Merge "NSX-V| Fix SG creation with nsx policy"

2017-01-26 18:19:06 +00:00 · 2017-01-26 18:19:06 +00:00 · 8e2fe26878
commit 8e2fe26878
parent 852d05e200 4625914085
2 changed files with 36 additions and 15 deletions
--- a/vmware_nsx/db/extended_security_group.py
+++ b/vmware_nsx/db/extended_security_group.py
@ -21,10 +21,13 @@ from sqlalchemy.orm import exc
 from sqlalchemy import sql

 from neutron.api.v2 import attributes
+from neutron.callbacks import events
+from neutron.callbacks import registry
+from neutron.callbacks import resources
 from neutron.common import utils as n_utils
 from neutron.db import api as db_api
 from neutron.db import db_base_plugin_v2
-from neutron.db.models import securitygroup as securitygroups_db  # noqa
+from neutron.db.models import securitygroup as securitygroups_db
 from neutron.extensions import securitygroup as ext_sg
 from neutron_lib.api import validators
 from neutron_lib import constants as n_constants
@ -69,14 +72,30 @@ class ExtendedSecurityGroupPropertiesMixin(object):
                     "==SecurityGroupPortBinding.security_group_id"))

    def create_provider_security_group(self, context, security_group):
-        """Create a provider security group.
+        return self.create_security_group_without_rules(
+            context, security_group, False, True)
+
+    def create_security_group_without_rules(self, context, security_group,
+                                            default_sg, is_provider):
+        """Create a neutron security group, without any default rules.

        This method creates a security group that does not by default
        enable egress traffic which normal neutron security groups do.
        """
        s = security_group['security_group']
+        kwargs = {
+            'context': context,
+            'security_group': s,
+            'is_default': default_sg,
+        }
+
+        self._registry_notify(resources.SECURITY_GROUP, events.BEFORE_CREATE,
+                              exc_cls=ext_sg.SecurityGroupConflict, **kwargs)
        tenant_id = s['tenant_id']

+        if not default_sg:
+            self._ensure_default_security_group(context, tenant_id)
+
        with db_api.autonested_transaction(context.session):
            security_group_db = securitygroups_db.SecurityGroup(
                id=s.get('id') or (uuidutils.generate_uuid()),
@ -84,8 +103,17 @@ class ExtendedSecurityGroupPropertiesMixin(object):
                tenant_id=tenant_id,
                name=s.get('name', ''))
            context.session.add(security_group_db)
+            if default_sg:
+                context.session.add(securitygroups_db.DefaultSecurityGroup(
+                    security_group=security_group_db,
+                    tenant_id=tenant_id))
+
        secgroup_dict = self._make_security_group_dict(security_group_db)
-        secgroup_dict[provider_sg.PROVIDER] = True
+        secgroup_dict[sg_policy.POLICY] = s.get(sg_policy.POLICY)
+        secgroup_dict[provider_sg.PROVIDER] = is_provider
+        kwargs['security_group'] = secgroup_dict
+        registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, self,
+                        **kwargs)
        return secgroup_dict

    def _process_security_group_properties_create(self, context,
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -3257,15 +3257,6 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
            # just add the security group to the policy on the backend.
            self._update_nsx_security_group_policies(
                policy, None, nsx_sg_id)
-
-            # Delete the neutron default rules (do not exist on the backend)
-            if securitygroup.get(ext_sg.SECURITYGROUPRULES):
-                with context.session.begin(subtransactions=True):
-                    for rule in securitygroup[ext_sg.SECURITYGROUPRULES]:
-                        rule_db = self._get_security_group_rule(context,
-                                                                rule['id'])
-                        context.session.delete(rule_db)
-                securitygroup.pop(ext_sg.SECURITYGROUPRULES)
        else:
            try:
                self._create_fw_section_for_security_group(
@ -3358,9 +3349,11 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        self._validate_security_group(context, sg_data, default_sg)

        with context.session.begin(subtransactions=True):
-            if sg_data.get(provider_sg.PROVIDER):
-                new_sg = self.create_provider_security_group(
-                    context, security_group)
+            is_provider = True if sg_data.get(provider_sg.PROVIDER) else False
+            is_policy = True if sg_data.get(sg_policy.POLICY) else False
+            if is_provider or is_policy:
+                new_sg = self.create_security_group_without_rules(
+                    context, security_group, default_sg, is_provider)
            else:
                new_sg = super(NsxVPluginV2, self).create_security_group(
                    context, security_group, default_sg)