NSX|v+v3: Allow multiple provider security groups per tenant

The admin will be able to create multiple provider security groups per tenant, and the new compute ports of this tenant will get all those security groups. This enhancement is required for the NSX Policy support, as each security group can represent 1 policy, and we may need multiple mandatory policies per tenant. Change-Id: I058f639c94602dcce5c6f796d5fae4692481ad88
2016-11-03 09:05:19 +02:00 · 2016-11-03 09:05:19 +02:00 · 7e1b1f1cf2
commit 7e1b1f1cf2
parent d1ad56f850
2 changed files with 8 additions and 10 deletions
--- a/vmware_nsx/db/extended_security_group.py
+++ b/vmware_nsx/db/extended_security_group.py
@ -30,7 +30,6 @@ from neutron.extensions import securitygroup as ext_sg
 from neutron_lib.api import validators
 from neutron_lib import constants as n_constants

-from vmware_nsx._i18n import _
 from vmware_nsx.extensions import providersecuritygroup as provider_sg
 from vmware_nsx.extensions import securitygrouplogging as sg_logging

@ -169,15 +168,6 @@ class ExtendedSecurityGroupPropertiesMixin(object):
        if default_sg:
            raise provider_sg.DefaultSecurityGroupIsNotProvider()

-        tenant_id = security_group['tenant_id']
-        ssg = self._get_tenant_provider_security_groups(context, tenant_id)
-        if ssg:
-            # REVISIT(roeyc): At the moment we only allow on provider
-            # security-group per tenant, this might change in the future.
-            raise Exception(_("Provider Security-group already exists"
-                              "(%(pvdsg)s) for tenant %(tenant_id)s.")
-                            % {'pvdsg': ssg, 'tenant_id': tenant_id})
-
    def _get_provider_security_groups_on_port(self, context, port):
        p = port['port']
        tenant_id = p['tenant_id']
--- a/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py
+++ b/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py
@ -155,6 +155,14 @@ class ProviderSecurityGroupExtTestCase(
        self.assertEqual(
            provider_secgroup['security_group']['security_group_rules'], [])

+    def test_create_provider_security_groups_same_tenant(self):
+        provider_secgroup = self._create_provider_security_group()
+        self.assertTrue(provider_secgroup['security_group']['provider'])
+
+        # Verify that another one can also be created for the same tenant
+        provider_secgroup2 = self._create_provider_security_group()
+        self.assertTrue(provider_secgroup2['security_group']['provider'])
+
    def test_create_port_gets_provider_sg(self):
        # need to create provider security group first.
        provider_secgroup = self._create_provider_security_group()