
|
|
||||||
def _validate_name_not_default(data, valid_values=None):
|
def _validate_name_not_default(data, valid_values=None):
|
||||||
if not cfg.CONF.SECURITYGROUP.proxy_mode and data == "default":
|
if data == "default":
|
||||||
raise SecurityGroupDefaultAlreadyExists()
|
raise SecurityGroupDefaultAlreadyExists()
|
||||||
|
|
||||||
|
|
||||||
def _validate_external_id_and_mode(external_id, valid_values=None):
|
|
||||||
if not cfg.CONF.SECURITYGROUP.proxy_mode and not external_id:
|
|
||||||
return
|
|
||||||
elif not cfg.CONF.SECURITYGROUP.proxy_mode and external_id:
|
|
||||||
raise SecurityGroupNotProxyMode()
|
|
||||||
try:
|
|
||||||
int(external_id)
|
|
||||||
except (ValueError, TypeError):
|
|
||||||
raise SecurityGroupInvalidExternalID(data=external_id)
|
|
||||||
if cfg.CONF.SECURITYGROUP.proxy_mode and not external_id:
|
|
||||||
raise SecurityGroupProxyMode()
|
|
||||||
|
|
||||||
attr.validators['type:name_not_default'] = _validate_name_not_default
|
attr.validators['type:name_not_default'] = _validate_name_not_default
|
||||||
attr.validators['type:external_id_and_mode'] = _validate_external_id_and_mode
|
|
||||||
|
|
||||||
sg_supported_protocols = [None, 'tcp', 'udp', 'icmp']
|
sg_supported_protocols = [None, 'tcp', 'udp', 'icmp']
|
||||||
sg_supported_ethertypes = ['IPv4', 'IPv6']
|
sg_supported_ethertypes = ['IPv4', 'IPv6']
|
||||||
@ -193,9 +158,6 @@ RESOURCE_ATTRIBUTE_MAP = {
|
|||||||
'validate': {'type:name_not_default': None}},
|
'validate': {'type:name_not_default': None}},
|
||||||
'description': {'allow_post': True, 'allow_put': False,
|
'description': {'allow_post': True, 'allow_put': False,
|
||||||
'is_visible': True, 'default': ''},
|
'is_visible': True, 'default': ''},
|
||||||
'external_id': {'allow_post': True, 'allow_put': False,
|
|
||||||
'is_visible': True, 'default': None,
|
|
||||||
'validate': {'type:external_id_and_mode': None}},
|
|
||||||
'tenant_id': {'allow_post': True, 'allow_put': False,
|
'tenant_id': {'allow_post': True, 'allow_put': False,
|
||||||
'required_by_policy': True,
|
'required_by_policy': True,
|
||||||
'is_visible': True},
|
'is_visible': True},
|
||||||
@ -207,10 +169,6 @@ RESOURCE_ATTRIBUTE_MAP = {
|
|||||||
'validate': {'type:uuid': None},
|
'validate': {'type:uuid': None},
|
||||||
'is_visible': True,
|
'is_visible': True,
|
||||||
'primary_key': True},
|
'primary_key': True},
|
||||||
# external_id can be used to be backwards compatible with nova
|
|
||||||
'external_id': {'allow_post': True, 'allow_put': False,
|
|
||||||
'is_visible': True, 'default': None,
|
|
||||||
'validate': {'type:external_id_and_mode': None}},
|
|
||||||
'security_group_id': {'allow_post': True, 'allow_put': False,
|
'security_group_id': {'allow_post': True, 'allow_put': False,
|
||||||
'is_visible': True, 'required_by_policy': True},
|
'is_visible': True, 'required_by_policy': True},
|
||||||
'source_group_id': {'allow_post': True, 'allow_put': False,
|
'source_group_id': {'allow_post': True, 'allow_put': False,
|
||||||
@ -246,7 +204,7 @@ EXTENDED_ATTRIBUTES_2_0 = {
|
|||||||
