NSX|v3: do not allow provider sec groups if not port-sec

Prevent adding provider security groups to a port with ports-security disabled Change-Id: I5649efbf52d0d03f9ac80ab6b043c29290ef45d8
2017-08-01 09:14:51 +03:00 · 2017-08-01 09:14:51 +03:00 · 6bc54cf9cc
commit 6bc54cf9cc
parent 39b2821126
1 changed files with 6 additions and 2 deletions
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@ -2259,7 +2259,8 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
            port)

        # populate port_security setting
-        if psec.PORTSECURITY not in port['port']:
+        port_data = port['port']
+        if psec.PORTSECURITY not in port_data:
            updated_port[psec.PORTSECURITY] = \
                self._get_port_security_binding(context, id)
        has_ip = self._ip_on_port(updated_port)
@ -2286,9 +2287,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,

        # checks if security groups were updated adding/modifying
        # security groups, port security is set and port has ip
+        provider_sgs_specified = (validators.is_attr_set(
+            port_data.get(provider_sg.PROVIDER_SECURITYGROUPS)) and
+            port['port'][provider_sg.PROVIDER_SECURITYGROUPS] != [])
        if (validate_port_sec and
            not (has_ip and updated_port[psec.PORTSECURITY])):
-            if has_security_groups:
+            if has_security_groups or provider_sgs_specified:
                raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups()
            # Update did not have security groups passed in. Check
            # that port does not have any security groups already on it.