NSX-V| prevent rules creation for SG with policies

Even if currently the policies feature is disabled, it is still not allowed to add rules to a security group with a polict. Change-Id: I62d1b1760c4619a056b8ed8e6a083410a344cb14
2017-01-15 14:45:00 +02:00 · 2017-01-15 14:45:00 +02:00 · 5efdfab892
commit 5efdfab892
parent 14d5533e63
1 changed files with 6 additions and 7 deletions
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -3507,13 +3507,6 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        sg_rules = security_group_rules['security_group_rules']
        sg_id = sg_rules[0]['security_group_rule']['security_group_id']

-        if (self._use_nsx_policies and
-            self._is_policy_security_group(context, sg_id)):
-            # If policies are enabled - creating rules is forbidden
-            msg = (_('Cannot create rules for security group %s with'
-                     ' a policy') % sg_id)
-            raise n_exc.InvalidInput(error_message=msg)
-
        self._prevent_non_admin_delete_provider_sg(context, sg_id)

        ruleids = set()
@ -3521,6 +3514,12 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,

        self._validate_security_group_rules(context, security_group_rules)

+        if self._is_policy_security_group(context, sg_id):
+            # If policies are/were enabled - creating rules is forbidden
+            msg = (_('Cannot create rules for security group %s with'
+                     ' a policy') % sg_id)
+            raise n_exc.InvalidInput(error_message=msg)
+
        # Querying DB for associated dfw section id
        section_uri = self._get_section_uri(context.session, sg_id)
        logging = self._is_security_group_logged(context, sg_id)