'ports': {SECURITYGROUPS: {'allow_post': True,
|
'ports': {SECURITYGROUPS: {'allow_post': True,
|
||||||
'allow_put': True,
|
'allow_put': True,
|
||||||
'is_visible': True,
|
'is_visible': True,
|
||||||
'convert_to': convert_to_uuid_or_int_list,
|
'convert_to': convert_to_uuid_list_or_none,
|
||||||
'default': attr.ATTR_NOT_SPECIFIED}}}
|
'default': attr.ATTR_NOT_SPECIFIED}}}
|
||||||
security_group_quota_opts = [
|
security_group_quota_opts = [
|
||||||
cfg.IntOpt('quota_security_group',
|
cfg.IntOpt('quota_security_group',
|
||||||
@ -260,11 +218,6 @@ security_group_quota_opts = [
|
|||||||
]
|
]
|
||||||
cfg.CONF.register_opts(security_group_quota_opts, 'QUOTAS')
|
cfg.CONF.register_opts(security_group_quota_opts, 'QUOTAS')
|
||||||
|
|
||||||
security_group_opts = [
|
|
||||||
cfg.StrOpt('proxy_mode', default=False)
|
|
||||||
]
|
|
||||||
cfg.CONF.register_opts(security_group_opts, 'SECURITYGROUP')
|
|
||||||
|
|
||||||
|
|
||||||
class Securitygroup(extensions.ExtensionDescriptor):
|
class Securitygroup(extensions.ExtensionDescriptor):
|
||||||
""" Security group extension"""
|
""" Security group extension"""
|
||||||
|
@ -2005,25 +2005,11 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
|
|||||||
group and we don't need to check if one exists.
|
group and we don't need to check if one exists.
|
||||||
"""
|
"""
|
||||||
s = security_group.get('security_group')
|
s = security_group.get('security_group')
|
||||||
if cfg.CONF.SECURITYGROUP.proxy_mode:
|
|
||||||
if not context.is_admin:
|
|
||||||
raise ext_sg.SecurityGroupProxyModeNotAdmin()
|
|
||||||
elif not s.get('external_id'):
|
|
||||||
raise ext_sg.SecurityGroupProxyMode()
|
|
||||||
elif s.get('external_id'):
|
|
||||||
raise ext_sg.SecurityGroupNotProxyMode()
|
|
||||||
|
|
||||||
tenant_id = self._get_tenant_id_for_create(context, s)
|
tenant_id = self._get_tenant_id_for_create(context, s)
|
||||||
if not default_sg and not cfg.CONF.SECURITYGROUP.proxy_mode:
|
if not default_sg:
|
||||||
self._ensure_default_security_group(context, tenant_id,
|
self._ensure_default_security_group(context, tenant_id)
|
||||||
security_group)
|
|
||||||
if s.get('external_id'):
|
|
||||||
filters = {'external_id': [s.get('external_id')]}
|
|
||||||
security_groups = super(NvpPluginV2, self).get_security_groups(
|
|
||||||
context, filters=filters)
|
|
||||||
if security_groups:
|
|
||||||
raise ext_sg.SecurityGroupAlreadyExists(
|
|
||||||
name=s.get('name', ''), external_id=s.get('external_id'))
|
|
||||||
nvp_secgroup = nvplib.create_security_profile(self.default_cluster,
|
nvp_secgroup = nvplib.create_security_profile(self.default_cluster,
|
||||||
tenant_id, s)
|
tenant_id, s)
|
||||||
security_group['security_group']['id'] = nvp_secgroup['uuid']
|
security_group['security_group']['id'] = nvp_secgroup['uuid']
|
||||||
@ -2034,9 +2020,6 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
|
|||||||
"""Delete a security group
|
"""Delete a security group
|
||||||
:param security_group_id: security group rule to remove.
|
:param security_group_id: security group rule to remove.
