From 600db3104c103bf41b2c2b49096ca2e31ec56c4c Mon Sep 17 00:00:00 2001
From: Salvatore Orlando <sorlando@vmware.com>
Date: Mon, 19 Jul 2021 12:15:42 -0700
Subject: [PATCH] API replay: post bulk sec group rule create by tenant

When doing bulk security group rule create, the API replay process
need to take into account that rules within a security group might
belong to different tenants, and all the rules submitted in a bulk
operation must belong to the same tenant.

Also, fix typo as datetime has no 'elapsed' member, we should have
called now()

Change-Id: I5a11e2b7eb1d07b4aafd0798533fc19c1463f868
---
 vmware_nsx/api_replay/client.py | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/vmware_nsx/api_replay/client.py b/vmware_nsx/api_replay/client.py
index 9461a516a8..3c8eb91096 100644
--- a/vmware_nsx/api_replay/client.py
+++ b/vmware_nsx/api_replay/client.py
@@ -415,7 +415,7 @@ class ApiReplayClient(utils.PrepareObjectForMigration):
                                     dest_sec_group['security_group_rules'])
                        is False):
                         try:
-                            rule_start = datetime.elapsed()
+                            rule_start = datetime.now()
                             body = self.prepare_security_group_rule(sg_rule)
                             self.dest_neutron.create_security_group_rule(
                                 {'security_group_rule': body})
@@ -456,7 +456,8 @@ class ApiReplayClient(utils.PrepareObjectForMigration):
                 # Use bulk rules creation for the rules of the SG
                 if not sg_rules:
                     continue
-                rules = []
+                # SG rules must be grouped per tenant
+                rules = {}
                 for sg_rule in sg_rules:
                     # skip the default rules that were already created
                     skip = False
@@ -472,8 +473,10 @@ class ApiReplayClient(utils.PrepareObjectForMigration):
                             break
                     if not skip:
                         body = self.prepare_security_group_rule(sg_rule)
-                        rules.append({'security_group_rule': body})
-
+                        tenant_id = sg_rule.get('tenant_id', 'default')
+                        tenant_rules = rules.get(tenant_id, [])
+                        tenant_rules.append({'security_group_rule': body})
+                        rules[tenant_id] = tenant_rules
                 # save rules to create once all the sgs are created
                 if rules:
                     rules_dict[sg['id']] = rules
@@ -482,15 +485,17 @@ class ApiReplayClient(utils.PrepareObjectForMigration):
 
         # Create the rules after all security groups are created to allow
         # dependencies in remote_group_id
-        for sg_id, sg in rules_dict.items():
+        for sg_id, sg_rules in rules_dict.items():
             try:
                 rule_start = datetime.now()
-                rules = self.dest_neutron.create_security_group_rule(
-                    {'security_group_rules': sg})
-                LOG.info("Created %d security group rules for SG %s: %s",
-                         len(rules), sg_id,
-                         ",".join([rule.get('id') for rule in
-                                   rules.get('security_group_rules', [])]))
+                for tenant_id, tenant_rules in sg_rules.items():
+                    rules = self.dest_neutron.create_security_group_rule(
+                        {'security_group_rules': tenant_rules})
+                    LOG.info("Created %d security group rules for "
+                             "SG %s and tenant %s: %s",
+                            len(rules), sg_id, tenant_id,
+                            ",".join([rule.get('id') for rule in
+                                    rules.get('security_group_rules', [])]))
                 self._log_elapsed(
                     rule_start,
                     "Migrate security group rules for group %s" % sg_id)