|
||||||
"""
|
"""
|
||||||
if (cfg.CONF.SECURITYGROUP.proxy_mode and not context.is_admin):
|
|
||||||
raise ext_sg.SecurityGroupProxyModeNotAdmin()
|
|
||||||
|
|
||||||
with context.session.begin(subtransactions=True):
|
with context.session.begin(subtransactions=True):
|
||||||
security_group = super(NvpPluginV2, self).get_security_group(
|
security_group = super(NvpPluginV2, self).get_security_group(
|
||||||
context, security_group_id)
|
context, security_group_id)
|
||||||
@ -2074,8 +2057,7 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
|
|||||||
security_group_id = self._validate_security_group_rules(
|
security_group_id = self._validate_security_group_rules(
|
||||||
context, security_group_rule)
|
context, security_group_rule)
|
||||||
|
|
||||||
# Check to make sure security group exists and retrieve
|
# Check to make sure security group exists
|
||||||
# security_group['id'] needed incase it only has an external_id
|
|
||||||
security_group = super(NvpPluginV2, self).get_security_group(
|
security_group = super(NvpPluginV2, self).get_security_group(
|
||||||
context, security_group_id)
|
context, security_group_id)
|
||||||
|
|
||||||
@ -2098,9 +2080,6 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
|
|||||||
""" Delete a security group rule
|
""" Delete a security group rule
|
||||||
:param sgrid: security group id to remove.
|
:param sgrid: security group id to remove.
|
||||||
"""
|
"""
|
||||||
if (cfg.CONF.SECURITYGROUP.proxy_mode and not context.is_admin):
|
|
||||||
raise ext_sg.SecurityGroupProxyModeNotAdmin()
|
|
||||||
|
|
||||||
with context.session.begin(subtransactions=True):
|
with context.session.begin(subtransactions=True):
|
||||||
# determine security profile id
|
# determine security profile id
|
||||||
security_group_rule = (
|
security_group_rule = (
|
||||||
|
@ -63,8 +63,7 @@ class NVPSecurityGroups(object):
|
|||||||
|
|
||||||
def _get_security_group_rules_nvp_format(self, context, security_group_id,
|
def _get_security_group_rules_nvp_format(self, context, security_group_id,
|
||||||
with_id=False):
|
with_id=False):
|
||||||
"""Query quantum db for security group rules. If external_id is
|
"""Query quantum db for security group rules.
|
||||||
provided the external_id will also be returned.
|
|
||||||
"""
|
"""
|
||||||
fields = ['source_ip_prefix', 'source_group_id', 'protocol',
|
fields = ['source_ip_prefix', 'source_group_id', 'protocol',
|
||||||
'port_range_min', 'port_range_max', 'protocol', 'ethertype']
|
'port_range_min', 'port_range_max', 'protocol', 'ethertype']
|
||||||
|
@ -1024,31 +1024,12 @@ def set_tenant_id_tag(tenant_id, taglist=None):
|
|||||||
return new_taglist
|
return new_taglist
|
||||||
|
|
||||||
|
|
||||||
def set_ext_security_profile_id_tag(external_id, taglist=None):
|
|
||||||
"""Convenience function to add spid tag to taglist.
|
|
||||||
|
|
||||||
:param external_id: the security_profile id from nova
|
|
||||||
:param taglist: the taglist to append to (or None).
|
|
||||||
:returns: a new taglist that includes the old taglist with the new
|
|
||||||
spid tag set."""
|
|
||||||
new_taglist = []
|
|
||||||
if taglist:
|
|
||||||
new_taglist = [x for x in taglist if x['scope'] !=
|
|
||||||
EXT_SECURITY_PROFILE_ID_SCOPE]
|
|
||||||
if external_id:
|
|
||||||
new_taglist.append(dict(scope=EXT_SECURITY_PROFILE_ID_SCOPE,
|
|
||||||
tag=str(external_id)))
|
|
||||||
return new_taglist
|
|
||||||
|
|
||||||
|
|
||||||
# -----------------------------------------------------------------------------
|
# -----------------------------------------------------------------------------
|
||||||
# Security Group API Calls
|
# Security Group API Calls
|
||||||
# -----------------------------------------------------------------------------
|
# -----------------------------------------------------------------------------
|
||||||
def create_security_profile(cluster, tenant_id, security_profile):
|
def create_security_profile(cluster, tenant_id, security_profile):
|
||||||
path = "/ws.v1/security-profile"
|
path = "/ws.v1/security-profile"
|
||||||
tags = set_tenant_id_tag(tenant_id)
|
tags = set_tenant_id_tag(tenant_id)
|
||||||
tags = set_ext_security_profile_id_tag(
|
|
||||||
security_profile.get('external_id'), tags)
|
|
||||||
# Allow all dhcp responses in
|
# Allow all dhcp responses in
|
||||||
dhcp = {'logical_port_egress_rules': [{'ethertype': 'IPv4',
|
dhcp = {'logical_port_egress_rules': [{'ethertype': 'IPv4',
|
||||||
'protocol': 17,
|
'protocol': 17,
|
||||||
|
@ -52,15 +52,12 @@ class SecurityGroupTestExtensionManager(object):
|
|||||||
|
|
||||||
class SecurityGroupsTestCase(test_db_plugin.QuantumDbPluginV2TestCase):
|
class SecurityGroupsTestCase(test_db_plugin.QuantumDbPluginV2TestCase):
|
||||||
|
|
||||||
def _create_security_group(self, fmt, name, description, external_id=None,
|
def _create_security_group(self, fmt, name, description, **kwargs):
|
||||||
**kwargs):
|
|
||||||
|
|
||||||
data = {'security_group': {'name': name,
|
data = {'security_group': {'name': name,
|
||||||
'tenant_id': kwargs.get('tenant_id',
|
'tenant_id': kwargs.get('tenant_id',
|
||||||
'test_tenant'),
|
'test_tenant'),
|
||||||
'description': description}}
|
'description': description}}
|
||||||
if external_id:
|
|
||||||
data['security_group']['external_id'] = external_id
|
|
||||||
security_group_req = self.new_create_request('security-groups', data,
|
security_group_req = self.new_create_request('security-groups', data,
|
||||||
fmt)
|
fmt)
|
||||||
if (kwargs.get('set_context') and 'tenant_id' in kwargs):
|
if (kwargs.get('set_context') and 'tenant_id' in kwargs):
|
||||||
@ -72,7 +69,7 @@ class SecurityGroupsTestCase(test_db_plugin.QuantumDbPluginV2TestCase):
|
|||||||
def _build_security_group_rule(self, security_group_id, direction,
|
def _build_security_group_rule(self, security_group_id, direction,
|
||||||
protocol, port_range_min, port_range_max,
|
protocol, port_range_min, port_range_max,
|
||||||
source_ip_prefix=None, source_group_id=None,
|
source_ip_prefix=None, source_group_id=None,
|
||||||
external_id=None, tenant_id='test_tenant',
|
tenant_id='test_tenant',
|
||||||
ethertype='IPv4'):
|
ethertype='IPv4'):
|
||||||
|
|
||||||
data = {'security_group_rule': {'security_group_id': security_group_id,
|
data = {'security_group_rule': {'security_group_id': security_group_id,
|
||||||
@ -83,9 +80,6 @@ class SecurityGroupsTestCase(test_db_plugin.QuantumDbPluginV2TestCase):
|
|||||||
'port_range_max': port_range_max,
|
'port_range_max': port_range_max,
|
||||||
'tenant_id': tenant_id,
|
'tenant_id': tenant_id,
|
||||||
'ethertype': ethertype}}
|
'ethertype': ethertype}}
|
||||||
if external_id:
|
|
||||||
data['security_group_rule']['external_id'] = external_id
|
|
||||||
|
|
||||||
if source_ip_prefix:
|
if source_ip_prefix:
|
||||||
data['security_group_rule']['source_ip_prefix'] = source_ip_prefix
|
data['security_group_rule']['source_ip_prefix'] = source_ip_prefix
|
||||||
|
|
||||||
@ -105,10 +99,8 @@ class SecurityGroupsTestCase(test_db_plugin.QuantumDbPluginV2TestCase):
|
|||||||
context.Context('', kwargs['tenant_id']))
|
context.Context('', kwargs['tenant_id']))
|
||||||
return security_group_rule_req.get_response(self.ext_api)
|
return security_group_rule_req.get_response(self.ext_api)
|
||||||
|
|
||||||
def _make_security_group(self, fmt, name, description, external_id=None,
|
def _make_security_group(self, fmt, name, description, **kwargs):
|
||||||
**kwargs):
|
res = self._create_security_group(fmt, name, description, **kwargs)
|
||||||
res = self._create_security_group(fmt, name, description,
|
|
||||||
external_id, **kwargs)
|
|
||||||
if res.status_int >= 400:
|
if res.status_int >= 400:
|
||||||
raise webob.exc.HTTPClientError(code=res.status_int)
|
raise webob.exc.HTTPClientError(code=res.status_int)
|
||||||
return self.deserialize(fmt, res)
|
return self.deserialize(fmt, res)
|
||||||
@ -121,11 +113,10 @@ class SecurityGroupsTestCase(test_db_plugin.QuantumDbPluginV2TestCase):
|
|||||||
|
|
||||||
@contextlib.contextmanager
|
@contextlib.contextmanager
|
||||||
def security_group(self, name='webservers', description='webservers',
|
def security_group(self, name='webservers', description='webservers',
|
||||||
external_id=None, fmt=None, no_delete=False):
|
fmt=None, no_delete=False):
|
||||||
if not fmt:
|
if not fmt:
|
||||||
fmt = self.fmt
|
fmt = self.fmt
|
||||||
security_group = self._make_security_group(fmt, name, description,
|
security_group = self._make_security_group(fmt, name, description)
|
||||||
external_id)
|
|
||||||
try:
|
try:
|
||||||
yield security_group
|
yield security_group
|
||||||
finally:
|
finally:
|
||||||
@ -139,8 +130,7 @@ class SecurityGroupsTestCase(test_db_plugin.QuantumDbPluginV2TestCase):
|
|||||||
direction='ingress', protocol='tcp',
|
direction='ingress', protocol='tcp',
|
||||||
port_range_min='22', port_range_max='22',
|
port_range_min='22', port_range_max='22',
|
||||||
source_ip_prefix=None, source_group_id=None,
|
source_ip_prefix=None, source_group_id=None,
|
||||||
external_id=None, fmt=None, no_delete=False,
|
fmt=None, no_delete=False, ethertype='IPv4'):
|
||||||
ethertype='IPv4'):
|
|
||||||
if not fmt:
|
if not fmt:
|
||||||
fmt = self.fmt
|
fmt = self.fmt
|
||||||
rule = self._build_security_group_rule(security_group_id,
|
rule = self._build_security_group_rule(security_group_id,
|
||||||
@ -149,7 +139,6 @@ class SecurityGroupsTestCase(test_db_plugin.QuantumDbPluginV2TestCase):
|
|||||||
port_range_max,
|
port_range_max,
|
||||||
source_ip_prefix,
|
source_ip_prefix,
|
||||||
source_group_id,
|
source_group_id,
|
||||||
external_id,
|
|
||||||
ethertype=ethertype)
|
ethertype=ethertype)
|
||||||
security_group_rule = self._make_security_group_rule(self.fmt, rule)
|
security_group_rule = self._make_security_group_rule(self.fmt, rule)
|
||||||
try:
|
try:
|
||||||
@ -243,45 +232,12 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
|
|||||||
for k, v, in keys:
|
for k, v, in keys:
|
||||||
self.assertEqual(security_group['security_group'][k], v)
|
self.assertEqual(security_group['security_group'][k], v)
|
||||||
|
|
||||||
def test_create_security_group_external_id(self):
|
|
||||||
cfg.CONF.set_override('proxy_mode', True, 'SECURITYGROUP')
|
|
||||||
name = 'webservers'
|
|
||||||
description = 'my webservers'
|
|
||||||
external_id = 10
|
|
||||||
keys = [('name', name,), ('description', description),
|
|
||||||
('external_id', external_id)]
|
|
||||||
with self.security_group(name, description, external_id) as sg:
|
|
||||||
for k, v, in keys:
|
|
||||||
self.assertEqual(sg['security_group'][k], v)
|
|
||||||
|
|
||||||
def test_default_security_group(self):
|
def test_default_security_group(self):
|
||||||
with self.network():
|
with self.network():
|
||||||
res = self.new_list_request('security-groups')
|
res = self.new_list_request('security-groups')
|
||||||
groups = self.deserialize(self.fmt, res.get_response(self.ext_api))
|
groups = self.deserialize(self.fmt, res.get_response(self.ext_api))
|
||||||
self.assertEqual(len(groups['security_groups']), 1)
|
self.assertEqual(len(groups['security_groups']), 1)
|
||||||
|
|
||||||
def test_create_security_group_proxy_mode_not_admin(self):
|
|
||||||
cfg.CONF.set_override('proxy_mode', True, 'SECURITYGROUP')
|
|
||||||
res = self._create_security_group(self.fmt, 'webservers',
|
|
||||||
'webservers', '1',
|
|
||||||
tenant_id='bad_tenant',
|
|
||||||
set_context=True)
|
|
||||||
self.deserialize(self.fmt, res)
|
|
||||||
self.assertEqual(res.status_int, 403)
|
|
||||||
|
|
||||||
def test_create_security_group_no_external_id_proxy_mode(self):
|
|
||||||
cfg.CONF.set_override('proxy_mode', True, 'SECURITYGROUP')
|
|
||||||
res = self._create_security_group(self.fmt, 'webservers',
|
|
||||||
'webservers')
|
|
||||||
self.deserialize(self.fmt, res)
|
|
||||||
self.assertEqual(res.status_int, 400)
|
|
||||||
|
|
||||||
def test_create_security_group_no_external_id_not_proxy_mode(self):
|
|
||||||
res = self._create_security_group(self.fmt, 'webservers',
|
|
||||||
'webservers', '1')
|
|
||||||
self.deserialize(self.fmt, res)
|
|
||||||
self.assertEqual(res.status_int, 409)
|
|
||||||
|
|
||||||
def test_create_default_security_group_fail(self):
|
def test_create_default_security_group_fail(self):
|
||||||
name = 'default'
|
name = 'default'
|
||||||
description = 'my webservers'
|
description = 'my webservers'
|
||||||
@ -289,17 +245,6 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
|
|||||||
self.deserialize(self.fmt, res)
|
self.deserialize(self.fmt, res)
|
||||||
self.assertEqual(res.status_int, 409)
|
self.assertEqual(res.status_int, 409)
|
||||||
|
|
||||||
def test_create_security_group_duplicate_external_id(self):
|
|
||||||
cfg.CONF.set_override('proxy_mode', True, 'SECURITYGROUP')
|
|
||||||
name = 'webservers'
|
|
||||||
description = 'my webservers'
|
|
||||||
external_id = 1
|
|
||||||
with self.security_group(name, description, external_id):
|
|
||||||
res = self._create_security_group(self.fmt, name, description,
|
|
||||||
external_id)
|
|
||||||
self.deserialize(self.fmt, res)
|
|
||||||
self.assertEqual(res.status_int, 409)
|
|
||||||
|
|
||||||
def test_list_security_groups(self):
|
def test_list_security_groups(self):
|
||||||
with contextlib.nested(self.security_group(name='sg1',
|
with contextlib.nested(self.security_group(name='sg1',
|
||||||
description='sg'),
|
description='sg'),
|
||||||
@ -554,58 +499,6 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
|
|||||||
self.deserialize(self.fmt, res)
|
self.deserialize(self.fmt, res)
|
||||||
self.assertEqual(res.status_int, 404)
|
self.assertEqual(res.status_int, 404)
|
||||||
|
|
||||||
def test_create_security_group_rule_exteral_id_proxy_mode(self):
|
|
||||||
cfg.CONF.set_override('proxy_mode', True, 'SECURITYGROUP')
|
|
||||||
with self.security_group(external_id=1) as sg:
|
|
||||||
rule = {'security_group_rule':
|
|
||||||
{'security_group_id': sg['security_group']['id'],
|
|
||||||
'direction': 'ingress',
|
|
||||||
'protocol': 'tcp',
|
|
||||||
'port_range_min': '22',
|
|
||||||
'port_range_max': '22',
|
|
||||||
'external_id': '1',
|
|
||||||
'tenant_id': 'test_tenant',
|
|
||||||
'source_group_id': sg['security_group']['id']}}
|
|
||||||
|
|
||||||
res = self._create_security_group_rule(self.fmt, rule)
|
|
||||||
self.deserialize(self.fmt, res)
|
|
||||||
self.assertEqual(res.status_int, 201)
|
|
||||||
|
|
||||||
def test_create_security_group_rule_exteral_id_not_proxy_mode(self):
|
|
||||||
with self.security_group() as sg:
|
|
||||||
rule = {'security_group_rule':
|
|
||||||
{'security_group_id': sg['security_group']['id'],
|
|
||||||
'direction': 'ingress',
|
|
||||||
'protocol': 'tcp',
|
|
||||||
'port_range_min': '22',
|
|
||||||
'port_range_max': '22',
|
|
||||||
'external_id': 1,
|
|
||||||
'tenant_id': 'test_tenant',
|
|
||||||
'source_group_id': sg['security_group']['id']}}
|
|
||||||
|
|
||||||
res = self._create_security_group_rule(self.fmt, rule)
|
|
||||||
self.deserialize(self.fmt, res)
|
|
||||||
self.assertEqual(res.status_int, 409)
|
|
||||||
|
|
||||||
def test_create_security_group_rule_not_admin(self):
|
|
||||||
cfg.CONF.set_override('proxy_mode', True, 'SECURITYGROUP')
|
|
||||||
with self.security_group(external_id='1') as sg:
|
|
||||||
rule = {'security_group_rule':
|
|
||||||
{'security_group_id': sg['security_group']['id'],
|
|
||||||
'direction': 'ingress',
|
|
||||||
'protocol': 'tcp',
|
|
||||||
'port_range_min': '22',
|
|
||||||
'port_range_max': '22',
|
|
||||||
'tenant_id': 'bad_tenant',
|
|
||||||
'external_id': 1,
|
|
||||||
'source_group_id': sg['security_group']['id']}}
|
|
||||||
|
|
||||||
res = self._create_security_group_rule(self.fmt, rule,
|
|
||||||
tenant_id='bad_tenant',
|
|
||||||
set_context=True)
|
|
||||||
self.deserialize(self.fmt, res)
|
|
||||||
self.assertEqual(res.status_int, 403)
|
|
||||||
|
|
||||||
def test_create_security_group_rule_bad_tenant_source_group_id(self):
|
def test_create_security_group_rule_bad_tenant_source_group_id(self):
|
||||||
with self.security_group() as sg:
|
with self.security_group() as sg:
|
||||||
res = self._create_security_group(self.fmt, 'webservers',
|
res = self._create_security_group(self.fmt, 'webservers',
|
||||||
@ -1080,60 +973,7 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
|
|||||||
self.deserialize(self.fmt, res)
|
self.deserialize(self.fmt, res)
|
||||||
self.assertEqual(res.status_int, 400)
|
self.assertEqual(res.status_int, 400)
|
||||||
|
|
||||||
def test_validate_port_external_id_quantum_id(self):
|
def test_create_port_with_non_uuid(self):
|
||||||
cfg.CONF.set_override('proxy_mode', True, 'SECURITYGROUP')
|
|
||||||
with self.network() as n:
|
|
||||||
with self.subnet(n):
|
|
||||||
sg1 = (self.deserialize(self.fmt,
|
|
||||||
self._create_security_group(self.fmt,
|
|
||||||
'foo', 'bar', '1')))
|
|
||||||
sg2 = (self.deserialize(self.fmt,
|
|
||||||
self._create_security_group(self.fmt,
|
|
||||||
'foo', 'bar', '2')))
|
|
||||||
res = self._create_port(
|
|
||||||
self.fmt, n['network']['id'],
|
|
||||||
security_groups=[sg1['security_group']['id']])
|
|
||||||
|
|
||||||
port = self.deserialize(self.fmt, res)
|
|
||||||
# This request updates the port sending the quantum security
|
|
||||||
# group id in and a nova security group id.
|
|
||||||
data = {'port': {'fixed_ips': port['port']['fixed_ips'],
|
|
||||||
'name': port['port']['name'],
|
|
||||||
ext_sg.SECURITYGROUPS:
|
|
||||||
[sg1['security_group']['external_id'],
|
|
||||||
sg2['security_group']['id']]}}
|
|
||||||
req = self.new_update_request('ports', data,
|
|
||||||
port['port']['id'])
|
|
||||||
res = self.deserialize(self.fmt, req.get_response(self.api))
|
|
||||||
self.assertEquals(len(res['port'][ext_sg.SECURITYGROUPS]), 2)
|
|
||||||
for sg_id in res['port'][ext_sg.SECURITYGROUPS]:
|
|
||||||
# only security group id's should be
|
|
||||||
# returned and not external_ids
|
|
||||||
self.assertEquals(len(sg_id), 36)
|
|
||||||
self._delete('ports', port['port']['id'])
|
|
||||||
|
|
||||||
def test_validate_port_external_id_string_or_int(self):
|
|
||||||
cfg.CONF.set_override('proxy_mode', True, 'SECURITYGROUP')
|
|
||||||
with self.network() as n:
|
|
||||||
with self.subnet(n):
|
|
||||||
string_id = '1'
|
|
||||||
int_id = 2
|
|
||||||
self.deserialize(
|
|
||||||
self.fmt, self._create_security_group(self.fmt,
|
|
||||||
'foo', 'bar',
|
|
||||||
string_id))
|
|
||||||
self.deserialize(
|
|
||||||
self.fmt, self._create_security_group(self.fmt,
|
|
||||||
'foo', 'bar',
|
|
||||||
int_id))
|
|
||||||
res = self._create_port(
|
|
||||||
self.fmt, n['network']['id'],
|
|
||||||
security_groups=[string_id, int_id])
|
|
||||||
|
|
||||||
port = self.deserialize(self.fmt, res)
|
|
||||||
self._delete('ports', port['port']['id'])
|
|
||||||
|
|
||||||
def test_create_port_with_non_uuid_or_int(self):
|
|
||||||
with self.network() as n:
|
with self.network() as n:
|
||||||
with self.subnet(n):
|
with self.subnet(n):
|
||||||
res = self._create_port(self.fmt, n['network']['id'],
|
res = self._create_port(self.fmt, n['network']['id'],
|
||||||
@ -1142,18 +982,6 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
|
|||||||
self.deserialize(self.fmt, res)
|
self.deserialize(self.fmt, res)
|
||||||
self.assertEqual(res.status_int, 400)
|
self.assertEqual(res.status_int, 400)
|
||||||
|
|
||||||
def test_validate_port_external_id_fail(self):
|
|
||||||
cfg.CONF.set_override('proxy_mode', True, 'SECURITYGROUP')
|
|
||||||
with self.network() as n:
|
|
||||||
with self.subnet(n):
|
|
||||||
bad_id = 1
|
|
||||||
res = self._create_port(
|
|
||||||
self.fmt, n['network']['id'],
|
|
||||||
security_groups=[bad_id])
|
|
||||||
|
|
||||||
self.deserialize(self.fmt, res)
|
|
||||||
self.assertEqual(res.status_int, 404)
|
|
||||||
|
|
||||||
|
|
||||||
class TestSecurityGroupsXML(TestSecurityGroups):
|
class TestSecurityGroupsXML(TestSecurityGroups):
|
||||||
fmt = 'xml'
|
fmt = 'xml'
|
||||||
|
Loading…
Reference in New Issue
Block a user